October CVE Alert: 175 Flaws & Active Zero-Days

October 2025 Patch Tuesday delivered Microsoft's largest security update on record with 175 vulnerabilities, including multiple actively exploited zero-days October 2025. This unprecedented release coincides with Windows 10 end of life security updates ending on October 14, 2025, creating critical urgency for organizations managing Windows infrastructure. Security teams face immediate threats from universal Windows driver exploits, wormable update service vulnerabilities, and ongoing Clop Oracle EBS attack campaigns targeting enterprise systems.

Windows Agere Modem Driver Universal Threat

Threat: CVE-2025-24990

CVE-2025-24990 Windows Agere (CVSS 7.8) represents an elevation of privilege vulnerability in the third-party Agere Modem driver (ltmdm64.sys) that ships natively with all supported Windows operating systems. This Windows zero-day vulnerability affects every Windows version ever released, regardless of whether the modem hardware exists or remains in use.

Attackers exploiting this flaw gain SYSTEM-level administrative privileges on compromised systems. The vulnerability resides in legacy code installed by default across the entire Windows ecosystem, making it universally accessible to threat actors who achieve initial system access.

Why It Matters

This vulnerability demonstrates exceptional scope, affecting all Windows versions from legacy systems through current releases. Security researchers indicate potential exploitation for EDR evasion, allowing attackers to bypass endpoint detection and response systems through privileged driver access.

CISA KEV catalog October additions include CVE-2025-24990 with a November 4, 2025 remediation deadline for federal agencies. The vulnerability's presence on every Windows system regardless of hardware configuration amplifies risk across enterprise environments.

Microsoft confirms active exploitation in the wild, though specific campaign details remain undisclosed. The universal nature of this flaw enables broad attack scenarios once threat actors establish initial foothold through phishing, credential theft, or other vectors.

Mitigation

Microsoft addressed CVE-2025-24990 by permanently removing the vulnerable driver rather than issuing a traditional patch. The October 2025 cumulative update eliminates ltmdm64.sys from all Windows installations, causing dependent fax modem hardware to cease functioning.

Organizations should deploy October security updates immediately across all Windows systems. The driver removal approach ensures complete mitigation but requires verifying that business-critical fax functionality does not depend on Agere modem hardware.

Implement enhanced monitoring for privilege escalation attempts and unusual driver-related activities. Security teams should prioritize systems with internet exposure or those processing untrusted content for immediate patching.

Windows Remote Access Connection Manager Exploitation

Threat: CVE-2025-59230

CVE-2025-59230 (CVSS 7.8) affects Windows Remote Access Connection Manager (RasMan), the service managing dial-up and VPN connections across Windows environments. This elevation of privilege vulnerability enables authenticated attackers with low-level access to escalate privileges to SYSTEM level through improper access controls.

RasMan vulnerabilities appear frequently in patch cycles, but CVE-2025-59230 marks the first confirmed wild exploitation of this component since tracking began in January 2022. The flaw requires minimal attack complexity and no user interaction once attackers establish initial system access.

Why It Matters

Active exploitation distinguishes this vulnerability from typical RasMan security issues. Microsoft's Threat Intelligence Center and Security Response Center identified the flaw through threat hunting activities, indicating sophisticated threat actor usage.

While physical access typically facilitates exploitation, the vulnerability affects organizations where attackers gain local access through supply chain compromise, insider threats, or "evil maid" style attacks targeting traveling employees. Complete system compromise enables attackers to create administrative accounts, modify critical configurations, and potentially pivot throughout Windows infrastructure.

Mitigation

Deploy October 2025 cumulative updates addressing CVE-2025-59230 across all Windows and Windows Server versions. The CISA KEV compliance deadline of November 4, 2025 applies to federal agencies with recommended enterprise adoption matching this timeline.

Implement comprehensive logging for RasMan service activities and monitor for unusual privilege escalation patterns. Organizations should review physical security procedures for endpoints and consider full-disk encryption for systems used by traveling personnel.

Security teams managing Windows enterprise security should correlate RasMan exploitation indicators with other suspicious activities that might indicate multi-stage attack campaigns.

Critical WSUS Infrastructure Vulnerability

Threat: WSUS Vulnerability CVE-2025-59287

WSUS vulnerability CVE-2025-59287 (CVSS 9.8) represents a critical remote code execution flaw in Windows Server Update Services affecting enterprise patch management infrastructure. This deserialization vulnerability allows unauthenticated attackers to execute arbitrary code by sending crafted events that trigger unsafe object deserialization in legacy serialization mechanisms.

The vulnerability affects all Windows Server versions from 2012 through 2025 where WSUS roles are deployed. Successful exploitation requires no user interaction or special privileges, enabling complete system compromise with high impacts on confidentiality, integrity, and availability.

Why It Matters

WSUS serves as centralized patch distribution infrastructure for enterprise Windows environments, making compromise particularly devastating. The wormable nature of CVE-2025-59287 enables propagation between affected WSUS servers, potentially compromising entire organizational patching systems.

Microsoft's Exploitability Index rates this vulnerability as "Exploitation More Likely," indicating technical feasibility and attacker interest. Security researchers note that WSUS's trusted status within enterprise environments could enable attackers to bypass EDR detections that exclude or minimize monitoring of legitimate Windows services.

Compromised WSUS infrastructure enables malicious update distribution, allowing attackers to deploy malware disguised as legitimate patches across managed endpoints. This supply chain attack vector threatens organizational security at fundamental levels.

Mitigation

Organizations using WSUS must prioritize WSUS vulnerability CVE-2025-59287 patching within 72 hours of testing completion. The critical nature and wormable characteristics demand immediate response despite potential operational complexities.

Deploy October 2025 security updates to all WSUS servers beginning with internet-facing or DMZ-located systems. Implement network segmentation isolating WSUS infrastructure from untrusted networks and enforce strict access controls limiting administrative connections.

Enhance WSUS monitoring detecting unusual deserialization activities, unexpected update package modifications, or anomalous network connections. Enterprise patch management strategy should include WSUS compromise scenarios in incident response planning.

Azure Entra ID Identity Infrastructure Risk

Threat: CVE-2025-59246

CVE-2025-59246 (CVSS 9.8) affects Azure Entra ID through an elevation of privilege vulnerability enabling unauthenticated remote attackers to gain unauthorized administrative access without requiring user interaction. This network-based attack with minimal complexity could result in complete identity infrastructure compromise.

Successful exploitation potentially grants full administrative access, system-wide resource control, and sensitive data exfiltration capabilities across Azure and Microsoft 365 environments relying on Entra ID for authentication.

Why It Matters

Azure Entra ID serves as the identity backbone for organizations using Microsoft 365, Azure services, and hybrid on-premises integration. Compromise enables attackers to manipulate user accounts, modify security policies, access organizational data, and establish persistent administrative access.

Microsoft rates exploitation as "More Likely," indicating both technical feasibility and anticipated attacker interest given the centralized nature of identity infrastructure.

Mitigation

Microsoft has deployed cloud-side mitigations for CVE-2025-59246, requiring no customer action for Azure Entra ID services. Organizations should verify patch status through Microsoft 365 admin portals and review identity security configurations ensuring proper monitoring and alerting.

Implement enhanced Entra ID activity logging capturing administrative actions, privilege escalations, and configuration changes. Security teams should establish baseline identity infrastructure behaviors enabling anomaly detection.

Oracle E-Business Suite Active Campaign

Threat: CVE-2025-61882

CVE-2025-61882 (CVSS 9.8) represents a critical unauthenticated remote code execution vulnerability in Oracle E-Business Suite's Concurrent Processing product affecting BI Publisher Integration components. The Clop Oracle EBS attack campaign has actively exploited this zero-day since August 2025, targeting organizations running vulnerable EBS installations.

The Clop ransomware gang weaponized this vulnerability alongside previously patched July 2025 flaws in coordinated data theft operations. Attackers require no authentication, enabling remote exploitation over networks without user interaction.

Why It Matters

Oracle EBS Clop ransomware protection becomes critical as threat actors demonstrate sustained campaigns targeting EBS systems. Mandiant researchers confirm Clop successfully exfiltrated substantial data volumes from multiple organizations before Oracle released emergency patches.

Public proof-of-concept exploit code circulates alongside indicators of compromise, lowering exploitation barriers for additional threat actors. Oracle's delayed response and initial misattribution to July vulnerabilities created extended exposure windows for unpatched systems.

The extortion campaign involves emails claiming data theft from Oracle EBS systems with ransom demands to prevent public leakage. Organizations across financial services, healthcare, and manufacturing sectors report compromise attempts.

Mitigation

Oracle released emergency security updates requiring prior installation of October 2023 Critical Patch Update before applying current fixes. Organizations must follow multi-stage patching procedures ensuring compatibility and complete remediation.

Implement network segmentation isolating Oracle EBS systems from untrusted networks. Deploy indicators of compromise provided by Oracle including specific IP addresses, remote shell commands, and exploit archive signatures.

Conduct thorough forensic analysis on EBS systems checking for compromise indicators. Organizations should review BI Publisher configurations, audit Concurrent Processing logs, and verify cryptographic key integrity.

Windows 10 End of Life Security Implications

October 14, 2025 marks Windows 10 end of life security update termination for systems not enrolled in Extended Security Updates programs. This final free Patch Tuesday coincides with record vulnerability counts and active exploitation campaigns.

Organizations maintaining Windows 10 systems face critical decisions between Windows 11 migration, ESU enrollment (1 year consumer, 3 years enterprise), or accepting unsupported system risks during active threat periods. Remaining on Windows 10 without ESU guarantees vulnerability accumulation as new flaws emerge without patches.

Response Priorities and Compliance

CISA KEV catalog October additions mandate federal agency remediation by November 4, 2025. Private sector organizations should adopt similar timelines given active exploitation and critical infrastructure impacts.

Priority patching sequence should address actively exploited vulnerabilities first (CVE-2025-24990, CVE-2025-59230, CVE-2025-61882), followed by wormable WSUS threats (CVE-2025-59287), then remaining critical issues based on organizational technology deployments.

Conclusion

October 2025's unprecedented vulnerability volume combined with active zero-day exploitation and Windows 10 end of life security transitions creates exceptional challenges for security teams. The convergence of record patch counts, actively exploited flaws, and major operating system support termination demands coordinated organizational response.

Stay tuned for monthly updates from INE on the latest urgent CVEs and active exploitation campaigns. We'll continue highlighting the threats that matter most to help you prioritize your security efforts.

To strengthen your vulnerability management skills, consider practicing CVE mitigation techniques using INE's Skill Dive Vulnerabilities Lab Collection. These hands-on labs provide practical experience with vulnerability assessment, exploitation techniques, and remediation strategies in safe, controlled environments.