Last Windows 10 Patch Tuesday Fixes Six Zero Days

By Team-CWD, October 15, 2025


It’s set to be a busy October for system administrators after Microsoft issued security updates to fix 172 vulnerabilities including six classed as zero-days.

Three of the zero-day vulnerabilities in this month’s Patch Tuesday list are being actively exploited.

CVE-2025-59230 is a local elevation of privilege (EoP) bug in the Windows Remote Access Connection Manager.

“With no user interaction required, this will go straight into an attacker’s standard toolkit,” warned Rapid7 lead software engineer, Adam Barnett.

“There’s very little information in the advisory itself, but someone out there knows exactly how to exploit this vulnerability.”

CVE-2025-24990 is another EoP vulnerability, this time in the third-party Agere Modem driver (ltmdm64.sys) which ships with Windows. Interestingly, Microsoft has removed the driver rather than patch the flaw.

Ben McCarthy, lead cybersecurity engineer at Immersive, argued that the bug highlights the risks of legacy components.

“This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years. Kernel-mode drivers operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access,” he explained. 

“Microsoft’s decision to remove the driver entirely, rather than issue a patch, is a direct response to the risks associated with modifying unsupported, third-party legacy code. Attempts to patch such a component can be unreliable, potentially introducing system instability or failing to address the root cause of the vulnerability completely.”
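For administrators who want to confirm that the driver is actually gone after updating, the following PowerShell audit is an added example, not part of the original article or of Microsoft's guidance. The two search directories are assumed standard Windows driver locations, since the article names only the file ltmdm64.sys.

```powershell
# Added example: audit a Windows host for the Agere Modem driver named in the article.
# Assumption: the directories below are the usual driver locations; the article
# gives only the file name (ltmdm64.sys), not a path.
$driverFile  = 'ltmdm64.sys'
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

function Find-LegacyDriver {
    param(
        [Parameter(Mandatory)] [string]   $FileName,
        [Parameter(Mandatory)] [string[]] $Roots
    )

    # 1. Copies of the binary on disk (installed copy and staged driver packages).
    foreach ($root in $Roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind   = 'File'
                    Detail = $_.FullName
                    State  = "Modified $($_.LastWriteTimeUtc.ToString('u'))"
                }
            }
    }

    # 2. Kernel driver services whose image path still points at the binary.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -like "*\$FileName" } |
        ForEach-Object {
            [pscustomobject]@{
                Kind   = 'Service'
                Detail = "$($_.Name) -> $($_.PathName)"
                State  = "$($_.State) / $($_.StartMode)"
            }
        }
}

$result = @(Find-LegacyDriver -FileName $driverFile -Roots $searchRoots)
if ($result.Count -gt 0) {
    $result | Format-Table -AutoSize
    Write-Warning "$driverFile is still present on $env:COMPUTERNAME; confirm this month's update is installed."
} else {
    Write-Output "$driverFile not found on $env:COMPUTERNAME."
}
```

Run it from an elevated prompt so the DriverStore search is not silently truncated by access-denied errors.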


The third zero-day actively being exploited in the wild is CVE-2025-47827: a secure boot bypass bug that affects IGEL OS, a third-party OS designed to provide virtual desktop infrastructure.

Kev Breen, senior director of threat research at Immersive, claimed a proof of concept has been available for this vulnerability since May, making exploitation trivial.

“The impacts of a secure boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the virtual desktops, including capturing credentials,” he added.

“It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that ‘evil-maid’ style attacks are the most likely vector affecting employees who travel frequently.”

Three Publicly Disclosed Zero-Days

The three remaining zero-days have been publicly disclosed but so far not exploited. They are:

  • CVE-2025-0033: a critical vulnerability in AMD EPYC processors using Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), for which there’s not yet a patch
  • CVE-2025-24052: an EoP bug in Agere Modem driver similar to CVE-2025-24990
  • CVE-2025-2884: an out-of-bounds read vulnerability in TCG TPM2.0 that could result in information disclosure or denial of service 

This is the last Patch Tuesday in which Windows 10 users will receive free updates. To continue receiving patches, consumers and business customers will need to pay for Microsoft’s Extended Security Updates (ESU) scheme.
