Microsoft fixed two actively exploited Windows zero-day vulnerabilities – including one in every Windows version.
Introduction
Microsoft’s Patch on Tuesday update was massive, addressing 183 security flaws across Windows and related products. This release also coincided with the official end of free support for Windows 10, marking a notable transition as organizations move to newer platforms. Among the patches were fixes for three vulnerabilities already under active attack (so-called “zero-day” flaws that were exploited before patches became available). Two of these zero-days reside in core Windows components and are particularly alarming – one involves a legacy driver present on every Windows installation, and another targets an essential remote access service.
Two Actively Exploited Windows Zero-Day Flaws
Microsoft disclosed two Windows vulnerabilities that attackers had been exploiting in the wild prior to the patch release. Both are elevation of privilege (EoP) flaws – meaning they allow a user or malware with limited access to gain administrator-level control over the system. Below we explain each zero-day and why it’s so significant.
Legacy Modem Driver Vulnerability (CVE-2025-24990)
CVE-2025-24990 is an EoP vulnerability in an old Agere Systems modem driver (ltmdm64.sys) that has shipped by default with every Windows version in recent memory. In fact, this vulnerable driver comes pre-installed on all Windows systems, even if the PC has no fax/modem hardware connected. This ubiquity makes the flaw especially dangerous – an attacker who already has a foothold (even a low-privilege user account) could exploit the bug to escalate to full administrator rights on virtually any Windows machine.
Microsoft noted that attackers could use this driver bug to execute malicious code with elevated privileges (i.e. high-level system access). Because the driver is part of legacy software and not essential for modern systems, Microsoft’s response is unusual: rather than issuing a typical code patch, they removed the buggy driver entirely via the update. (Organizations using older fax/modem devices should be aware that those might stop working as a result of the driver’s removal.) Security experts have labeled this vulnerability “dangerous” due to its deep roots in legacy code that’s present regardless of whether the associated hardware is in use. In other words, even if your PC never used dial-up or fax features, it still has this driver lurking and is vulnerable until patched.
It’s worth noting that Microsoft attributed discovery of the issue to external researchers (citing Fabian Mosch and Jordan Jay), highlighting that this was not an internally found bug. Ultimately, CVE-2025-24990 affects all supported versions of Windows, up to Windows Server 2025, meaning the attack surface is extremely broad.
Remote Access Service Vulnerability (CVE-2025-59230)
The second zero-day, CVE-2025-59230, is an EoP flaw in the Windows Remote Access Connection Manager service, commonly known as RasMan. RasMan is a Windows component responsible for handling dial-up and VPN connections. This vulnerability is significant because it’s reportedly the first known RasMan flaw to be exploited as a zero-day. (Microsoft had patched over 20 RasMan-related issues since 2022, but none of those were observed being actively abused.)
In this case, an attacker who already has some level of access to a Windows system could exploit RasMan’s improper access controls to gain SYSTEM-level privileges (the highest level of access in Windows). Microsoft’s advisory indicated that a certain amount of preparation or effort is required to abuse this RasMan bug, which suggests the exploit might not be trivial for all attackers. Nevertheless, because RasMan runs on many Windows machines (especially those using built-in VPN or remote access features), this vulnerability presented a ready target for malware or malicious users to elevate privileges and take over the system. Microsoft quickly issued a fix to tighten RasMan’s access control and stop the ongoing exploitation.
As with the modem driver bug, CVE-2025-59230 has a CVSS severity score of 7.8, indicating high impact. While details on the exact exploitation method have not been publicly disclosed by Microsoft (likely to prevent copycat attacks), the existence of active attacks means organizations should patch this flaw immediately. Privilege escalation vulnerabilities like these are often leveraged in the second stage of an attack – for example, a hacker might first infect a machine via malware or phishing (gaining user-level access), then use an exploit like this to fully commandeer the system. Patching closes that door.
Secure Boot Bypass in IGEL OS (CVE-2025-47827)
Beyond the Windows-specific bugs, patch updates also included a fix for a Secure Boot bypass vulnerability (CVE-2025-47827) in IGEL OS, a Linux-based operating system often used on thin clients and virtual desktop endpoints. This flaw was actively exploited in real-world attacks as well. While not a Windows vulnerability per se, Microsoft coordinated on this fix (likely because Secure Boot trust is managed through Windows and UEFI firmware). The vulnerability, first disclosed by researcher Zack Didcott in June 2025, could allow an attacker with physical access to an IGEL device to bypass Secure Boot protections and load unauthorized software.
In practical terms, a hacker could use this weakness to install a kernel-level rootkit on an IGEL OS device, gaining complete control over the system and any virtual desktop sessions it hosts. For instance, they might tamper with virtual desktop environments or even capture user credentials. The catch is that exploiting this Secure Boot bug isn’t something that can be done remotely – it requires hands-on access to the machine. This means the threat is largely from “evil maid” scenarios (where an attacker gains access to a device left unattended, such as in a hotel or airport). While the average office worker wouldn’t be directly targeted this way, organizations with traveling employees or publicly exposed devices should take note. This vulnerability’s inclusion in active patching lists shows that determined adversaries have used it, so it’s not just theoretical. (All three exploited vulnerabilities discussed above – the two Windows EoPs and this Secure Boot bypass – have been added to CISA’s Known Exploited Vulnerabilities catalog, underscoring their severity.)
Other Critical Vulnerabilities Patched in October 2025
In addition to the zero-days above, Microsoft’s October 2025 updates addressed numerous other notable security issues. Some of the most critical patches include:
- Windows Server Update Services (WSUS) Remote Code Execution – CVE-2025-59287 (CVSS 9.8): A critical vulnerability in WSUS (the system administrators use to distribute patches within organizations) could allow an attacker to execute code remotely on the WSUS server. Given that a compromised update server can potentially push malicious updates to many clients, this fix was especially important for enterprise security.
- Windows URL Parsing Memory Overflow – CVE-2025-59295 (CVSS 8.8): This patch fixes an issue in Windows’ URL handling code that could be triggered by a specially crafted malicious URL. An attacker can exploit it to overflow memory and overwrite critical data structures, ultimately executing arbitrary code on the target system. In plain terms, just processing a booby-trapped link or file path could allow hackers to run malware on your PC. Researchers at Immersive Labs noted that an overflow in URL parsing can redirect program execution to attacker-controlled code, effectively giving them control of the machine.
- Microsoft Graphics Component Privilege Escalation – CVE-2025-49708 (CVSS 9.9): This is one of the two highest-severity bugs of the month. It’s an EoP flaw in the Microsoft Graphics Component that was highlighted for its potential to break virtualization barriers. According to experts, exploiting this vulnerability could lead to a full virtual machine (VM) escape: an attacker who compromises a single virtual machine could leap out and execute code on the underlying host server with SYSTEM privileges. This is a nightmare scenario for cloud providers or anyone running multiple VMs on one host, as it undermines the isolation between different customers or services. Organizations using virtualization should prioritize this patch to uphold the “walls” between VMs.
- ASP.NET Core Security Feature Bypass – CVE-2025-55315 (CVSS 9.9): Tied with the above for severity, this flaw affects Microsoft’s web application framework. While it requires the attacker to have already authenticated to a web application, it enables them to smuggle malicious HTTP requests such that they bypass security checks. In effect, an attacker could hide a second, unauthorized command inside a legitimate request, fooling the system and carrying out actions they shouldn’t be allowed to do. Web administrators should apply this update promptly, as it closes a hole that could lead to data breaches or unauthorized operations on web servers.
Conclusion
It’s clear that Microsoft’s patches was extensive, spanning everything from desktop Windows components to server and developer frameworks. The vast majority of the 183 vulnerabilities fixed were categorized as “Important” severity (165 of them) with 17 rated Critical. Over 80 of the flaws were elevation-of-privilege issues – consistent with a wider trend where attackers first gain minimal access and then seek to elevate rights – and around 33 were remote code execution bugs. This highlights the need for a defense-in-depth strategy: not only preventing break-ins, but also limiting what an attacker can do if they get a foot in the door.
