Stay ahead of critical vulnerabilities with our breakdown of this month's Microsoft security patches.
Microsoft's October 2025 Patch Tuesday addresses a staggering 175 security vulnerabilities, including 6 zero-day vulnerabilities with 2 being actively exploited in the wild. This monthly security update includes 9 critical-severity flaws and 123 important-severity vulnerabilities that demand immediate attention from IT administrators and security teams.
Organizations must prioritize patching efforts to protect against actively exploited vulnerabilities targeting Windows drivers, remote access services, and critical infrastructure components like Windows Server Update Services (WSUS).
| Metric | Count |
|---|---|
| Total CVEs Patched | 175 |
| Zero-Day Vulnerabilities | 6 |
| Actively Exploited Zero-Days | 2 |
| Critical Severity | 9 |
| Important Severity | 123 |
| Moderate Severity | 43 |
Severity: High (CVSS 7.8)
Status: Actively Exploited in the Wild
Attack Vector: Local
The Windows Agere Modem Driver contains an elevation of privilege vulnerability that attackers are actively exploiting as a second-stage payload following initial system compromise. Once exploited, threat actors can escalate privileges to gain deeper access to compromised systems.
Why This Matters: This vulnerability is being leveraged in active attack campaigns, making it a top priority for patching across all Windows environments.
Mitigation: Apply October 2025 security updates immediately to all Windows systems.
Severity: High (CVSS 7.8)
Status: Actively Exploited in the Wild
Attack Vector: Local
This vulnerability in the Windows Remote Access Connection Manager allows local attackers to exploit improper access controls to gain SYSTEM-level privileges. Attackers with initial access can leverage this flaw to achieve complete control over affected systems.
Why This Matters: Remote access services are critical infrastructure components, and privilege escalation vulnerabilities pose significant risks to enterprise environments.
Mitigation: Prioritize patching for systems with Remote Access Services enabled, particularly in VPN and remote work infrastructures.
Severity: High (CVSS 7.8)
Status: Publicly Known (Not Yet Exploited)
Attack Vector: Local
A second Agere Modem Driver vulnerability allows attackers to gain administrative privileges on affected systems. While not yet exploited in the wild, public disclosure increases exploitation risk.
Severity: Varies
Status: Publicly Known
Attack Vector: Local
This vulnerability in the Trusted Platform Module (TPM) 2.0 specification affects the CryptHmacSign function, potentially allowing attackers to read sensitive memory contents or extract cryptographic secrets.
Impact: Organizations relying on TPM for BitLocker encryption, secure boot, or credential protection should prioritize this update.
Mitigation: Update TPM firmware and apply Windows security patches to affected systems.
Severity: Critical (CVSS 9.8)
Attack Vector: Network (Remote, Unauthenticated)
User Interaction: None Required
The Threat: This critical vulnerability allows remote, unauthenticated attackers to execute arbitrary code with elevated privileges on vulnerable WSUS servers. The vulnerability is wormable, meaning it can spread automatically between affected WSUS servers without user interaction.
Why This Is Critical:
Who's Affected: Organizations using Windows Server Update Services for patch management.
Mitigation Priority: IMMEDIATE - Update all WSUS servers as soon as possible.
Severity: High
Attack Vector: User must open malicious file
Microsoft patched critical use-after-free vulnerabilities in Office and Excel that enable remote code execution when users open specially crafted documents.
CVE-2025-59234: Microsoft Office use-after-free RCE
CVE-2025-59236: Microsoft Excel use-after-free RCE
Attack Scenario: Attackers can craft malicious Office or Excel files and distribute them via email phishing campaigns. When opened, these files execute arbitrary code on the victim's system.
Mitigation:
Severity: High (CVSS 8.8)
Attack Vector: Network
Two remote code execution vulnerabilities affect SharePoint Server, allowing authenticated attackers to execute arbitrary code on vulnerable SharePoint installations.
Who's Affected: Organizations running SharePoint Server for collaboration and document management.
Mitigation: Update SharePoint Server deployments immediately.
Severity: Critical (CVSS 9.6)
Platform: Azure Cloud
A critical authentication bypass vulnerability in Azure Entra ID (formerly Azure Active Directory) could allow attackers to circumvent authentication mechanisms.
Impact: Unauthorized access to cloud resources and identity management systems.
Mitigation: Azure customers should verify automatic updates have been applied to their Entra ID tenants.
Azure Customers: Review the Azure Security Updates page for service-specific guidance and ensure cloud resources are properly configured.
Severity: Varies
Year Discovered: 2016
Microsoft patched a legacy LibTIFF heap buffer overflow vulnerability that has existed since 2016. This vulnerability affects TIFF image processing libraries.
Why Patching Old Vulnerabilities Matters: Legacy vulnerabilities can still be exploited in modern systems, especially in components that haven't been updated or are rarely reviewed.
Important: Windows 10 reached its end-of-life in October 2025. Organizations still running Windows 10 should:
Security Risk: Running unsupported operating systems dramatically increases vulnerability to cyberattacks.
The October 2025 Patch Tuesday represents a significant security update with multiple critical vulnerabilities requiring immediate attention. The combination of actively exploited zero-days, critical remote code execution flaws, and wormable WSUS vulnerability makes this month's patching cycle particularly urgent.
Organizations must prioritize patching efforts, focusing first on actively exploited vulnerabilities and critical infrastructure components like WSUS servers. With 175 total vulnerabilities addressed, comprehensive patch management and testing are essential to maintaining security posture while ensuring business continuity.
Key Takeaway: Don't delay patching. The presence of actively exploited zero-days means attackers are already leveraging these vulnerabilities in the wild. Every day without patches increases your organization's risk exposure.
Last Updated: October 15, 2025
Next Patch Tuesday: November 12, 2025
October 14, 2025 is the last day Windows 10 receives free monthly security updates. The final cumulative security update will be released for all supported versions, including 22H2. After this date, Windows 10 devices will no longer receive:
What This Means for Users
Recommended Actions
| Vendor/Product | Vulnerability Details | CVE(s) | Severity/CVSS | Status/Notes |
|---|---|---|---|---|
| Google Chrome | Actively exploited zero-day in V8 JavaScript engine; heap buffer overflow in ANGLE | CVE-2025-1058, CVE-2025-10502 | - | Patched |
| Figma | Command injection in figma-developer-mcp server | CVE-2025-53967 | CVSS 7.5 | Patched in version 0.6.3 |
| Unity | High-severity vulnerability affecting Android, Windows, macOS, Linux | CVE-2025-59489 | CVSS 8.4 | No exploitation observed |
| Cisco IOS/IOS XE | Stack-based buffer overflow in SNMP subsystem (zero-day) | CVE-2025-20352 | - | Actively exploited; no workarounds |
| Cisco ASA/FTD | Two actively exploited RCE vulnerabilities | CVE-2025-20333, CVE-2025-20362 | - | 48,000+ instances exposed; large-scale attacks ongoing |
| Oracle E-Business Suite | Zero-day used in Clop ransomware data theft campaign; affects versions 12.2.3–12.2.14 | CVE-2025-61882 | - | Actively exploited |
| OpenSSL | Potential private key recovery and buffer overflows | CVE-2025-9230, CVE-2025-9231, CVE-2025-9232 | Medium | Patched in 3.5.4, 3.4.3, 3.3.5, 3.2.6, 3.0.18, 1.0.2zm, 1.1.1zd |
| Apple iOS/macOS | 50+ vulnerabilities fixed; ImageIO zero-day targeting WhatsApp users | CVE-2025-43300 | - | Patches released across all major platforms |