Microsoft’s October Patch Tuesday delivers one of the largest security refreshes of the year, fixing a broad set of issues across Windows, Azure Entra, ASP.NET Core, SharePoint and related components — including two actively exploited local elevation-of-privilege zero-days and multiple critical remote-code-execution vulnerabilities that merit immediate attention from administrators and security teams.
Microsoft published the October 14, 2025 cumulative updates (notably KB5066835 for Windows 11) alongside a large security bulletin that covers vulnerabilities across client, server and cloud assets. The Windows 11 LCU for versions 24H2 and 25H2 ships as OS builds 26200.6899 and 26100.6899, respectively, and the roll‑up also folds in fixes from the September package KB5065789.
This month’s release includes fixes that are strictly security-related as well as quality and usability updates — everything from print‑preview hangs in Chromium-based browsers to gamepad input detection problems, PowerShell remoting timeouts, and Windows Hello setup issues with some USB IR camera modules. Administrators are urged to treat the security items as high priority while planning maintenance windows for the required restarts.
Key points administrators must note:
Source: CyberInsider Microsoft October Patch Tuesday for Windows 11 Fixes 175 Flaws
Background
Microsoft published the October 14, 2025 cumulative updates (notably KB5066835 for Windows 11) alongside a large security bulletin that covers vulnerabilities across client, server and cloud assets. The Windows 11 LCU for versions 24H2 and 25H2 ships as OS builds 26200.6899 and 26100.6899, respectively, and the roll‑up also folds in fixes from the September package KB5065789. This month’s release includes fixes that are strictly security-related as well as quality and usability updates — everything from print‑preview hangs in Chromium-based browsers to gamepad input detection problems, PowerShell remoting timeouts, and Windows Hello setup issues with some USB IR camera modules. Administrators are urged to treat the security items as high priority while planning maintenance windows for the required restarts.
What changed this month — headline fixes
Two actively exploited zero-days (local privilege escalation)
Microsoft patched two zero-day elevation-of-privilege vulnerabilities that were being exploited in the wild:- CVE‑2025‑24990 — an untrusted pointer dereference in the third‑party Agere modem driver (ltmdm64.sys). Microsoft removed the driver entirely from supported Windows installations as part of the October cumulative update; systems that rely on that driver for fax or dial‑up modem functionality will stop working after the update unless alternative drivers or hardware are used. Successful exploitation allows a local attacker to obtain administrative privileges even if the modem is not in use.
- CVE‑2025‑59230 — an improper access control issue in Remote Access Connection Manager (RasMan) that enables a locally authenticated attacker to escalate to SYSTEM privileges. Microsoft confirmed in‑the‑wild exploitation and credited MSTIC and MSRC with discovery and triage. Because RasMan is often present on many Windows builds, this is a high‑priority local escalation that can be chained to initial footholds.
Multiple critical remote code execution vulnerabilities
Beyond the two zero‑days, Microsoft addressed several critical vulnerabilities with extreme impact ratings. Among the most notable:- CVE‑2025‑59246 — Azure Entra ID vulnerability assessed at high/critical severity that could permit remote code execution or administrative compromise under certain conditions.
- CVE‑2025‑55315 — a severe ASP.NET Core HTTP request interpretation vulnerability (often described as request/response smuggling or security‑feature bypass) with a CVSS score reported near the top of the scale. This affects multi‑tenant and web‑facing ASP.NET Core deployments and can lead to confidentiality and integrity compromises if exploited.
- CVE‑2025‑49708 — Microsoft Graphics Component vulnerability tracked as critical; a remotely triggerable issue that could enable an attacker to achieve full system compromise in the right context.
- CVE‑2025‑59287 — an RCE in Windows Server Update Services (WSUS) with a high exploitability rating and a Microsoft assessment of “Exploitation More Likely.” WSUS sits at the heart of many enterprise patch deployments; exploitation here could allow malicious updates or code to be delivered through a trusted update pathway.
- CVE‑2025‑59228 — a SharePoint pre‑authentication RCE that allows attackers to execute code without prior authentication in certain configurations.
Microsoft’s removal of ltmdm64.sys and hardware impact
Rather than issuing a revised signed driver, Microsoft removed the legacy Agere modem driver (ltmdm64.sys) from the Windows image and prevented its re‑provisioning in October’s update. The practical effect:- In‑box distribution of the driver ends; systems that update will no longer have ltmdm64.sys present by default.
- Any fax/modem hardware that depends exclusively on that driver will cease to function until the vendor supplies a replacement driver or an alternative solution is deployed. Microsoft recommends eliminating dependencies on affected hardware and migrating to supported technologies.
Secure Boot certificate expiry: the calendar everyone must watch
Microsoft is actively warning administrators about the pending expiration of older Secure Boot certificates beginning in June 2026, and it is delivering new 2023 CA certificates via Windows Update well ahead of that date. If systems retain only the 2011 CA hierarchy and those certificates expire, devices may not accept updated boot components or future Secure Boot updates — with potential boot or update failures for affected platforms.Key points administrators must note:
- The affected certificate set includes the Microsoft KEK/UEFI/Option ROM certificates originally issued in 2011; replacements are the 2023 certificates. Microsoft (and many OEMs) will deliver updated certificates through Windows Update and OEM firmware as part of a staged rollout.
- Virtual machines and physical devices are both impacted; edge and air‑gapped systems require special handling since automated updates may not reach them. Organizations using managed update channels should verify that devices are receiving Microsoft’s certificate updates.
- Failure to update Secure Boot CAs could result in inability to install future Secure Boot updates and incompatibility with newly signed boot components and option ROMs after June–October 2026. Start inventorying firmware and Secure Boot state now.
Discrepancies in CVE counts — what to trust
Different security vendors and news outlets reported slightly different totals for the number of patched CVEs in October’s cycle (figures such as 167 and 175 have both circulated). These discrepancies stem from what is counted as part of Microsoft’s monthly disclosures:- Microsoft’s Security Update Guide and individual KB articles enumerate the OS and product fixes included in the rollout.
- Third‑party trackers may include or exclude items such as Chromium CVEs, third‑party bundled components, cloud‑only advisories, or advisories published earlier and consolidated into the month’s communication.
Risk analysis — what makes this month significant
- Active exploitation plus critical remote RCEs. The coexistence of local zero‑days being exploited in the wild and critical remote‑code‑execution flaws creates a high‑risk environment. An attacker with a low‑privilege foothold can chain local privilege escalations to achieve full control, while internet‑facing service RCEs offer initial access vectors directly.
- Supply‑chain and update pathway exposure. WSUS RCE (CVE‑2025‑59287) is particularly concerning; patching or compromising update infrastructure can multiply attacker reach across an organization’s estate. Given WSUS’s centrality in patch management, treat this as an emergency patch for WSUS servers and downstream clients.
- Operational impact from the driver removal. Removing ltmdm64.sys is secure but disruptive for niche hardware. Organizations that neglected legacy fax/dial‑up inventories now have limited time to replace hardware or adapt processes. This is a textbook tradeoff: improved baseline security at the cost of compatibility headaches for small but important user sets.
- Long‑lead system integrity risk (Secure Boot CAs). The Secure Boot certificate lifecycle requires firmware readiness and coordinated rollout. Even well‑managed enterprises risk partial failures and boot‑related problems if OEM firmware and certificate deliveries aren’t validated ahead of June 2026.
- Patch fatigue and complexity. The volume of fixes and the diversity of affected components increase the chance of missed patches, misapplied mitigations, or regressions. Test in representative staging environments where possible and prioritize based on exposure and exploitability.
Practical remediation checklist (recommended sequence)
- Inventory: Identify Windows endpoints, servers (including WSUS), and Azure Entra/SharePoint/ASP.NET hosts that match affected versions. Classify assets by exposure (internet‑facing vs internal) and business criticality.
- Emergency patching: Prioritize patching internet‑facing servers and WSUS management servers immediately. For endpoints, stage deployment using phased rings (pilot → broad → enforced).
- Backups and change windows: Back up critical systems (system state and user data), schedule restarts, and plan rollback procedures. Microsoft’s cumulative updates require restarts to finalize security fixes.
- Verify Secure Boot certificate readiness: Check Secure Boot state, firmware levels, and confirm that devices are receiving Microsoft’s certificate rollouts or that OEM firmware updates have been applied. Treat air‑gapped and special‑purpose devices as exceptions requiring manual remediation.
- Post‑patch validation: Validate services (WSUS, SharePoint, web apps), run regression checks for driver removal impacts (fax/modem workflows), and inspect event logs for signs of exploitation prior to patching.
Step‑by‑step: applying the Windows 11 October 2025 update (concise)
- Open Settings > Windows Update.
- Click Check for updates.
- When the October 14, 2025 update (KB5066835) appears, select Install all.
- Allow the update to download, install, and then restart the device to complete the patch process.
- After restart, confirm OS build is 26200.6899 (25H2) or 26100.6899 (24H2) in Settings > System > About.
Detection and hunting guidance
- Hunt for signs of local privilege escalation and lateral movement around the time of the update release (look for unusual process creations, service control changes, and unexpected use of RasMan-related APIs).
- For WSUS environments, verify the integrity of update catalogs and monitor for anomalous package additions or unauthorized configuration changes.
- Review web server logs for suspicious request sequences that could indicate exploitation attempts against ASP.NET Core (particularly malformed requests indicative of request/response smuggling attempts).
- Use endpoint telemetry to detect processes attempting to load or interact with ltmdm64.sys prior to removal, and flag attempts to reintroduce legacy drivers.
Strengths and weakness of Microsoft’s approach
- Strengths: Microsoft’s coordinated rollup (including removal of a legacy vulnerable driver) shows an emphasis on reducing long‑standing attack surfaces and providing consolidated guidance (KBs, MSRC entries, Secure Boot rollout documentation). The explicit inclusion of Secure Boot CA migration guidance months ahead of expiry is a valuable operational signal for enterprises.
- Weaknesses / Risks: The scale of fixes and the mixture of in‑place removals (ltmdm64.sys) and critical RCEs introduces operational risk — organizations with legacy fax hardware or inadequate WSUS change management may see service disruptions. Additionally, discrepancies in CVE counting across vendor reports can cause confusion; organizations focused on compliance reporting should reconcile counts against Microsoft’s authoritative guidance.
Unverifiable or unclear claims (caution)
- Exact CVE totals for the month: different security trackers reported 167 vs 175 CVEs. That difference reflects divergent counting rules (inclusion/exclusion of bundled Chromium and cloud advisories). Use Microsoft’s Security Update Guide as the definitive list for compliance purposes and document the counting convention used.
- Attribution details for exploitation campaigns: while Microsoft and CISA indicate in‑the‑wild exploitation for the two zero‑days, specifics about threat actor(s), extent of compromise, and campaign telemetry are not fully public; treat any external claims about scale or attribution with caution until organizations release forensic evidence.
Conclusion
October’s Patch Tuesday is a reminder that modern enterprise security is a race between discovery and rapid mitigation. The combination of two actively exploited local zero‑days, several critical remote code execution flaws (including a WSUS RCE), and a long‑lead operational change around Secure Boot certificates requires coordinated action: prioritize patching exposed services and update management infrastructure first, inventory and remediate legacy hardware dependencies, validate firmware and Secure Boot readiness, and prepare rollback/backups in case of regressions. The October cumulative updates (KB5066835 for Windows 11) and associated MSRC advisories are the authoritative starting point; treat this cycle as an operational emergency for high‑exposure assets and a scheduled project for broader estate hygiene.Source: CyberInsider Microsoft October Patch Tuesday for Windows 11 Fixes 175 Flaws
