October 2025 Patch Tuesday: 172 CVEs, WSUS RCE, Windows 10 End of Support

Microsoft’s October Patch Tuesday landed as a heavy-duty operational event: the industry is parsing a torrent of fixes — reported between roughly 167 and 175 distinct Microsoft CVEs depending on the tracker used — and administrators must now triage a set of high‑impact remote code execution flaws, multiple zero‑days (some already exploited), processor and TPM disclosures, and the formal end of mainstream Windows 10 support. The exact CVE total varies by outlet and inclusion rules, but the practical takeaway is straightforward: this is one of the largest, most consequential Patch Tuesdays in recent memory and it requires immediate, prioritized action.

---

Background / Overview​

Microsoft’s October 2025 cumulative security release closes a wide range of vulnerabilities across client and server OSes, Office, developer stacks and update infrastructure. Industry trackers report differing totals (commonly 167, 172, or 175 CVEs) because some outlets include separate cloud, Chromium/Edge, or third‑party advisories that Microsoft published outside the classic Windows/Office rollup. That counting variance does not reduce the operational urgency: several of the patched bugs are rated critical with CVSS scores near the top of the scale, and a subset were publicly disclosed or confirmed exploited prior to patching. This release also arrives on a calendar pivot: Microsoft’s scheduled end-of-support deadline for mainstream Windows 10 (October 14, 2025). With Windows 10 moving out of regular support for most SKUs, the ecosystem shift adds urgency for organizations that still run large Windows 10 fleets. Microsoft’s guidance and Extended Security Updates (ESU) options are now the formal path for staying patched past this date.

---

Headline risks and what to patch first​

The “WSUS” emergency: CVE‑2025‑59287 (Remote Code Execution — CVSS 9.8)​

• What it is: a deserialization vulnerability in Windows Server Update Services (WSUS) that allows unauthenticated remote attackers to trigger unsafe object deserialization and achieve remote code execution. The vendor-rated CVSS is 9.8, and Microsoft assessed “Exploitation More Likely” for this flaw.
• Why it matters: WSUS sits at the heart of many on‑premises update pipelines. A successful exploit could let an attacker distribute arbitrary payloads through a trusted update channel, drastically increasing blast radius and enabling rapid lateral movement.
• Operational action: prioritize patching WSUS servers immediately, validate WSUS catalog integrity after patching, and temporarily restrict WSUS network exposure if patching must be delayed. Multiple independent vendors flagged this flaw as top priority in their Patch Tuesday analysis.

Locally exploited zero‑days that must be mitigated fast​

• CVE‑2025‑59230 — Remote Access Connection Manager (RasMan) elevation of privilege: Microsoft confirmed exploitation in the wild. This is a local improper access‑control EoP that can elevate a low‑privileged user to SYSTEM and is a common chaining target for attackers. Patch immediately and hunt for indications of local privilege escalation.
• CVE‑2025‑24990 (and CVE‑2025‑24052) — Agere modem (ltmdm64.sys) driver: Microsoft removed the legacy Agere modem driver shipped in many Windows images to eliminate the attack surface after active exploitation was observed. The removal mitigates the immediate security risk, but organizations using fax/modem hardware that depend on that specific driver will experience service loss after applying updates. Inventory affected hosts before mass deployment and communicate with impacted business units.
• CVE‑2025‑47827 — IGEL OS Secure Boot bypass: Although the underlying bug exists in IGEL OS (prior to version 11), the security implications extended into Windows environments via firmware/UEFI revocation and Secure Boot policy updates; Microsoft’s rollup includes mitigations that effectively revoke the affected UEFI asset. IGEL and independent researchers documented the bypass and in‑the‑wild exploitation.

---

Deeper technical context: processor, TPM, and driver issues​

AMD SEV‑SNP: CVE‑2025‑0033 (RMP initialization race — “RMPocalypse”)​

A hardware/firmware race condition in AMD’s SEV‑SNP implementation can permit a privileged hypervisor to corrupt the Reverse Map Table (RMP) during initialization. The result undermines SEV‑SNP integrity guarantees and threatens confidential VM isolation on affected EPYC families. AMD published a vendor advisory and mitigation guidance; cloud providers (including Azure Confidential Compute) are coordinating updates for host firmware and hypervisor stacks. Because exploitation requires administrative hypervisor privileges, this is a high‑impact but not trivial remote attack — it is primarily a concern for cloud/confidential compute operators and hypervisor administrators. Track AMD’s bulletin and apply microcode/firmware and hypervisor updates as vendors release them.

TPM 2.0 reference implementation: CVE‑2025‑2884 (CryptHmacSign out‑of‑bounds read)​

A flaw in the TPM2.0 reference implementation’s CryptHmacSign helper can produce an out‑of‑bounds read that may disclose sensitive material. Because the TCG reference implementation informs many downstream OEM TPM firmware builds, the discovery maps quickly into vendor-specific TPM firmware and platform impacts. Microsoft treated this as a zero‑day for affected platforms and rolled mitigations for Windows 11 and newer server SKUs; older Windows versions may receive limited remediation guidance, increasing the migration pressure for legacy installs. This is a cross‑supply‑chain problem: firmware vendors must issue updates and administrators must coordinate platform firmware rollouts.

Legacy kernel drivers: the Agere modem removal​

Microsoft removed ltmdm64.sys — a legacy Agere soft‑modem driver — rather than deliver an in‑place vendor patch. That decision eliminates risk from an unmaintained kernel driver but causes real operational impact where fax/modem hardware remain in use. The security trade‑off is stark but defensible: removing unmaintained kernel code reduces attack surface for thousands of systems. Organizations that absolutely require modem functionality should prepare alternative hardware or vendor‑maintained drivers before mass deployment.

---

Lifecycle and the Windows 10 finale: practical implications​

October’s rollup coincided with Microsoft’s formal end of mainstream support for consumer and most enterprise Windows 10 SKUs (October 14, 2025). Microsoft’s documented guidance explains options: upgrade eligible hardware to Windows 11, enroll devices in the Windows 10 Consumer ESU program (one‑year options exist for qualifying scenarios), or accept increasing residual risk for unsupported systems. For enterprises that must keep Windows 10 long‑term (medical devices, industrial control), the Long Term Servicing Channel (LTSC) and paid ESU programs are the typical options — both carry costs and operational complexity. Plan migrations now; the risk of running unpatched Windows 10 only grows as high‑severity bugs are discovered.

---

Where reporting and counts diverge (and why that matters)​

Multiple outlets reported different CVE totals for October’s release: common tallies include 167, 172, or 175 Microsoft‑tracked CVEs. The divergence stems from inclusion rules:

• Some trackers include cloud‑only advisories (Azure Linux/Mariner), third‑party libraries and Chromium/Edge advisories Microsoft published separately earlier in the month.
• Others restrict the count to Windows/Office/Exchange/etc. advisories only.
  For operational teams, the concrete enumeration matters less than mapping your assets to the specific KB/security update IDs and CVEs. Treat per‑asset exposure as decisive; headline CVE counts are a signal, not a substitute for asset‑centric triage.

---

Practical, prioritized remediation playbook​

Security teams should execute the following prioritized steps in the first 72 hours after release:

• Emergency triage (hours 0–72)
• Patch WSUS servers immediately (CVE‑2025‑59287). If WSUS cannot be patched within a narrow window, isolate the service from untrusted networks and restrict administrative access.
• Patch domain controllers, email servers (Exchange), and internet‑facing services that appear in the update advisories next.
• Apply the RasMan and Agere driver fixes to endpoints and servers in high‑value segments; track hosts that depend on the removed modem driver to avoid service surprises.
• Rapid validation and hunting (days 1–7)
• Validate update deployment and rollback strategies on test systems.
• Hunt EDR logs for indicators of local privilege escalation and unusual WSUS/SCCM/patch distribution activity.
• Confirm firmware/UEFI/TPM firmware status on platforms that rely on TPM-backed keys (e.g., BitLocker, Windows Hello for Business).
• Operational stabilization (week 1)
• Reconcile KB→CVE→SKU mappings in your patch automation and CMDB.
• Communicate to business units about the Agere driver removal and potential device impact.
• Coordinate with cloud/hardware vendors to schedule microcode and hypervisor updates for AMD‑related mitigations.
• Longer‑term: feet on the floor (weeks 2–8)
• Replace or remove legacy drivers and out‑of‑support firmware from images.
• Reassess Windows 10 fleet migration strategy and ESU enrollment where appropriate.
• Harden update pipelines (signing, access control, monitoring) to reduce the blast radius of any future supply‑chain compromise.

Follow these actions in order: inventory → protect update infrastructure → patch critical hosts → hunt and validate. This sequence minimizes risk from both the patched vulnerabilities and any latent active exploitation.

---

Detection and compensation guidance (quick checks)​

• WSUS: check for unexpected package catalogs, unknown signatures, and unexpected outbound connections from WSUS servers. Validate update catalog signing artifacts and review event logs around update ingestion.
• RasMan/Local EoPs: hunt for anomalous user processes spawning SYSTEM services, new scheduled tasks, modifications to service binaries, and unusual use of privilege elevation utilities.
• Agere/driver removal: enumerate hosts for ltmdm64.sys in C:\Windows\System32\drivers or via inventory tooling; notify owners of impacted endpoints.
• TPM: monitor UEFI/TPM firmware update logs, attestation failures, and unexpected key policy changes.
• AMD/SEV‑SNP: if running confidential compute or hosting VMs on AMD EPYC hardware, consult cloud or OEM advisories and plan coordinated firmware/microcode/hypervisor deployments.

---

Strengths and weaknesses of Microsoft’s response​

Strengths​

• Rapid triage: Microsoft and its security teams (MSRC, MSTIC) detected in‑the‑wild exploitation for several local EoPs and coordinated disclosure and updates quickly.
• Consolidation: bundling related fixes into a single cumulative release reduces the frequency of fragmented emergency rollouts and clarifies KB mappings for enterprises.
• Hardening posture: removal of legacy kernel code (ltmdm64.sys) shows a pragmatic decision to eliminate unmaintained attack surface rather than attempt fragile in‑place kernel fixes.

Weaknesses and operational fallout​

• The driver‑removal remediation (Agere) creates immediate operational regressions for organizations that still depend on fax/modem hardware, forcing urgent inventory and potential hardware replacements.
• Cross‑vendor coordination gaps: hardware/firmware problems (AMD SEV‑SNP, TPM reference implementation) show the complexity of fixes that require coordinated microcode, firmware, and vendor stacks — which lengthens the time to full remediation.
• Messaging ambiguity: inconsistent CVE counts in press coverage can confuse non‑technical stakeholders; the definitive mapping must come from Microsoft’s Security Update Guide and KB release notes. Flag any headline claims and verify asset exposure using vendor KBs.

---

Cross‑checked facts and flagged unverifiable claims​

• Counts and classification: multiple reputable vendors report between 167 and 175 Microsoft CVEs for October’s rollout; the 172 figure appears in credible trade coverage but is not universal. Treat differences as an artifact of inclusion criteria (cloud-only advisories, Chromium patches, etc.. This is verifiable by comparing Microsoft’s Security Update Guide with vendor trackers.
• Microsoft and TCG founding membership: Microsoft was a founding promoter of the Trusted Computing Group (successor to the TCPA), so statements noting Microsoft’s institutional role in the TPM ecosystem are accurate. However, attributing knowledge or timing of a specific TCG errata to Microsoft’s internal awareness is speculative unless Microsoft explicitly states so. Flag such attribution as inference, not established fact.
• Processor vulnerability impact: AMD’s CVE‑2025‑0033 (SEV‑SNP RMP issue) is documented by AMD; the practical exploitability context (requires hypervisor admin) is confirmed in vendor advisories. Any press claims about mass cloud compromise or immediate exfiltration should be treated cautiously unless backed by independent exploit evidence. Cross‑reference AMD’s bulletin and NVD entries for vendor guidance before altering production hypervisor configurations.

---

Longer view: what this Patch Tuesday signals for Windows ops​

• Legacy code is being excised. Microsoft’s removal of ltmdm64.sys shows an explicit preference: if legacy, unmaintained kernel code poses material risk, remove it and force operational change rather than ship brittle, partial fixes.
• Supply‑chain and firmware complexity will continue to dominate risk. The TPM and AMD issues illustrate how hardware, firmware, hypervisors and OS stacks interlock — and how fixes can require coordinated vendor action.
• The Windows 10 lifecycle boundary changes risk calculus for many smaller organizations and consumers. Without free ongoing security updates, Windows 10 devices drift toward greater exposure; ESU is a stopgap, not a long‑term strategy. Plan migrations sooner rather than later.

---

Final assessment and takeaways​

October’s Patch Tuesday is not just “another month” — it is an operational milestone. The mix of a high‑severity WSUS RCE (wormable potential), multiple actively exploited local zero‑days, processor and TPM disclosures, and the formal retirement of mainstream Windows 10 support creates a rare confluence of risk and timing.

• Immediate priorities: patch WSUS and update management servers, remediate RasMan and other actively exploited zero‑days, and inventory dependence on removed drivers (ltmdm64.sys).
• Mid‑term priorities: coordinate firmware/hypervisor updates for AMD mitigations, validate TPM firmware status and rollout updates, and accelerate Windows 10 migration or ESU planning for at‑risk assets.
• Organizational priorities: communicate clearly to stakeholders about any functional regressions (fax/modem removal), and map CVEs to installed SKUs in your CMDB so remediation is trackable and auditable.

This Patch Tuesday is a test of process more than technology: organizations that maintain current inventories, enforce strict update‑pipeline protections for their patch‑distribution infrastructure, and prioritize infrastructure updates (not just endpoint rollouts) will weather the event far better than those relying on ad‑hoc patching. The practical blueprint is well known: inventory, prioritize, patch, validate, and hunt — in that order.

---

Conclusion
The October security sweep demands disciplined execution. Apply emergency patches to update infrastructure and exploited zero‑days, coordinate firmware and hypervisor updates with cloud and OEM vendors, and resolve the operational consequences of driver removals before broad deployment. Treat headline CVE counts as the starting point for asset‑specific triage, not the end goal. The security calculus has shifted: fewer places to hide for legacy, unmaintained code — and more reason than ever to keep update pipelines fast, verifiable, and tightly monitored.

---

Source: SecurityBrief Australia October Patch Tuesday reveals 172 Vulnerabilities