
Microsoft on Tuesday released fixes for as many as 183 security flaws across its products, after the tech giant officially ended support for the Windows 10 operating system for PCs not enrolled in the Extended Security Updates (ESU) program. The fixes include three vulnerabilities that are being exploited in the wild.
Of the 183 vulnerabilities, 8 are CVEs not published by Microsoft. There were 165 flaws rated as ‘important’, followed by 17 flaws rated ‘severe’ and one flaw rated ‘medium’. The majority are related to privilege elevation vulnerabilities (84), with the remainder being remote code execution (33), information disclosure (28), spoofing (14), denial of service (11), and security feature bypass (11).
This update is in addition to the 25 vulnerabilities that Microsoft has addressed in its Chromium-based Edge browser since the release of the September 2025 Patch Tuesday update.
The two Windows zero-days that are actively being exploited are:
CVE-2025-24990 (CVSS Score: 7.8) – Windows Agere Modem Driver (‘ltmdm64.sys’) Elevation of Privilege Vulnerability
CVE-2025-59230 (CVSS Score: 7.8) – Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability

Microsoft said both issues could allow an attacker to execute code with elevated privileges, but there is currently no indication of how they are being exploited or how widespread the exploitation might be. In the case of CVE-2025-24990, the company said it plans to remove the driver entirely rather than issue a patch for the legacy third-party component.
The security flaw has been described as “dangerous” by Alex Vovk, CEO and co-founder of Action1, because it is rooted in legacy code that is installed by default on all Windows systems, regardless of whether the associated hardware is present or in use.
“The vulnerable driver ships with every version of Windows up to Server 2025,” said Adam Barnett, principal software engineer at Rapid7. “Perhaps your fax modem uses a different chipset and therefore does not require the Agere driver. Maybe you simply discovered your email. Too bad. Your PC is still vulnerable and a local attacker with a least-privileged account could escalate to administrator status.”
CVE-2025-59230 is the first RasMan vulnerability to be exploited as a zero-day, according to Satnam Narang, senior staff research engineer at Tenable. Microsoft has patched more than 20 flaws in the component since January 2022.
The third vulnerability exploited in real-world attacks is a Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827, CVSS score: 4.6). Details of this flaw were first made public by security researcher Zack Didcott in June 2025.
“The impact of secure boot bypass can be significant, as a threat actor could deploy a kernel-level rootkit to gain access to the IGEL OS itself and, in turn, perform tampering with the virtual desktop, including capturing credentials,” said Kev Breen, senior director of threat research at Immersive.
“Please note that this is not a remote attack and physical access is typically required to exploit this type of vulnerability, meaning it is an ‘evil maid’ style attack that is most likely to impact employees who travel frequently.”
All three issues have since been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and federal agencies are required to patch them by November 4, 2025.
Other notable critical vulnerabilities include a remote code execution (RCE) bug in Windows Server Update Service (WSUS) (CVE-2025-59287, CVSS score: 9.8), an out-of-bounds read vulnerability in the CryptHmacSign helper function of the Trusted Computing Group (TCG) TPM2.0 reference implementation (CVE-2025-2884, CVSS score: 5.3), and a Windows RCE in URL parsing (CVE-2025-59295, CVSS score: 8.8).
“An attacker could exploit this by carefully constructing a malicious URL,” said Ben McCarthy, principal cybersecurity engineer at Immersive. “Overflowed data can be designed to overwrite critical program data, such as function pointers and object virtual function table (vtable) pointers.”

“When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the program’s execution flow to an attacker-controlled memory address. This allows the attacker to execute arbitrary code (shellcode) on the target system.”
The two vulnerabilities with the highest CVSS scores in this month’s update are a privilege escalation flaw in the Microsoft Graphics Component (CVE-2025-49708, CVSS score: 9.9) and a security feature bypass in ASP.NET (CVE-2025-55315, CVSS score: 9.9).
Although CVE-2025-55315 requires an attacker to first authenticate, it can be exploited to covertly bypass security controls and perform malicious actions by embedding a second, malicious HTTP request within the body of the first authenticated request.
“Organizations must prioritize patching this vulnerability because it defeats the core security promise of virtualization,” McCarthy said of CVE-2025-49708, characterizing it as a high-impact flaw that could lead to a complete virtual machine (VM) escape.
“A successful exploit would mean that an attacker could compromise even a single non-critical guest VM with low privilege access and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker could access, manipulate, or destroy data on all other VMs running on the same host, such as mission-critical domain controllers, databases, and production applications.”
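The KEV listing and the CVSS scores reported above, combined into a patch-order triage. This is an added example, not part of the original article: the JSON excerpt is constructed in the field layout of CISA's KEV feed (`cveID`, `dueDate`) using only the CVE IDs, scores and due date stated above, and the evaluation date and function names are assumptions.

```python
import json
from datetime import date

# Constructed excerpt in the KEV JSON field layout; values are from the article.
KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-24990", "dueDate": "2025-11-04"},
    {"cveID": "CVE-2025-59230", "dueDate": "2025-11-04"},
    {"cveID": "CVE-2025-47827", "dueDate": "2025-11-04"},
]})

# CVSS scores as reported in the article.
CVSS = {
    "CVE-2025-24990": 7.8, "CVE-2025-59230": 7.8, "CVE-2025-47827": 4.6,
    "CVE-2025-59287": 9.8, "CVE-2025-2884": 5.3, "CVE-2025-59295": 8.8,
    "CVE-2025-49708": 9.9, "CVE-2025-55315": 9.9,
}

def load_kev_due_dates(kev_json):
    """Map cveID -> due date from KEV-format JSON, skipping malformed rows."""
    due = {}
    for row in json.loads(kev_json).get("vulnerabilities", []):
        try:
            due[row["cveID"].upper()] = date.fromisoformat(row["dueDate"])
        except (KeyError, ValueError, AttributeError, TypeError):
            continue  # a bad row must not hide the valid ones
    return due

def triage(cvss, kev_due, today):
    """KEV-listed CVEs first (nearest deadline, then score), then the rest by score."""
    rows = []
    for cve, score in cvss.items():
        due = kev_due.get(cve.upper())
        rows.append({"cve": cve, "cvss": score, "kev": due is not None,
                     "days_left": (due - today).days if due else None})
    rows.sort(key=lambda r: (not r["kev"],
                             r["days_left"] if r["kev"] else 0,
                             -r["cvss"], r["cve"]))
    return rows

if __name__ == "__main__":
    # Assumed evaluation date, constructed for the example.
    for r in triage(CVSS, load_kev_due_dates(KEV_EXCERPT), date(2025, 10, 15)):
        tag = f"KEV, {r['days_left']} days left" if r["kev"] else "not in KEV"
        print(f"{r['cve']:<16} CVSS {r['cvss']:<4} {tag}")
```

Sorting on CVSS alone would put the IGEL OS Secure Boot bypass (4.6) last; joining against KEV moves it ahead of both 9.9-rated flaws because it is already being exploited and carries a deadline.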