Microsoft’s October Patch Tuesday releases will fix 167 vulnerabilities, the highest number this year, including seven rated as critical that need immediate attention from CISOs.
Separately, SAP released 13 new security notes, as well as four updates to previously released security notes.
Among the critical Microsoft holes are:
WSUS RCE
CVE-2025-59287, which could allow remote code execution (RCE) in the Windows Server Update Service (WSUS). It was assigned a CVSSv3 score of 9.8 and rated critical, and has been assessed as ‘Exploitation More Likely’ according to Microsoft’s Exploitability Index. An attacker could exploit this vulnerability to gain RCE by sending a crafted event that leads to a deserialization of untrusted data.
This is just the third WSUS vulnerability patched as part of Microsoft Patch Tuesday since 2023, Tenable points out. But it’s the first RCE and the first to be assessed as more likely to be exploited.
“This vulnerability requires immediate CISO attention because it can compromise your entire patch management infrastructure,” said Mike Walters, president of Action1. “It is a critical deserialization flaw (CVSS 9.8) in WSUS that threatens the system responsible for distributing security patches across the organization.
Beyond performing urgent patching, teams should review patch management architecture and the network exposure of WSUS servers, he added. A compromised WSUS environment could allow attackers to deploy malicious “updates” to all managed endpoints, posing an existential threat to organizational security;
Microsoft Office RCE
CVE-2025-59227 and CVE-2025-59234, two critical remote code execution vulnerabilities in Microsoft Office.
An attacker could exploit these flaws through social engineering by sending a malicious Microsoft Office document file to an intended target, says Tenable. Successful exploitation would grant code execution privileges to the attacker.
These bugs take advantage of “Preview Pane,” meaning that the target doesn’t even need to open the file for exploitation to occur. To execute these flaws, an attacker would social engineer a target into previewing an email with a malicious Microsoft Office document attached.
Tenable also notes that despite being flagged as ‘Less Likely’ to be exploited, Microsoft says that the Preview Pane is an attack vector for both CVEs, which means exploitation does not require the target to open the file.
Agere modem driver flaws
Despite these vulnerabilities being rated critical, Satnam Narang, senior staff research engineer at Tenable, believes the two most notable vulnerabilities this month are in Agere Modem, a third-party modem driver that has been included in Windows operating systems for almost 20 years.
Why? Because one, CVE-2025-24990, is being exploited in the wild as a zero-day, and the other, CVE-2025-24052, was publicly disclosed prior to the release of the fix today. “Even if the modem is not in use, it remains vulnerable to exploitation, which could give an attacker administrator privileges,” says Narang.
“The fix for this flaw is telling,” he adds: Microsoft is removing the driver, ltmdm64.sys, from Windows operating systems through the October cumulative update. Network admins still using Agere modem hardware will find these devices are doorstops after applying the updates.
The active exploitation of CVE-2025-24990 in the Agere Modem driver shows the security risks of maintaining legacy components within modern operating systems,” commented Ben McCarthy, lead cyber security engineer at Immersive Labs. Threat actors are using this vulnerability as a second stage for their operations, he pointed out.
The attack chain typically begins with the actor gaining an initial foothold on a target system through common methods like a phishing campaign, credential theft, or by exploiting another vulnerability in a public-facing application. This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years. Kernel-mode drivers like this operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access, McCarthy said.
Holes in Windows RasMan, AMD Secure Processor
The other hole that Tenable’s Narang draws attention to is CVE-2025-59230, a zero-day elevation of privilege vulnerability in Windows Remote Access Connection Manager (also known as RasMan), a service used to manage remote network connections through virtual private networks (VPNs) and dial-up networks, which was also exploited in the wild.
“While RasMan is a frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022, this is the first time we’ve seen it exploited in the wild as a zero day,” says Narang.
Walters of Action1 also drew attention to CVE-2025-0033, a vulnerability in the Secure Processor module of certain AMD CPUs. A malicious hypervisor could corrupt the reverse map table (RMP) during Secure Nested Paging (SNP) initialization, AMD said, potentially resulting in loss of SEV-SNP guest memory integrity. AMD has released mitigations.
“This vulnerability affects the security boundaries of AMD-based confidential computing infrastructure,” Walters said in an email to CSO. “While it is primarily a cloud provider concern, CISOs managing sensitive workloads in these environments should co-ordinate with their providers on remediation timelines. It could potentially undermine confidential computing guarantees for regulated or highly sensitive workloads.”
CISOs may want to ask their teams if they are using Azure’s Confidential Computing (ACC) AMD-based clusters, added Tyler Reguly, associate director of research and development at Fortra. Fixes for this hole are currently in development, so there is no resolution process available right now, he said. Instead, customers need to monitor their Azure Service Health Alerts to watch for notifications letting them know that they need to remove their ACC resources.
“If your teams are using ACC, you’ll want to check in regularly to ensure that they are paying attention for that reboot notification, so that you will ultimately know when this publicly disclosed vulnerability is resolved,” Reguly said.
Critical Windows Graphics flaw
There’s also a critical escalation of privilege vulnerability in Microsoft Graphics component that Immersive’s McCarthy says need priority patching. This hole, CVE-2025-49708, is a full virtual machine escape, he said and has a CVSS score of 9.9. “A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker can then access, manipulate, or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases, or production applications.”
No more Win10 updates
Admins are also reminded that today, October 14, is the last day security updates will be released for PCs running Windows 10. No new security updates will be distributed to users unless they are enrolled in the Extended Security Updates (ESU) program. Long-Term Servicing Branch (LTSB) support for Windows 10 Enterprise 2015 LTSB and Windows 10 IoT Enterprise LTSB 2015 also ended today.
Vulnerability in IGEL OS
Kevin Breen, senior director of threat research at Immersive, drew attention to CVE-2025-47827, a secure boot bypass vulnerability in IGEL OS, a Linux-based operating system that provides virtual desktop infrastructure. This hole in versions prior to 11.0 is being actively exploited in the wild, notes Breen, so admins should prioritize this patch.
A proof of concept has been publicly available since this vulnerability was disclosed in May, he said, so it would be trivial for threat actors to weaponize it.
“The impacts of a Secure Boot bypass can be significant,” he said, “as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the Virtual Desktops, including capturing credentials. It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that ‘evil-maid’ style attacks are the most likely vectors, affecting employees who travel frequently.”
SAP patches
Following on the heels of several fixes for critical insecure deserialization vulnerabilities in Netweaver AS Java in the last few months, SAP today pushed out an additional layer of protection. It’s detailed in Security Note #3660659 and carries a CVSS score of 10.0. It’s also described in an update to September’s CVE-2025-42944.
According to security provider Onapsis, the additional layer of protection is based on implementing a Java Virtual Machine-wide filter that prevents dedicated classes from being deserialized. The list of recommended classes and packages to block is divided into mandatory and optional sections.
“The deserialization issue, if not addressed, can be exploited (and has been successfully), to shut down a company and its ability to operate,” warned Paul Laudanski, director of security research at Onapsis.
If admins can’t patch this immediately, researchers at Pathlock advise network‑level isolation of the P4/P4S Java communications protocol as an interim measure.
Onapsis also notes that SAP Security Note #3647332, tagged with a CVSS score of 9.0, patches an unrestricted file upload vulnerability in SAP Supplier Relationship Management (SRM). Due to missing verification of file type or content, the application allows an authenticated attacker to upload arbitrary files. These files could include executables hosting malware which, when downloaded and executed by the user, could lead to high impact on confidentiality, integrity, and availability of the application.
Another critical issue, rated 9.8, is a directory traversal vulnerability in the SAP print service, SAPSprint. This hole, CVE-2025-42937, is an insufficient path validation which allows unauthenticated, remote directory traversal and potential overwriting of system files. There is no workaround, say researchers at Pathlock, so these updates must be deployed.
Of all of the SAP patches issued today, security teams should prioritize internet‑facing services and kernel‑level updates, advises Jonathan Stress at Pathlock, then work through application‑layer items with targeted mitigations and regression testing.
No Responses