Microsoft has released its October 2025 Patch Tuesday update, addressing 172 security vulnerabilities across its product ecosystem.
The release is highlighted by fixes for four zero-day flaws, two of which are confirmed to be actively exploited in the wild.
Elevation of privilege and remote code execution bugs make up most of the release. Organizations should prioritize the exploited zero-days and the network-reachable critical RCEs, then roll out the rest of the cumulative update on their normal schedule.
Zero-Day Exploits and Critical Execution Bugs
The most immediate threats in this month’s release are the two zero-day vulnerabilities already being used by attackers.
One of these, tracked as CVE-2025-59230, is an improper access control flaw in the Windows Remote Access Connection Manager (RasMan) service that lets an attacker who already has local, authenticated access elevate to SYSTEM privileges.
In addition to the zero-days, Microsoft patched several critical remote code execution (RCE) vulnerabilities.
Among them are CVE-2025-59234 and CVE-2025-59236, use-after-free bugs in Microsoft Office and Excel that let an attacker execute code in the context of the user who opens a specially crafted file; no authentication is required beyond convincing the target to open the document.
Another critical RCE, CVE-2025-59287, is a deserialization of untrusted data flaw in Windows Server Update Services (WSUS) that an unauthenticated attacker can trigger over the network. Because a WSUS server sits upstream of every managed client’s update path, compromising one is a foothold with fleet-wide reach, which is why the article groups it with supply-chain risks. WSUS servers reachable from outside the management network should be patched first.
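The following PowerShell triage script is an added example, not code from the article or from Microsoft. It checks whether the local host runs the WSUS role, whether anything is listening on the default WSUS ports (8530 for HTTP and 8531 for HTTPS; an administrator may have changed these), and whether any update has been installed since the 14 October 2025 release. The KB numbers for the fix are not on this page, so the date check is a heuristic to flag hosts that have clearly not been updated, not proof that CVE-2025-59287 is fixed. It assumes it is run elevated on Windows Server, where Get-WindowsFeature is available.

```powershell
# Added WSUS exposure triage (assumption: run elevated on Windows Server).
# Not part of the original article; KB numbers are unknown here, so the
# update check is date-based and only indicates "clearly unpatched".

$PatchTuesday = Get-Date '2025-10-14'   # October 2025 Patch Tuesday

# 1. Is the WSUS role installed on this server?
$wsus = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = [bool]($wsus -and $wsus.Installed)

# 2. Is anything listening on the default WSUS ports, and on which addresses?
#    An address of 0.0.0.0 or :: means the service accepts connections from all interfaces.
$listeners = Get-NetTCPConnection -LocalPort 8530, 8531 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Has any update been installed on or after Patch Tuesday?
#    InstalledOn can be empty for some entries, so guard before comparing.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

# Derive a priority label from the three signals.
if ($roleInstalled -and $listeners -and -not $recent) {
    $exposure = 'WSUS listening and no updates since 2025-10-14: patch or isolate now'
} elseif ($roleInstalled) {
    $exposure = 'WSUS role present: confirm the October cumulative update is installed'
} else {
    $exposure = 'No WSUS role on this host'
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    WsusRoleInstalled = $roleInstalled
    WsusListeners     = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    UpdatesSincePT    = ($recent | ForEach-Object { $_.HotFixID }) -join ', '
    Exposure          = $exposure
}
```

Run it on each server you suspect of hosting WSUS; a listener bound to 0.0.0.0 on a host with no post-14-October updates is the combination to fix first. Confirm the actual fix by checking the installed cumulative update against Microsoft’s advisory for CVE-2025-59287 rather than relying on the date heuristic alone.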
Pervasive Privilege Escalation Flaws
Elevation of privilege vulnerabilities represent the largest category in this update, with 80 distinct flaws fixed. These bugs allow an attacker who has already gained code execution on a system, typically as a standard user, to escalate to SYSTEM or administrator rights.
Notable examples include CVE-2025-49708 in the Microsoft Graphics Component, a use-after-free that is rated critical because it can be exploited over a network rather than only locally, and a cluster of use-after-free bugs in the Windows PrintWorkflowUserSvc (CVE-2025-55684 through 55691), a print workflow service present on ordinary Windows workstations and therefore a broad local escalation surface in enterprise environments.
Cloud infrastructure is also affected, with critical privilege escalation flaws like CVE-2025-59291 and CVE-2025-59292 patched in Azure Container Instances and Compute Gallery.
Diverse Vulnerabilities Across the Ecosystem
The October update addresses a wide spectrum of security issues beyond RCE and privilege escalation. The patches cover 28 information disclosure flaws, 11 security feature bypasses, and 10 spoofing vulnerabilities.
Key fixes include a Secure Boot bypass (CVE-2025-47827, which is in the IGEL OS boot chain rather than in Windows, as the table below notes) and a publicly disclosed out-of-bounds read in the TCG TPM 2.0 reference implementation (CVE-2025-2884). Microsoft also addressed spoofing risks in File Explorer and Exchange Server, a security feature bypass in BitLocker (CVE-2025-55682) that requires physical access to the device, and denial-of-service flaws in components such as DirectX (CVE-2025-55698, reachable over a network).
The breadth of affected products, from the Windows Kernel to Azure services, means no single product team’s update closes the exposure; patch coverage has to be checked across the whole estate.
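The page gives no detail on CVE-2025-55682 beyond its physical-attack requirement, so the only generic caveat a practitioner can act on before the update lands is the standard one for physical attacks against TPM-only BitLocker: require pre-boot authentication (a PIN or startup key) so that the key is not released automatically at boot. The following PowerShell check is an added example, not code from the article or from Microsoft, and it is a hardening check, not a substitute for installing the update. It assumes the BitLocker PowerShell module (Get-BitLockerVolume) is available and that it runs elevated.

```powershell
# Added check (assumption: elevated session with the BitLocker module available).
# Flags volumes whose protection rests on the TPM alone, with no pre-boot PIN
# or startup key, which is the configuration most exposed to physical attacks.

$prebootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

Get-BitLockerVolume | ForEach-Object {
    # KeyProtectorType is an enum; stringify so the comparisons below are plain text.
    $types = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    $hasPreboot = @($types | Where-Object { $_ -in $prebootTypes }).Count -gt 0

    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        VolumeType       = $_.VolumeType
        ProtectionStatus = $_.ProtectionStatus
        Protectors       = ($types | Sort-Object -Unique) -join ', '
        # True only when a bare TPM protector exists and nothing requires user input at boot.
        TpmOnly          = ('Tpm' -in $types) -and -not $hasPreboot
    }
} | Format-Table -AutoSize
```

Any operating-system volume reported with TpmOnly set to True relies entirely on the TPM’s own measurements to release the key; adding a TPM+PIN protector there reduces what an attacker with the device in hand can do while the update is rolled out.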
| CVE ID | Vulnerability Details | Type | Severity |
|---|---|---|---|
| CVE-2016-9535 | tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile size like YCbCr with subsampling. Reported as MSVR 35105, aka “Predictor heap-buffer-overflow.” | Remote Code Execution | Critical |
| CVE-2025-2884 | Vulnerability in the TCG TPM 2.0 reference implementation’s CryptHmacSign helper function: an out-of-bounds read caused by the lack of validation of the requested signature scheme against the signing key’s algorithm. | Information Disclosure | Important |
| CVE-2025-47827 | In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image. | Security Feature Bypass | Important |
| CVE-2025-49708 | Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege | Critical |
| CVE-2025-55680 | Time-of-check time-of-use (toctou) race condition in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55682 | Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | Security Feature Bypass | Important |
| CVE-2025-55683 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-55684 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55688 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55690 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55691 | Use after free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55692 | Improper input validation in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55693 | Use after free in Windows Kernel allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55694 | Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55695 | Out-of-bounds read in Windows WLAN Auto Config Service allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-55696 | Time-of-check time-of-use (toctou) race condition in the NtQueryInformationToken function (ntifs.h) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55697 | Heap-based buffer overflow in Azure Local allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55698 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service over a network. | Denial of Service | Important |
| CVE-2025-55699 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-58714 | Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58718 | Use after free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | Remote Code Execution | Important |
| CVE-2025-58720 | Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-58724 | Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58725 | Heap-based buffer overflow in Windows COM allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58726 | Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege | Important |
| CVE-2025-58727 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58729 | Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | Denial of Service | Important |
| CVE-2025-58730 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58731 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58733 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58734 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58736 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58737 | Use after free in Windows Remote Desktop allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58738 | Use after free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58739 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59184 | Exposure of sensitive information to an unauthorized actor in Windows High Availability Services allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59187 | Improper input validation in Windows Kernel allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59188 | Exposure of sensitive information to an unauthorized actor in Windows Failover Cluster allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59189 | Use after free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59190 | Improper input validation in Microsoft Windows Search Component allows an unauthorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59191 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59192 | Buffer over-read in Storport.sys Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59193 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Management Services allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59194 | Use of uninitialized resource in Windows Kernel allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59197 | Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59198 | Improper input validation in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59203 | Insertion of sensitive information into log file in Windows StateRepository API allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59205 | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59208 | Out-of-bounds read in Windows MapUrlToZone allows an unauthorized attacker to disclose information over a network. | Information Disclosure | Important |
| CVE-2025-59209 | Exposure of sensitive information to an unauthorized actor in Windows Push Notification Core allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59210 | Elevation of Privilege in Windows Resilient File System (ReFS) Deduplication Service. | Elevation of Privilege | Important |
| CVE-2025-59213 | Improper neutralization of special elements used in an sql command (‘sql injection’) in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59214 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59221 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59222 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59223 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59224 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59225 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59226 | Use after free in Microsoft Office Visio allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59227 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59229 | Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59230 | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59232 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59234 | Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59236 | Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59238 | Use after free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59241 | Improper link resolution before file access (‘link following’) in Windows Health and Optimized Experiences Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59244 | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59248 | Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59253 | Improper access control in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59260 | Exposure of sensitive information to an unauthorized actor in Microsoft Failover Cluster Virtual Driver allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59261 | Time-of-check time-of-use (toctou) race condition in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59275 | Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59278 | Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59285 | Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59287 | Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | Remote Code Execution | Critical |
| CVE-2025-59288 | Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network. | Spoofing | Moderate |
| CVE-2025-59289 | Double free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59291 | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Critical |
| CVE-2025-59292 | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Critical |
| CVE-2025-59497 | Time-of-check time-of-use (toctou) race condition in Microsoft Defender for Linux allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59502 | Uncontrolled resource consumption in Windows Remote Procedure Call allows an unauthorized attacker to deny service over a network. | Denial of Service | Moderate |