Today’s Patch Tuesday Alert addresses Microsoft’s October 2025 Security Updates. We are actively working on coverage for these vulnerabilities and expect to ship that coverage as soon as it is completed.
In-The-Wild & Disclosed CVEs
The first exploitation detected CVE this month is a vulnerability discovered by Zack Didcott that was disclosed in May 2025. Zack had an incredibly detailed write-up on this vulnerability available on GitHub that I would highly recommend reading. The vulnerability is in IGEL OS, a secure endpoint solution, and IGEL released an advisory regarding this vulnerability, which is in an unsupported version of the OS, back in June. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Windows Remote Access Connection Manager could allow a successful local attacker to elevate to SYSTEM level privileges. Microsoft has reported this vulnerability as Exploitation Detected.
A vulnerability in the Agere Modem Driver, which ships with Windows, could allow an attacker to elevate themselves to administrator privileges, even if the modem is not being used. Microsoft is resolving this vulnerability by removing the driver from the system. Microsoft has reported this vulnerability as Exploitation Detected.
Like CVE-2025-24990, this CVE describes a second privilege escalation that could result in a successful attacker gaining administrator privileges due to a flaw in the Agere Modem Driver. Again, the vulnerability is resolved by removing the vulnerable driver from the system. This CVE has not yet seen active exploitation. Microsoft has reported this vulnerability as Exploitation More Likely.
A race condition in certain AMD processors can occur when the AMD Secure Processor is initializing the Reverse Map Table. AMD has documented this vulnerability in an advisory. Microsoft has addressed this vulnerability because the AMD EPYC processors are used within Azure Confidential Computing products. According to Microsoft, updates are being developed but are not yet released. Microsoft has reported this vulnerability as Exploitation Less Likely.
A vulnerability in the Trusted Platform Module (TPM) 2.0 reference implementation, which was implemented by multiple vendors, requires updates. This vulnerability was first addressed in an advisory from the Trusted Computing Group in June 2025. At the same time, libtpms addressed CVE-2025-49133 related to this, and Intel released an advisory on the issue. The October patches from Microsoft address this vulnerability as well. Microsoft has reported this vulnerability as Exploitation Less Likely.
CVE Breakdown by Tag
While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also color coded to aid with identifying key issues.
Tag | CVE Count | CVEs |
Azure Connected Machine Agent | 2 | CVE-2025-47989, CVE-2025-58724 |
AMD Restricted Memory Page | 1 | CVE-2025-0033 |
Microsoft Brokering File System | 2 | CVE-2025-48004, CVE-2025-59189 |
Windows Device Association Broker service | 2 | CVE-2025-50174, CVE-2025-55677 |
Microsoft Exchange Server | 3 | CVE-2025-53782, CVE-2025-59249, CVE-2025-59248 |
.NET | 1 | CVE-2025-55247 |
ASP.NET Core | 1 | CVE-2025-55315 |
Agere Windows Modem Driver | 2 | CVE-2025-24990, CVE-2025-24052 |
Microsoft Configuration Manager | 2 | CVE-2025-55320, CVE-2025-59213 |
Windows Storage Management Provider | 1 | CVE-2025-55325 |
Windows BitLocker | 6 | CVE-2025-55333, CVE-2025-55338, CVE-2025-55330, CVE-2025-55332, CVE-2025-55337, CVE-2025-55682 |
Windows NTFS | 1 | CVE-2025-55335 |
Windows Cloud Files Mini Filter Driver | 2 | CVE-2025-55336, CVE-2025-55680 |
Windows NDIS | 1 | CVE-2025-55339 |
Windows Remote Desktop Protocol | 1 | CVE-2025-55340 |
Windows USB Video Driver | 1 | CVE-2025-55676 |
Windows DWM | 2 | CVE-2025-55681, CVE-2025-58722 |
Windows PrintWorkflowUserSvc | 8 | CVE-2025-55685, CVE-2025-55686, CVE-2025-55689, CVE-2025-55331, CVE-2025-55684, CVE-2025-55688, CVE-2025-55690, CVE-2025-55691 |
Windows Resilient File System (ReFS) | 1 | CVE-2025-55687 |
Windows Routing and Remote Access Service (RRAS) | 2 | CVE-2025-55700, CVE-2025-58717 |
Microsoft Windows | 1 | CVE-2025-55701 |
Microsoft Windows Speech | 2 | CVE-2025-58715, CVE-2025-58716 |
Connected Devices Platform Service (Cdpsvc) | 3 | CVE-2025-58719, CVE-2025-55326, CVE-2025-59191 |
Windows Bluetooth Service | 3 | CVE-2025-58728, CVE-2025-59290, CVE-2025-59289 |
Inbox COM Objects | 9 | CVE-2025-58732, CVE-2025-58735, CVE-2025-59282, CVE-2025-58730, CVE-2025-58731, CVE-2025-58733, CVE-2025-58734, CVE-2025-58736, CVE-2025-58738 |
Windows Core Shell | 2 | CVE-2025-59185, CVE-2025-59244 |
Windows Kernel | 10 | CVE-2025-59186, CVE-2025-59207, CVE-2025-50152, CVE-2025-55334, CVE-2025-55679, CVE-2025-55683, CVE-2025-55693, CVE-2025-55699, CVE-2025-59187, CVE-2025-59194 |
Microsoft Graphics Component | 5 | CVE-2025-59195, CVE-2025-49708, CVE-2016-9535, CVE-2025-59205, CVE-2025-59261 |
Windows SSDP Service | 1 | CVE-2025-59196 |
Software Protection Platform (SPP) | 1 | CVE-2025-59199 |
Data Sharing Service Client | 1 | CVE-2025-59200 |
Network Connection Status Indicator (NCSI) | 1 | CVE-2025-59201 |
Windows Remote Desktop Services | 1 | CVE-2025-59202 |
Windows Management Services | 2 | CVE-2025-59204, CVE-2025-59193 |
Windows Resilient File System (ReFS) Deduplication Service | 2 | CVE-2025-59206, CVE-2025-59210 |
Windows Push Notification Core | 2 | CVE-2025-59211, CVE-2025-59209 |
Microsoft Office SharePoint | 2 | CVE-2025-59228, CVE-2025-59237 |
Microsoft Office Excel | 9 | CVE-2025-59231, CVE-2025-59233, CVE-2025-59235, CVE-2025-59236, CVE-2025-59243, CVE-2025-59223, CVE-2025-59224, CVE-2025-59225, CVE-2025-59232 |
Microsoft Office | 3 | CVE-2025-59234, CVE-2025-59227, CVE-2025-59229 |
Windows Ancillary Function Driver for WinSock | 2 | CVE-2025-59242, CVE-2025-58714 |
JDBC Driver for SQL Server | 1 | CVE-2025-59250 |
Windows DWM Core Library | 2 | CVE-2025-59254, CVE-2025-59255 |
Microsoft Windows Codecs Library | 1 | CVE-2025-54957 |
Windows Local Session Manager (LSM) | 3 | CVE-2025-59257, CVE-2025-59259, CVE-2025-58729 |
Active Directory Federation Services | 1 | CVE-2025-59258 |
Windows Authentication Methods | 3 | CVE-2025-59277, CVE-2025-59275, CVE-2025-59278 |
Windows SMB Client | 1 | CVE-2025-59280 |
Windows Failover Cluster | 2 | CVE-2025-47979, CVE-2025-59188 |
Visual Studio | 2 | CVE-2025-54132, CVE-2025-55240 |
XBox Gaming Services | 1 | CVE-2025-59281 |
Windows NTLM | 1 | CVE-2025-59284 |
Microsoft Edge (Chromium-based) | 14 | CVE-2025-11212, CVE-2025-11211, CVE-2025-11209, CVE-2025-11205, CVE-2025-11460, CVE-2025-11458, CVE-2025-11215, CVE-2025-11216, CVE-2025-11213, CVE-2025-11210, CVE-2025-11207, CVE-2025-11208, CVE-2025-11206, CVE-2025-11219 |
GitHub | 1 | CVE-2025-59288 |
Confidential Azure Container Instances | 2 | CVE-2025-59291, CVE-2025-59292 |
Windows Taskbar Live | 1 | CVE-2025-59294 |
Internet Explorer | 1 | CVE-2025-59295 |
Azure Monitor Agent | 2 | CVE-2025-59494, CVE-2025-59285 |
Windows Remote Procedure Call | 1 | CVE-2025-59502 |
Virtual Secure Mode | 1 | CVE-2025-48813 |
Microsoft PowerShell | 1 | CVE-2025-25004 |
Windows Virtualization-Based Security (VBS) Enclave | 1 | CVE-2025-53717 |
Windows Digital Media | 2 | CVE-2025-53150, CVE-2025-50175 |
Windows Hello | 1 | CVE-2025-53139 |
Xbox | 1 | CVE-2025-53768 |
.NET, .NET Framework, Visual Studio | 1 | CVE-2025-55248 |
Windows Hyper-V | 1 | CVE-2025-55328 |
Windows DirectX | 2 | CVE-2025-55678, CVE-2025-55698 |
Windows Error Reporting | 2 | CVE-2025-55692, CVE-2025-55694 |
Windows WLAN Auto Config Service | 1 | CVE-2025-55695 |
NtQueryInformation Token function (ntifs.h) | 1 | CVE-2025-55696 |
Azure Local | 1 | CVE-2025-55697 |
Remote Desktop Client | 1 | CVE-2025-58718 |
Windows Cryptographic Services | 1 | CVE-2025-58720 |
Windows COM | 1 | CVE-2025-58725 |
Windows SMB Server | 1 | CVE-2025-58726 |
Windows Connected Devices Platform Service | 1 | CVE-2025-58727 |
Windows Remote Desktop | 1 | CVE-2025-58737 |
Windows File Explorer | 2 | CVE-2025-58739, CVE-2025-59214 |
Windows High Availability Services | 1 | CVE-2025-59184 |
Microsoft Windows Search Component | 3 | CVE-2025-59190, CVE-2025-59198, CVE-2025-59253 |
Storport.sys Driver | 1 | CVE-2025-59192 |
Windows ETL Channel | 1 | CVE-2025-59197 |
Windows StateRepository API | 1 | CVE-2025-59203 |
Windows MapUrlToZone | 1 | CVE-2025-59208 |
Microsoft Office Word | 2 | CVE-2025-59221, CVE-2025-59222 |
Microsoft Office Visio | 1 | CVE-2025-59226 |
Microsoft Office PowerPoint | 1 | CVE-2025-59238 |
Windows Health and Optimized Experiences Service | 1 | CVE-2025-59241 |
TCG TPM2.0 | 1 | CVE-2025-2884 |
Windows Remote Access Connection Manager | 1 | CVE-2025-59230 |
Microsoft Failover Cluster Virtual Driver | 1 | CVE-2025-59260 |
Games | 1 | CVE-2025-59489 |
Windows Server Update Service | 1 | CVE-2025-59287 |
Windows Secure Boot | 1 | CVE-2025-47827 |
Microsoft Defender for Linux | 1 | CVE-2025-59497 |
Azure Entra ID | 2 | CVE-2025-59218, CVE-2025-59246 |
Azure PlayFab | 1 | CVE-2025-59247 |
Copilot | 3 | CVE-2025-59252, CVE-2025-59272, CVE-2025-59286 |
Redis Enterprise | 1 | CVE-2025-59271 |
Azure Monitor | 1 | CVE-2025-55321 |
Other Information
At the time of publication, there were no new advisories included with the October Security Guidance.