Microsoft’s October Patch Tuesday landed like a seasonal scare: this round of updates addresses roughly 167 to 175 Microsoft CVEs (counts vary by tracker), plus a tranche of non‑Microsoft fixes from Adobe, SAP and Ivanti, and it includes multiple vulnerabilities that are already being exploited or publicly disclosed. The headline for administrators is stark: several elevation‑of‑privilege zero‑days were fixed (one involved a legacy Agere modem driver that Microsoft removed entirely), a wormable remote code execution (RCE) flaw in WSUS scored a near‑perfect 9.8 and demands urgent attention, and an AMD SEV‑SNP hardware/firmware race‑condition issue affecting confidential computing was publicly disclosed but not yet fully patched. Reports and vendor counts vary, but the operational imperative is the same: inventory, prioritize, and patch, now.
Background / Overview
October’s security roll-up is one of Microsoft’s largest in 2025. Industry trackers report between 167 and 175 Microsoft CVEs fixed in the monthly cumulative updates; differences in headline totals come down to whether cloud‑only advisories, third‑party libraries and Chromium/Edge items are included in the tally. At least 17 of the fixed issues are rated critical by various trackers; elevation of privilege (EoP) and remote code execution (RCE) bugs dominate the set. Several items received special attention because they were either exploited in the wild before patching or publicly disclosed prior to vendor fixes. This month’s patch mosaic also includes non‑Microsoft advisories: Adobe published updates that fix dozens of vulnerabilities across Creative Cloud and the Substance suite; SAP released multiple security notes including fixes for OS command execution bugs; and Ivanti published advisories for Endpoint Manager Mobile and Neurons for MDM. Administrators managing mixed environments must treat these vendor patches as part of the same remediation window.
What’s Exploited In The Wild (and what to treat as highest priority)
The actively exploited zero‑days
- CVE‑2025‑24990 — Agere Modem driver (ltmdm64.sys)
This is an elevation‑of‑privilege bug in a third‑party Agere modem driver that has shipped inbox with supported Windows builds for years. Microsoft removed the driver in the October cumulative update after confirming active exploitation. Because the driver is present regardless of whether modem hardware is attached, Microsoft warns that all supported versions of Windows could be affected, and an unpatched host without a modem is still exploitable. Systems that depend on legacy fax/modem hardware will lose that functionality once the driver is removed; plan for that impact as you patch.
- CVE‑2025‑59230 — Windows Remote Access Connection Manager (RASMAN)
A local improper‑access‑control EoP bug in the Remote Access Connection Manager was observed exploited in the wild. Successful exploitation enables an attacker with local access to escalate to SYSTEM privileges. Because these EoP bugs are frequently chained with a remote code execution foothold, the practical risk is high: a small initial compromise can be dramatically amplified.
- CVE‑2025‑47827 — Secure Boot bypass (IGEL OS igel‑flash‑driver)
Though this affects IGEL OS rather than Windows directly, it was publicly exploited to bypass Secure Boot due to improper cryptographic signature verification in the igel‑flash‑driver module. Systems that rely on IGEL thin clients or appliances should update immediately. This counts as an actively exploited item in vendor reports.
Note: different outlets report slightly different counts of “actively exploited” zero‑days (two vs. three). Microsoft’s advisory data and CISA’s Known Exploited Vulnerabilities (KEV) entries are the authoritative references for whether a CVE is listed as “exploited.” Administrators should verify KEV/enterprise advisories for their risk and compliance requirements before final prioritization.
Publicly known but not (yet) weaponized broadly
- CVE‑2025‑0033 — AMD SEV‑SNP RMP race condition (EPYC Milan/Genoa/Turin)
This hardware/firmware vulnerability affects AMD processors’ Secure Encrypted Virtualization (SEV‑SNP) setup: a race condition during Reverse Map Table (RMP) initialization could let a malicious or compromised hypervisor tamper with guest RMP entries before they’re locked. Microsoft says Azure Confidential Computing’s AMD clusters are being updated, but a complete fix requires microcode/firmware and hypervisor changes and was not complete at the initial disclosure. Importantly, exploitation requires privileged hypervisor control — not a simple remote client attack — and Microsoft says it does not expose plaintext secrets during known exploitation scenarios. If you run confidential compute or host multi‑tenant hypervisors, treat this as high operational risk and follow vendor guidance.
- CVE‑2025‑24052 — Agere Modem driver (publicly disclosed)
Another Agere driver issue was publicly disclosed. Even if exploitation hadn’t been observed for this specific CVE at release, public disclosure increases the chance of rapid weaponization; patch quickly or apply compensating controls.
- CVE‑2025‑2884 — TCG TPM2.0 CryptHmacSign out‑of‑bounds read
A vulnerability in the TCG TPM2.0 reference implementation’s CryptHmacSign helper allows out‑of‑bounds reads that could leak secrets. The issue was publicly documented earlier in 2025 and should be prioritized for systems that rely on the TCG reference stack or affected TPM firmware implementations.
The “Wormable” Danger: WSUS RCE (CVE‑2025‑59287)
A standout critical item is CVE‑2025‑59287, a deserialization RCE in Windows Server Update Services (WSUS) carrying a CVSS score of 9.8 across multiple trackers. The flaw lets an unauthenticated, remote attacker send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism and results in code execution on the server. Only hosts with the WSUS server role installed expose the vulnerable service (by default on TCP 8530/8531), but because WSUS sits on the update path for every managed endpoint, compromise of that one server has an outsized blast radius. Researchers warned the bug is wormable between affected WSUS instances, which makes it a top priority for fast remediation in any environment that still runs on‑premises WSUS. If you operate WSUS, test and deploy the WSUS security update immediately, and until it is applied restrict who can reach the WSUS ports or take the service off the network.
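As an added example (not code from The Register article or from Microsoft), the PowerShell below triages a host for CVE‑2025‑59287 exposure: it checks whether the WSUS role and service are present, whether anything is listening on the WSUS ports, whether a given KB is installed, and, if the fix cannot be confirmed, adds a temporary host‑firewall block on those ports. It assumes WSUS is on its default ports 8530/8531 (pass `-Ports` if you moved them); the KB number is a parameter you fill in from the Security Update Guide entry for the CVE, not a value taken from this page.

```powershell
# Added example: WSUS exposure triage for CVE-2025-59287. Run elevated on the host being assessed.
# Assumptions: default WSUS ports 8530/8531; Get-WindowsFeature (ServerManager module) is only
# available on Server SKUs, so RoleInstalled is $null on clients.

function Get-WsusExposure {
    param([int[]]$Ports = @(8530, 8531))

    $role = $null
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $role = [bool](Get-WindowsFeature -Name UpdateServices).Installed
    }
    $svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue

    # Listening sockets on the WSUS ports, resolved to the owning process (normally w3wp.exe).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        ForEach-Object {
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RoleInstalled = $role
        ServiceState  = if ($svc) { $svc.Status.ToString() } else { 'NotPresent' }
        Listeners     = @($listeners)
        # Exposed: the WSUS service exists here and something is accepting connections on its ports.
        Exposed       = ([bool]$svc) -and (@($listeners).Count -gt 0)
    }
}

function Test-KbInstalled {
    # $KB is the update identifier listed for the CVE in the Security Update Guide.
    param([Parameter(Mandatory)][string[]]$KB)
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ KB = $id; Installed = ($installed -contains $id) }
    }
}

function Block-WsusInbound {
    # Temporary containment only: drop inbound TCP to the WSUS ports until the update is
    # installed and validated, then remove the rule with Remove-NetFirewallRule -DisplayName $Name.
    param([int[]]$Ports = @(8530, 8531),
          [string]$Name = 'TEMP block WSUS ports (CVE-2025-59287)')
    if (-not (Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $Name -Direction Inbound -Protocol TCP `
            -LocalPort $Ports -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $Name | Select-Object DisplayName, Enabled, Action
}

# Fill this in from the Security Update Guide entry for CVE-2025-59287 before running.
$RequiredKb = @()

$exposure = Get-WsusExposure
$exposure | Format-List
if ($exposure.Exposed) {
    $missing = @()
    if ($RequiredKb.Count -gt 0) {
        $missing = @(Test-KbInstalled -KB $RequiredKb | Where-Object { -not $_.Installed })
    }
    if ($RequiredKb.Count -eq 0 -or $missing.Count -gt 0) {
        Write-Warning 'WSUS is listening and the fix is not confirmed installed: applying containment.'
        Block-WsusInbound
    }
}
```

The block rule stops clients from checking in as well as attackers from reaching the service, which is the point of containment; note the rule name in your change record so it is removed once `Test-KbInstalled` reports the update present and the service has been validated.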
Cross‑checked facts and reporting discrepancies
- Headline CVE counts differ across vendors (Qualys, Tenable, CyberScoop, The Register and others reported 167–175 CVEs). That divergence is expected: some trackers include cloud‑only, Edge/Chromium, or third‑party advisories; others stick strictly to Windows/Office advisories. Use Microsoft’s Security Update Guide and your asset inventory to resolve what actually affects your estate.
- The Register’s October roundup used a headline “175 Microsoft vulnerabilities, three under attack.” Several outlets corroborated the Agere and RASMAN zero‑days but reported two or three exploited CVEs depending on definitions (active exploitation vs. publicly disclosed + exploited). Treat press counts as a useful signal but verify against the vendor and CISA KEV.
- The AMD SEV‑SNP bug (CVE‑2025‑0033) is a hardware/firmware level race condition; remediation requires microcode, SEV firmware and hypervisor updates and, in cloud settings, coordinated vendor action. Microsoft’s advisory notes Azure Confidential Computing updates are in progress; don’t assume this is already fixed on all providers. Cross‑verify with AMD, hypervisor vendor and cloud provider advisories before deeming systems safe.
Practical, prioritized remediation plan for administrators
- Immediate triage (first 0–24 hours)
- Identify and tag hosts that are internet‑facing, domain controllers, WSUS servers, jump boxes, hypervisors and mail gateways. These are first‑order priorities.
- For WSUS servers, plan immediate emergency patching and consider isolating WSUS from untrusted networks until the update is deployed. The WSUS RCE is wormable and deserves top billing.
- Critical (24–72 hours)
- Deploy Microsoft’s October cumulative update and apply vendor KBs to test groups, then to production. Confirm successful installation through your patch‑management reporting (WSUS/SCCM/Intune compliance, or Get‑HotFix on sampled hosts); the Microsoft Update Catalog is where you obtain the packages, not where you verify they landed.
- Patch endpoints/servers that host Office, document‑parsing services, mail gateways and VDI pools — multiple Inbox COM / document preview bugs were fixed that can be used to escalate and move laterally. Disable preview panes in Outlook/Explorer on high‑risk groups until updates are validated.
- Operational hardening (72 hours – 2 weeks)
- For legacy hardware: identify systems that depend on ltmdm64.sys (Agere modem). The driver was removed in the update; fax/modem hardware reliant on this file will stop working. Communicate with stakeholders and plan alternate solutions for faxing where necessary.
- For AMD SEV‑SNP customers: subscribe to AMD, hypervisor and cloud provider advisories; schedule firmware/microcode rollouts in coordination with your cloud/hypervisor vendor. Avoid placing sensitive workloads on potentially vulnerable hosts until fixes are confirmed.
- Detection & response (ongoing)
- Create EDR hunts for suspicious behavior that commonly follows EoP/RCE chains: Explorer/Outlook spawning cmd/PowerShell, unexpected LSASS/COM crashes, evidence of token duplication, new persistent services, or suspicious deserialization activity on WSUS/APIs.
- Ingest vendor detection content (Snort/Talos/IDS rules) and apply vendor‑provided telemetry for the October updates. Many security vendors published detection signatures in parallel with the patches.
- Post‑patch validation
- Verify patch installation and test critical workflows (e.g., remote access, faxing where still required, document rendering services). For any functional regressions (driver removal, changed behaviors), plan mitigations or configuration changes and engage vendor support if needed.
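To make the before/after validation in the plan above concrete, here is an added example (not code from the article, Microsoft or The Register) that captures a per‑host snapshot before the October rollout and compares it afterwards: OS build and UBR, whether ltmdm64.sys is still on disk or registered as a kernel driver, and which modem devices Windows reports. The hosts flagged `NeedsFaxPlan` are the ones to warn stakeholders about before the driver disappears. It assumes the driver lives in the standard `System32\drivers` path and that a present modem device plus the driver file is a reasonable heuristic for dependency.

```powershell
# Added example: pre/post patch snapshot for the Agere driver removal (CVE-2025-24990 /
# CVE-2025-24052) and build-level validation of the October cumulative update.
# Assumption: ltmdm64.sys resides under %SystemRoot%\System32\drivers.

function Get-PatchSnapshot {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $driverFile = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'

    # Win32_SystemDriver enumerates registered kernel drivers; a hit means the driver is still wired in.
    $driverSvc = Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%ltmdm64%'" -ErrorAction SilentlyContinue

    # Modem devices Windows knows about; these are the hosts that may lose fax/modem function.
    $modems = Get-CimInstance Win32_POTSModem -ErrorAction SilentlyContinue |
        Select-Object Name, Status, PNPDeviceID

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        Timestamp      = (Get-Date).ToString('o')
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"
        AgereFile      = Test-Path $driverFile
        AgereDriverReg = [bool]$driverSvc
        AgereState     = if ($driverSvc) { $driverSvc.State } else { 'n/a' }
        Modems         = @($modems)
        # Heuristic: driver present AND a modem device present => likely functional dependency.
        NeedsFaxPlan   = (Test-Path $driverFile) -and (@($modems).Count -gt 0)
    }
}

function Compare-PatchSnapshot {
    param([Parameter(Mandatory)]$Before, [Parameter(Mandatory)]$After)
    [pscustomobject]@{
        ComputerName  = $After.ComputerName
        BuildBefore   = $Before.Build
        BuildAfter    = $After.Build
        BuildChanged  = $Before.Build -ne $After.Build
        DriverRemoved = $Before.AgereFile -and -not $After.AgereFile
        ModemsLost    = @($Before.Modems).Count - @($After.Modems).Count
        # Follow up if the file survived the update, or a dependent modem is still enumerated
        # (the device will show up but no longer work).
        FollowUp      = $After.AgereFile -or ($Before.NeedsFaxPlan -and @($After.Modems).Count -gt 0)
    }
}

# Usage: run before the update and persist the result, then run again after reboot and compare.
$before = Get-PatchSnapshot
$before | ConvertTo-Json -Depth 4 | Set-Content -Path "$env:COMPUTERNAME-before.json"
$before | Select-Object ComputerName, Build, AgereFile, AgereDriverReg, NeedsFaxPlan | Format-List

# After the October cumulative update and reboot:
# $after = Get-PatchSnapshot
# $before = Get-Content "$env:COMPUTERNAME-before.json" | ConvertFrom-Json
# Compare-PatchSnapshot -Before $before -After $after
```

`BuildChanged` is a coarse signal that the cumulative update applied (the UBR increments with each cumulative); pair it with the KB check from your patch‑management reporting rather than relying on it alone.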
Detection, logging and hunting guidance (concrete pointers)
- WSUS RCE (CVE‑2025‑59287): WSUS’s web services run inside IIS (w3wp.exe, the WsusPool application pool), so watch the IIS logs for inbound requests to the WSUS ports (8530/8531 by default) from unexpected sources, and watch for the IIS worker process spawning child processes, elevated error rates, or service crashes following incoming events. If you detect anomalies, isolate the server and gather memory/disk images for forensics.
- EoP chains involving RASMAN and the Agere driver: hunt for local escalation attempts (processes requesting token duplication, suspicious use of SeImpersonatePrivilege, or child processes launched from Explorer or from the svchost.exe instance hosting RasMan). Look for sudden SYSTEM processes under user‑session parents, writing to disk or modifying scheduled tasks.
- Document parsing / Inbox COM fixes: key telemetry includes Office/Explorer/Outlook process crashes or abnormal memory corruption signatures. Track Office preview pane usage on high‑risk accounts and consider disabling previews for users with elevated privileges.
- TPM/TPM2.0 (CVE‑2025‑2884): review TPM firmware advisories from platform OEMs and TCG; log TPM errors and any unexpected attestation failures. Systems using TPM‑backed key material deserve immediate attention for possible information disclosure vectors.
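The process‑lineage hunts listed above, as an added example (not detection content from the article or from any vendor named in it), written over Sysmon Event ID 1 (process creation). `Find-SuspiciousLineage` is a pure function over event objects, so it runs against the constructed sample records at the bottom with no event log present; `Get-SysmonProcessEvents` feeds it live events where Sysmon is installed. Assumptions: Sysmon logs process creation with the `User` and `ParentImage` fields; WSUS web services run as w3wp.exe; the sample records are invented for illustration and are not real telemetry.

```powershell
# Added example: EoP/RCE follow-on hunt over Sysmon process-creation events.
# Assumes Sysmon Event ID 1 with Image, ParentImage, CommandLine and User fields.

$ShellChildren  = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','certutil.exe'
# Parents that should not normally launch a shell or script host.
$SuspectParents = 'explorer.exe','outlook.exe','winword.exe','excel.exe','w3wp.exe','svchost.exe'
$UserSessionParents = 'explorer.exe','outlook.exe','winword.exe','excel.exe'

function Get-SysmonProcessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } `
        -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten <EventData><Data Name="...">value</Data> into a hashtable.
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
            User        = $d['User']
            ParentImage = $d['ParentImage']
        }
    }
}

function Find-SuspiciousLineage {
    param([Parameter(ValueFromPipeline)]$Event)
    process {
        $child  = [IO.Path]::GetFileName("$($Event.Image)").ToLower()
        $parent = [IO.Path]::GetFileName("$($Event.ParentImage)").ToLower()
        $reasons = @()

        if ($SuspectParents -contains $parent -and $ShellChildren -contains $child) {
            $reasons += "shell '$child' spawned by '$parent'"
        }
        # A SYSTEM child under a user-session parent is what a successful local EoP looks like.
        if ($Event.User -eq 'NT AUTHORITY\SYSTEM' -and $UserSessionParents -contains $parent) {
            $reasons += "SYSTEM process under user-session parent '$parent'"
        }
        # The WSUS app pool worker should not be spawning anything; post-59287 this is the key signal.
        if ($parent -eq 'w3wp.exe' -and $child -ne 'w3wp.exe') {
            $reasons += "IIS worker spawned '$child'"
        }
        if ("$($Event.CommandLine)" -match '(?i)-enc(odedcommand)?\s|downloadstring|\biex\b|frombase64string') {
            $reasons += 'encoded command or download cradle in command line'
        }

        if ($reasons.Count) {
            [pscustomobject]@{
                Time = $Event.Time; Host = $Event.Host; Parent = $parent; Child = $child
                User = $Event.User; Reasons = ($reasons -join '; '); CommandLine = $Event.CommandLine
            }
        }
    }
}

# Constructed sample records (not real telemetry) so the logic can be exercised offline.
$sample = @(
    [pscustomobject]@{ Time = Get-Date; Host = 'WSUS01'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe /c powershell -enc AAAA'; User = 'NT AUTHORITY\NETWORK SERVICE'
                       ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe' }
    [pscustomobject]@{ Time = Get-Date; Host = 'WKS17'; Image = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'cmd.exe'; User = 'NT AUTHORITY\SYSTEM'
                       ParentImage = 'C:\Windows\explorer.exe' }
    [pscustomobject]@{ Time = Get-Date; Host = 'WKS17'; Image = 'C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE'
                       CommandLine = 'winword.exe'; User = 'CORP\alice'
                       ParentImage = 'C:\Windows\explorer.exe' }
)
$sample | Find-SuspiciousLineage | Format-Table -AutoSize
# Live data: Get-SysmonProcessEvents | Find-SuspiciousLineage | Export-Csv hunt.csv -NoTypeInformation
```

On the sample, the first two records are flagged (IIS worker spawning cmd with an encoded PowerShell payload; a SYSTEM cmd.exe under Explorer) and the third, Word launched normally by a user, is not. Tune `$SuspectParents` to your estate: svchost.exe as a parent is noisy on its own, which is why it only fires in combination with a shell child.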
Strengths and weaknesses of Microsoft’s response this month
Strengths
- The cumulative approach consolidated related inbox COM fixes and other sibling issues into a single release, reducing fragmented patch windows and lowering the chance of staggered siblings being weaponized. This approach also simplified the KB→update mapping for many enterprises.
- Microsoft, MSTIC and MSRC coordination — plus vendor and CISA KEV entries — accelerated awareness for the most urgent issues (Agere driver removal, RASMAN active exploitation). Multiple vendors published detection guidance and update metadata in short order.
Weaknesses / Risks
- Driver removal as a remediation (ltmdm64.sys) solves the security problem but creates an operational regression for shops that still rely on legacy fax/modem hardware. That trade‑off forces organizations to balance security and continuity — and it may create support noise for help desks.
- The AMD SEV‑SNP issue demonstrates the growing complexity of firmware, microcode and hypervisor co‑dependency for confidential computing: fixes often require coordinated updates from multiple vendors and cloud providers, which lengthens mean time to remediation for high‑value cloud workloads.
Specific caveats and unverifiable claims
- Some press coverage lists three zero‑days under active exploitation while other reputable outlets list two active zero‑days and additional publicly disclosed vulnerabilities. This is a reporting‑methodology issue; the definitive status for whether a CVE is “exploited” for compliance or mandated remediation purposes must come from CISA KEV entries, Microsoft’s MSRC advisories and your organization’s risk posture. Treat any press headline as a signal, not an authoritative source for KEV action windows.
- Vendor CVSS scores and exploitability claims sometimes change as NVD/CVE trackers enrich records; always verify the CVE→KB→SKU mapping in Microsoft’s Security Update Guide (and the corresponding packages in the Update Catalog) before mass deployments. Automated tooling that relies solely on headline CVE counts can misprioritize; asset‑specific exposure is what matters operationally.
Checklist for the next 7 days (actionable, admin‑friendly)
- Inventory: map CVEs to installed SKUs and identify affected hosts.
- WSUS emergency: apply the WSUS KB on a test WSUS server, validate, then patch production. If you can’t patch immediately, consider isolating WSUS or reducing its network exposure.
- Patch endpoints and servers: apply the October cumulative and vendor updates, starting with domain controllers, mail gateways, hypervisors and admin workstations.
- Disable preview panes for high‑risk users until Office/Explorer updates are deployed and validated.
- Coordinate with cloud and hardware vendors for AMD firmware/hypervisor updates; don’t assume provider‑side fixes are complete.
- Run EDR hunts for the behaviors described above and collect evidence for any anomalies.
- Communicate with stakeholders about any expected functional regressions (e.g., fax/modem loss) caused by driver removal.
Conclusion
October’s Patch Tuesday is a heavy operational lift: the combination of large CVE counts, multiple active zero‑days and at least one wormable WSUS RCE creates a high‑urgency environment for IT and security teams. The defensible approach is straightforward and uncompromising: inventory, prioritize, patch, validate and hunt, in that order. Apply the WSUS and the zero‑day fixes first, coordinate firmware and hypervisor patches with vendors for AMD SEV‑SNP, and prepare for operational fallout where Microsoft’s remediation involves removal of legacy drivers. Short‑term pain is better than long‑term compromise: rapid, measured patching now will prevent far worse incident response and recovery costs later.
Source: theregister.com
Microsoft frightful Patch Tuesday: 175+ CVEs, 3 under attack