The October 2025 Security Update Review

October 14, 2025 | Dustin Childs

I’m currently in Cork, Ireland as we prepare for Pwn2Own Ireland, but that doesn’t stop Patch Tuesday from coming. Take a break from your scheduled activities and let’s take a look at the latest security offerings from Adobe and Microsoft. If you’d rather watch the full video recap covering the entire release, you can check it out here:

Adobe Patches for October 2025

For October, Adobe released 12 bulletins addressing 36 unique CVEs in Adobe Connect, Commerce, Creative Cloud Desktop, Bridge, Animate, Experience Manager Screens, Substance 3D Viewer, Substance 3D Modeler, FrameMaker, Illustrator, Dimension, and Substance 3D Stager. Likely the most important of these is the update for Substance 3D Stager, which addresses five Critical-rated code execution bugs. The fix for Dimension corrects four code execution bugs. The patch for Illustrator contains only two bugs, but both lead to code execution. The update for Commerce should also be given priority as it fixes five different CVEs, including two security feature bypasses. The patch for FrameMaker fixes two Critical-rated code execution bugs.

The update for Connect has three bugs, but two are simply cross-site scripting (XSS) issues. The fix for Animate has four bugs, but only two are Critical. Three out of the four bugs in Substance 3D Viewer are rated Critical. The patch for Experience Manager Screens takes out three XSS bugs. The Substance 3D Modeler patch fixes a single code execution bug. There’s also just a single bug addressed by the Creative Cloud patch. And finally, the update for Bridge corrects one code execution and one memory leak.

None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release. All of the updates released by Adobe this month are listed as deployment priority 3.

Microsoft Patches for October 2025

This month, Microsoft released a monstrous 177 new CVEs in Windows and Windows Components, Office and Office Components, Microsoft Edge (Chromium-based), Azure, Hyper-V, .NET and Visual Studio, GitHub, Exchange Server, BitLocker, and Xbox. Of the patches released today, 16 are rated Critical, one is rated Moderate, and the rest are rated Important in severity. One of these CVEs came through the Trend ZDI program. Counting the third-party updates listed in the release, it brings the total number of CVEs to a staggering 195.

This release represents the largest monthly release of all time for Microsoft and puts them one above the number of CVEs they released last year. With two months left in 2025, this will at least be the second busiest year of security patches from Microsoft with an outside shot of passing 2020 (1,250 total CVEs). This month’s huge volume could be related to the end of Windows 10 support. Microsoft could be pushing as much as possible for those still running the OS. Otherwise, it seems that large releases are the new normal for Microsoft. Let’s hope these are quality updates that do not cause harm or regressions in other software. The last thing we need is (more) people afraid of applying security patches.

Microsoft lists three bugs under active attack at the time of release and three others as publicly known. Let’s take a closer look at some of the more interesting updates for this month, starting with the bugs under active attack:

-    CVE-2025-24990 - Windows Agere Modem Driver Elevation of Privilege Vulnerability
This bug allows attackers to elevate to administrative privileges on systems where the Agere modem drivers are installed. The problem is that these drivers ship natively on supported Windows versions. Since these are legacy drivers, the solution is to remove the offending files. Microsoft gives no indication of how widespread these attacks are, but considering the vulnerable files are on all Windows systems, you should treat this as a broad attack and update quickly.

-    CVE-2025-59230 - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
This privilege escalation bug allows threat actors to execute their code as SYSTEM on an affected target. These types of bugs are often paired with a code execution bug to completely take over a system. Again, there’s no indication on how widespread these attacks may be, so test and deploy these patches rapidly – especially since all versions of Windows are impacted.

-    CVE-2025-47827 - MITRE CVE-2025-47827: Secure Boot bypass in IGEL OS before 11
This one is a bit of an odd duck, but I’m fascinated by it. IGEL is a Linux-based OS designed to be app centric and modular. According to the vendor, apps can be delivered irrespective of the underlying OS. If anything, that makes this even more intriguing. Somehow, an attacker was able to get physical access to a device in this configuration and bypass the secure boot feature to gain access. Marvelous. I would suspect this to be an extremely targeted attack, but this impacts all supported versions of Windows, so don’t sleep on the patch.

-    CVE-2025-59287 - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
This bug is not listed as being under active attack, but I suspect it will be targeted soon. This is a CVSS 9.8 bug that allows remote, unauthenticated attackers to execute code with elevated privileges without user interaction. That means this is wormable between affected WSUS servers. Since WSUS remains a critical piece of anyone’s infrastructure, it’s an attractive target for those looking to do harm. If you use WSUS, don’t hesitate to test and deploy this update quickly.

Here’s the full list of CVEs released by Microsoft for October 2025:

CVE Title Severity CVSS Public Exploited Type
CVE-2025-47827 * MITRE CVE-2025-47827: Secure Boot bypass in IGEL OS before 11 Important 4.6 No Yes SFB
CVE-2025-24990 Windows Agere Modem Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2025-59230 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2025-0033 * AMD CVE-2025-0033: RMP Corruption During SNP Initialization Critical 8.2 Yes No RCE
CVE-2025-2884 * Cert CC: CVE-2025-2884 Out-of-Bounds read vulnerability in TCG TPM2.0 reference implementation Important 5.3 Yes No Info
CVE-2025-24052 Windows Agere Modem Driver Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2025-59292 Azure Compute Gallery Elevation of Privilege Vulnerability Critical 8.2 No No EoP
CVE-2025-59218 Azure Entra ID Elevation of Privilege Vulnerability Critical 9.6 No No EoP
CVE-2025-59246 Azure Entra ID Elevation of Privilege Vulnerability Critical 9.8 No No EoP
CVE-2025-55321 Azure Monitor Log Analytics Spoofing Vulnerability Critical 8.7 No No Spoofing
CVE-2025-59247 Azure PlayFab Elevation of Privilege Vulnerability Critical 8.8 No No EoP
CVE-2025-59291 Confidential Azure Container Instances Elevation of Privilege Vulnerability Critical 8.2 No No EoP
CVE-2025-59272 Copilot Spoofing Vulnerability Critical 6.5 No No Spoofing
CVE-2025-59286 Copilot Spoofing Vulnerability Critical 6.5 No No Spoofing
CVE-2025-59252 M365 Copilot Spoofing Vulnerability Critical 6.5 No No Spoofing
CVE-2025-59236 Microsoft Excel Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2025-59227 Microsoft Office Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2025-59234 Microsoft Office Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2016-9535 * MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability Critical 4 No No RCE
CVE-2025-59271 Redis Enterprise Elevation of Privilege Vulnerability Critical 8.7 No No EoP
CVE-2025-49708 Windows Graphics Component Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2025-59287 Windows Server Update Service (WSUS) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2025-55247 .NET Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2025-55248 .NET, .NET Framework, and Visual Studio Information Disclosure Vulnerability Important 4.8 No No Info
CVE-2025-58724 Arc Enabled Servers - Azure Connected Machine Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55315 † ASP.NET Security Feature Bypass Vulnerability Important 9.9 No No SFB
CVE-2025-47989 † Azure Connected Machine Agent Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55697 Azure Local Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59285 Azure Monitor Agent Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59494 Azure Monitor Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55320 Configuration Manager Elevation of Privilege Vulnerability Important 7.2 No No EoP
CVE-2025-59213 Configuration Manager Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2025-59200 Data Sharing Service Spoofing Vulnerability Important 7.7 No No Spoofing
CVE-2025-55681 Desktop Windows Manager Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55698 DirectX Graphics Kernel Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2025-55678 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-54132 * GitHub CVE-2025-54132: Arbitrary Image Fetch in Mermaid Diagram Tool Important 4.4 No No Info
CVE-2025-58730 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58731 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58732 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58733 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58734 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58735 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58736 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-58738 Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-59282 Internet Information Services (IIS) Inbox COM Objects (Global Memory) Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-59250 JDBC Driver for SQL Server Spoofing Vulnerability Important 8.1 No No Spoofing
CVE-2025-48004 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-59189 Microsoft Brokering File System Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-59497 Microsoft Defender for Linux Denial of Service Vulnerability Important 7 No No DoS
CVE-2025-58722 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59254 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59217 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 7.6 No No XSS
CVE-2025-59232 Microsoft Excel Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2025-59235 Microsoft Excel Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2025-59223 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59224 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59225 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59231 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59233 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59243 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-53782 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2025-59249 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2025-59248 Microsoft Exchange Server Spoofing Vulnerability Important 7.5 No No Spoofing
CVE-2025-47979 † Microsoft Failover Cluster Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59188 Microsoft Failover Cluster Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59260 Microsoft Failover Cluster Virtual Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59195 Microsoft Graphics Component Denial of Service Vulnerability Important 7 No No DoS
CVE-2025-59229 Microsoft Office Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2025-59226 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59238 Microsoft PowerPoint Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-59228 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2025-59237 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2025-58739 Microsoft Windows File Explorer Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2025-59214 Microsoft Windows File Explorer Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2025-59221 Microsoft Word Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-59222 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2025-54957 * MITRE CVE-2025-54957: Integer overflow in Dolby Digital Plus audio decoder Important 7 No No RCE
CVE-2025-59489 * MITRE: CVE-2025-59489 Unity Gaming Engine Editor vulnerability Important 8.4 No No EoP
CVE-2025-59201 Network Connection Status Indicator (NCSI) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59185 NTLM Hash Disclosure Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2025-59244 NTLM Hash Disclosure Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2025-55696 NtQueryInformation Token function (ntifs.h) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-25004 PowerShell Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2025-58718 Remote Desktop Client Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2025-58737 Remote Desktop Protocol Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2025-59502 Remote Procedure Call Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2025-59199 Software Protection Platform (SPP) Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2025-59184 Storage Spaces Direct Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59192 Storport.sys Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55240 Visual Studio Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2025-59258 Windows Active Directory Federation Services (ADFS) Information Disclosure Vulnerability Important 6.2 No No Info
CVE-2025-58714 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59242 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55701 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59275 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59277 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59278 Windows Authentication Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55330 Windows BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2025-55332 Windows BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2025-55333 Windows BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2025-55337 Windows BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2025-55338 Windows BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2025-55682 Windows BitLocker Security Feature Bypass Vulnerability Important 6.1 No No SFB
CVE-2025-58728 Windows Bluetooth Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59289 Windows Bluetooth Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59290 Windows Bluetooth Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55680 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2025-55336 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-58725 Windows COM+ Event System Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-48813 Windows Confidential Virtual Machines Spoofing Vulnerability Important 6.3 No No Spoofing
CVE-2025-55326 Windows Connected Devices Platform Service (Cdpsvc) Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2025-58719 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability Important 4.7 No No EoP
CVE-2025-58727 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59191 Windows Connected Devices Platform Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-58720 Windows Cryptographic Services Information Disclosure Vulnerability Important 7.8 No No Info
CVE-2025-50174 Windows Device Association Broker Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55677 Windows Device Association Broker Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-50175 Windows Digital Media Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-53150 Windows Digital Media Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59255 Windows DWM Core Library Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55692 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55694 Windows Error Reporting Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59197 Windows ETL Channel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59205 Windows Graphics Component Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59261 Windows Graphics Component Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59241 Windows Health and Optimized Experiences Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-53139 Windows Hello Security Feature Bypass Vulnerability Important 7.7 No No SFB
CVE-2025-55328 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-50152 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55693 Windows Kernel Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-59187 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59194 Windows Kernel Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59207 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55679 Windows Kernel Information Disclosure Vulnerability Important 5.1 No No Info
CVE-2025-55683 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-55699 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59186 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-55334 Windows Kernel Security Feature Bypass Vulnerability Important 6.2 No No SFB
CVE-2025-58729 Windows Local Session Manager (LSM) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2025-59257 Windows Local Session Manager (LSM) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2025-59259 Windows Local Session Manager (LSM) Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2025-59193 Windows Management Services Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59204 Windows Management Services Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59208 Windows MapUrlToZone Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2025-55339 Windows Network Driver Interface Specification Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-55335 Windows NTFS Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-59284 Windows NTLM Spoofing Vulnerability Important 3.3 No No Spoofing
CVE-2025-55331 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55684 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55685 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55686 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55688 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55689 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55690 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55691 Windows PrintWorkflowUserSvc Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59209 Windows Push Notification Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59211 Windows Push Notification Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-55340 Windows Remote Desktop Protocol Security Feature Bypass Important 7 No No SFB
CVE-2025-59202 Windows Remote Desktop Services Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59206 Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-59210 Windows Resilient File System (ReFS) Deduplication Service Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-55687 Windows Resilient File System (ReFS) Elevation of Privilege Vulnerability Important 7.4 No No EoP
CVE-2025-55700 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2025-58717 Windows Routing and Remote Access Service (RRAS) Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2025-59190 Windows Search Service Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2025-59198 Windows Search Service Denial of Service Vulnerability Important 5 No No DoS
CVE-2025-59253 Windows Search Service Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2025-59196 Windows Simple Search and Discovery Protocol (SSDP) Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-59280 Windows SMB Client Tampering Vulnerability Important 3.1 No No Tampering
CVE-2025-58726 Windows SMB Server Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2025-58715 Windows Speech Runtime Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2025-58716 Windows Speech Runtime Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2025-59203 Windows State Repository API Server File Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-55325 Windows Storage Management Provider Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59294 Windows Taskbar Live Preview Information Disclosure Vulnerability Important 2.1 No No Info
CVE-2025-59295 Windows URL Parsing Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2025-55676 Windows USB Video Class System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-53717 † Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2025-55695 Windows WLAN AutoConfig Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2025-59281 Xbox Gaming Services Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-53768 Xbox IStorageService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2025-59288 Playwright Spoofing Vulnerability Moderate 5.3 No No Spoofing
CVE-2025-11205 * Chromium: CVE-2025-11205 Heap buffer overflow in WebGPU High N/A No No N/A
CVE-2025-11206 * Chromium: CVE-2025-11206 Heap buffer overflow in Video High N/A No No N/A
CVE-2025-11458 * Chromium: CVE-2025-11458 Heap buffer overflow in Sync High N/A No No N/A
CVE-2025-11460 * Chromium: CVE-2025-11460 Use after free in Storage High N/A No No N/A
CVE-2025-11207 * Chromium: CVE-2025-11207 Side-channel information leakage in Storage Medium N/A No No N/A
CVE-2025-11208 * Chromium: CVE-2025-11208 Inappropriate implementation in Media Medium N/A No No N/A
CVE-2025-11209 * Chromium: CVE-2025-11209 Inappropriate implementation in Omnibox Medium N/A No No N/A
CVE-2025-11210 * Chromium: CVE-2025-11210 Side-channel information leakage in Tab Medium N/A No No N/A
CVE-2025-11211 * Chromium: CVE-2025-11211 Out of bounds read in Media Medium N/A No No N/A
CVE-2025-11212 * Chromium: CVE-2025-11212 Inappropriate implementation in Media Medium N/A No No N/A
CVE-2025-11213 * Chromium: CVE-2025-11213 Inappropriate implementation in Omnibox Medium N/A No No N/A
CVE-2025-11215 * Chromium: CVE-2025-11215 Off by one error in V8 Medium N/A No No N/A
CVE-2025-11216 * Chromium: CVE-2025-11216 Inappropriate implementation in Storage Low N/A No No N/A
CVE-2025-11219 * Chromium: CVE-2025-11219 Use after free in V8 Low N/A No No N/A

* Indicates this CVE had been released by a third party and is now being included in Microsoft releases.

† Indicates further administrative actions are required to fully address the vulnerability.
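To work with the list above programmatically, the following added example (not part of the original post and not Microsoft's or ZDI's tooling) parses rows in the flattened layout used here and orders them for patch triage. The sample rows are copied from the table; the sort order (exploited, then public, then severity, then CVSS) and the folding of Chromium's High/Medium ratings into Microsoft's scale are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the table above, in the page's flattened layout:
# CVE [marker] Title Severity CVSS Public Exploited Type
SAMPLE_ROWS = """\
CVE Title Severity CVSS Public Exploited Type
CVE-2025-47827 * MITRE CVE-2025-47827: Secure Boot bypass in IGEL OS before 11 Important 4.6 No Yes SFB
CVE-2025-24990 Windows Agere Modem Driver Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2025-0033 * AMD CVE-2025-0033: RMP Corruption During SNP Initialization Critical 8.2 Yes No RCE
CVE-2025-59287 Windows Server Update Service (WSUS) Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2025-55315 † ASP.NET Security Feature Bypass Vulnerability Important 9.9 No No SFB
CVE-2016-9535 * MITRE CVE-2016-9535: LibTIFF Heap Buffer Overflow Vulnerability Critical 4 No No RCE
CVE-2025-59294 Windows Taskbar Live Preview Information Disclosure Vulnerability Important 2.1 No No Info
CVE-2025-11205 * Chromium: CVE-2025-11205 Heap buffer overflow in WebGPU High N/A No No N/A
"""

# Titles contain spaces, digits and even CVE ids, so the row is matched from
# the right: the last five fields have a fixed shape, the title is what is left.
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+"
    r"(?:(?P<marker>[*†])\s+)?"
    r"(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|High|Medium|Low)\s+"
    r"(?P<cvss>N/A|\d+(?:\.\d+)?)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+(?P<type>\S+)$"
)

# Assumption: Chromium's High/Medium are ranked beside Important/Moderate.
SEVERITY_RANK = {"Critical": 0, "Important": 1, "High": 1,
                 "Moderate": 2, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Advisory:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]   # None when the table says N/A
    public: bool
    exploited: bool
    vuln_type: str
    third_party: bool       # "*" marker in the table
    admin_action: bool      # "†" marker: extra steps beyond the patch


def parse_row(line: str) -> Advisory:
    """Parse one flattened table row; raise ValueError rather than guess."""
    m = ROW_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable row: {line!r}")
    cvss = None if m["cvss"] == "N/A" else float(m["cvss"])
    return Advisory(
        cve=m["cve"], title=m["title"], severity=m["severity"], cvss=cvss,
        public=m["public"] == "Yes", exploited=m["exploited"] == "Yes",
        vuln_type=m["type"], third_party=m["marker"] == "*",
        admin_action=m["marker"] == "†",
    )


def parse_table(text: str) -> List[Advisory]:
    """Parse all rows, skipping blank lines and the column header."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("CVE Title"):
            continue
        rows.append(parse_row(line))  # a bad row fails loudly, never silently
    return rows


def triage(advisories: List[Advisory]) -> List[Advisory]:
    """Order: exploited first, then public, then severity, then CVSS desc."""
    def key(a: Advisory):
        score = a.cvss if a.cvss is not None else 0.0
        return (not a.exploited, not a.public,
                SEVERITY_RANK[a.severity], -score)
    return sorted(advisories, key=key)


def needs_admin_action(advisories: List[Advisory]) -> List[Advisory]:
    """Entries where installing the update alone does not close the issue."""
    return [a for a in advisories if a.admin_action]


if __name__ == "__main__":
    parsed = parse_table(SAMPLE_ROWS)
    for a in triage(parsed):
        flags = ("EXPLOITED " if a.exploited else "") + ("PUBLIC " if a.public else "")
        print(f"{a.cve:<15} {a.severity:<9} {a.cvss!s:<5} {flags}{a.title}")
    for a in needs_admin_action(parsed):
        print(f"follow-up required beyond patching: {a.cve}")
```

A score-only sort would put the two actively exploited Important-rated bugs below several unexploited ones, which is why the exploited and public flags lead the sort key.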

 

Looking at the remaining Critical patches, there are multiple Office patches leading to code execution where the Preview Pane is an attack vector. These continue to haunt Microsoft month after month, so hopefully they can knock these out soon. There’s a bug in the Graphics component that rates a CVSS 9.9, but the description does little to detail why this rating is so high. There are several Azure bugs listed in this release, but they have already been resolved and require no further action. An Azure bug you will need to patch is in the Container Instances and would allow an attacker to execute code in the targeted guest environment. That’s the same for the final Critical-rated bug in the Azure Compute Gallery. There’s also a third-party AMD bug that should get some attention. According to Microsoft, “Updates to mitigate this vulnerability in Azure Confidential Computing's (ACC) AMD-based clusters are being developed but are not yet complete.” However, it is public, so watch for any news about exploitation.

Moving on to the other code execution bugs, there are only around 30 in this month’s release and most of these are simple open-and-own in various Office components. In these cases, the Preview Pane is not an attack vector. The bugs in SharePoint Server do require authentication, but the level of privileges needed is not high. There’s a bug in the RDP client, but it requires connecting to a malicious RDP server to exploit. Stepping into the wayback machine, we see several bugs in the Internet Information Services (IIS) that could lead to code execution if a user opened a maliciously crafted file. That’s the same exploit scenario for the bug in the Remote Desktop Protocol. Finally, Microsoft celebrates Halloween by resurrecting Internet Explorer one more time for a patch. Just when you thought IE was gone, it always returns – like Michael Myers chasing the Final Girl, it’s unstoppable.

This month’s batch of Elevation of Privilege (EoP) makes up over half of this release with over 80 patches. Fortunately, most of these bugs lead to SYSTEM-level code execution or administrative privileges if an authenticated user runs specially crafted code. Others could lead to elevating levels of code execution integrity – moving from Low to Medium integrity or Medium to Local System for code execution. I should point out that the updates for Bluetooth were silently patched in September and are now just being documented. This is a terrible practice for many reasons, but I won’t go down that rabbit hole right now. Notable exceptions to these are the bugs in Exchange Server. An attacker could use these bugs to take over the mailboxes of all Exchange users, read emails, or download attachments. The bug in the Azure Monitor Agent would allow a threat actor to read any file on the system with NT SYSTEM privileges from an ARC-enabled VM. Two of the kernel bugs allow any user to crash a system, which sounds like a DoS to me rather than an EoP. There are a couple of bugs that require extra work, too. For the vulnerability in Azure Connected Machine Agent, you need to upgrade to the latest version. For the Virtualization-Based Security (VBS) enclave, in addition to the patch, you need to apply the Guidance for blocking rollback of Virtualization-based Security (VBS) related security updates, which has been updated to account for the latest changes. Finally, the bug in the Xbox gaming service allows an attacker to delete a specific file, which could be turned into an EoP by those who know.

There are 10 security feature bypass (SFB) patches in this month’s release, with six of those being bypasses of Windows BitLocker. Obviously, these require physical access to a device, but considering one of the actively attacked bugs this month has the same constraint, I wouldn’t ignore these. The bug in Windows Hello could bypass facial or fingerprint recognition. The bypass in ASP.NET could smuggle an HTTP request to bypass front-end security controls or hijack other users’ credentials. For this patch, you’ll also need to take extra steps to ensure your ASP.NET Core application is protected. These steps are listed in the bulletin and vary based on implementation. The bug in RDP could allow an attacker to bypass RDP authentication. The last SFB for the month is in the kernel and allows attackers to decrypt driver settings that would otherwise be obfuscated.

The October release contains over a dozen information disclosure updates, and as expected, most of these bugs only result in info leaks consisting of unspecified memory contents or memory addresses. There are (of course) some notable exceptions. The bug in Cryptographic services could leak secrets or privileged information belonging to the user of the affected application. The vulnerability in ADFS could allow an attacker to obtain Single Sign-On (SSO) cookies in ADFS logs. The bug in the Failover Cluster component could expose any data that is put in the system logs on the Compute Instance including cleartext passwords. In addition to the patch, you should have all impacted users change their passwords. The bug in the Windows Push Notifications exposes memory addresses belonging to the “EventLog” Windows service. There’s a flaw in .NET, .NET Framework, and Visual Studio that could expose PII on affected systems. Finally, the bug in the Taskbar could expose “secrets or privileged information” – for whatever that’s worth.

This month contains 10 different spoofing bugs that require attention (and three that don’t). The bug in the JDBC Driver for SQL allows attackers to trick a target into connecting to a malicious server. There’s not much data about the Data Sharing bug, but authentication is required. The Exchange bug just states, “unauthorized attacker to perform spoofing over a network.” That’s the same description for the NTLM Hash Disclosure and File Explorer bugs. The bug in Confidential Virtual Machines restricts that statement to local users, and the Playwright bug restricts it to adjacent networks.

There are 10 patches for Denial-of-Service (DoS) bugs in this release. As usual, Microsoft provides no actionable information about these bugs. Instead, they simply state that an attacker could deny service over a network (or locally) to that component. The only patch of note is for Office, which states that the Preview Pane is an attack vector – although Microsoft also notes user interaction is required, so it’s not clear how the DoS is triggered.

There’s a Tampering bug in the SMB client, but it requires a machine-in-the-middle (MITM) to be exploited. The October release is rounded out with a cross-site scripting (XSS) bug in Dynamics 365 (on-prem).

No new advisories are being released this month.

Looking Ahead

The next Patch Tuesday of 2025 will be on November 11, and assuming I survive Pwn2Own Ireland, I’ll be back then with my analysis and thoughts about the release. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!