Microsoft on Tuesday released fixes for 183 security flaws spread across its products, including three vulnerabilities that are being actively exploited, as the tech giant officially ended support for its Windows 10 operating system unless PCs are enrolled in the Extended Security Updates (ESU) program.
Eight of the 183 vulnerabilities are non-Microsoft-released CVEs. At least 165 vulnerabilities have been rated critical in severity, 17 in the serious and one in the moderate category. Most of them are elevation of privilege vulnerabilities (84), followed by remote code execution (33), information disclosure (28), spoofing (14), denial of service (11), and security feature bypass (11) issues.
These updates are in addition to the 25 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser since the release of the September 2025 Patch Tuesday update.
The two Windows zero-days that have come under active exploitation are as follows –
- CVE-2025-24990 (CVSS Score: 7.8) – Windows Agere Modem Driver (“ltmdm64.sys”) elevation of privilege vulnerability
- CVE-2025-59230 (CVSS Score: 7.8) – Windows Remote Access Connection Manager (RASMAN) elevation of privilege vulnerability
Microsoft said both issues could allow attackers to execute code with elevated privileges, although there is currently no indication of how they are being exploited and how widespread these attempts may be. In the case of CVE-2025-24990, the company said it plans to remove the driver entirely instead of releasing a patch for the older third-party component.
Alex Vovk, CEO and co-founder of Action1, described the security flaw as “alarming”, as it is rooted in legacy code installed by default on all Windows systems, regardless of whether the associated hardware is present or in use.
“The vulnerable driver comes with every edition of Windows, up to and including Server 2025,” said Adam Barnett, principal software engineer at Rapid7. “Maybe your fax modem uses a different chipset, and so you don’t need the Agere driver? Maybe you just discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimum privileged account can access administrator.”
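A host-level check for the driver discussed above, as an added example that is not from Microsoft or the researchers quoted: it reports whether `ltmdm64.sys` is still on disk or registered as a driver service, which helps confirm the removal Microsoft described. The function name and the `System32\drivers` path are assumptions.

```powershell
# Added example: inventory the Agere modem driver named in the article on the local host.
function Get-AgereDriverStatus {
    [CmdletBinding()]
    param(
        # Assumed default location for kernel drivers; adjust if your image differs.
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys')
    )

    # File on disk (null if the driver has already been removed).
    $file = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue

    # A registered driver service means the binary can be loaded, not only that it exists.
    $service = Get-CimInstance -ClassName Win32_SystemDriver `
                   -Filter "PathName LIKE '%ltmdm64.sys'" -ErrorAction SilentlyContinue |
               Select-Object -First 1

    # Signature status helps tell the inbox binary apart from a look-alike dropped at the same path.
    $signature = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName } else { $null }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DriverPath     = $DriverPath
        FilePresent    = [bool]$file
        FileVersion    = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        SignatureState = if ($signature) { $signature.Status.ToString() } else { $null }
        ServiceName    = if ($service) { $service.Name } else { $null }
        ServiceState   = if ($service) { $service.State } else { $null }
        StartMode      = if ($service) { $service.StartMode } else { $null }
        # True while either the file or the service registration remains.
        StillInstalled = [bool]($file -or $service)
    }
}

Get-AgereDriverStatus | Format-List
```

Run it before and after applying the October update; `StillInstalled` should read `False` once the driver has been removed.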
According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-59230 is the first vulnerability to be exploited as a zero-day in RASMAN. Microsoft has patched more than 20 flaws in the component since January 2022.
The third vulnerability that has been exploited in real-world attacks is a Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827, CVSS score: 4.6). Details about the flaw were first publicly disclosed by security researcher Jack Didcott in June 2025.
“The implications of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gain access to the IGEL OS and, by extension, then compromise the virtual desktop, including capturing credentials,” said Kev Breen, senior director of threat research at Immersive.
“It should be noted that this is not a remote attack, and exploiting this type of vulnerability typically requires physical access, meaning that ‘rogue-maid’ style attacks are the most likely vector to impact employees who travel frequently.”
All three issues have since been added to the US Cybersecurity and Infrastructure Security Agency (CISA)’s Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply patches by November 4, 2025.
Other vulnerabilities of note include a remote code execution (RCE) bug in the Windows Server Update Service (WSUS) (CVE-2025-59287, CVSS score: 9.8), a flaw in the CryptHmacSign helper function of the Trusted Computing Group (TCG) TPM 2.0 reference implementation (CVE-2025-2884, CVSS score: 5.3), and an RCE in Windows URL parsing (CVE-2025-59295, CVSS score: 8.8).
“An attacker could take advantage of this by carefully crafting a malicious URL,” said Ben McCarthy, principal cybersecurity engineer at Immersive. “Overflowed data can be designed to overwrite critical program data, such as a function pointer or an object’s virtual function table (vtable) pointer.”
“When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the execution flow of the program to a memory address controlled by the attacker. This allows the attacker to execute arbitrary code (shellcode) on the target system.”
The two vulnerabilities with the highest CVSS scores in this month’s update are related to a privilege escalation flaw in the Microsoft Graphics Component (CVE-2025-49708, CVSS score: 9.9) and a security feature bypass in ASP.NET (CVE-2025-55315, CVSS score: 9.9).
While exploiting CVE-2025-55315 requires an attacker to first authenticate, it can be abused to surreptitiously bypass security controls and perform malicious actions by smuggling a second, malicious HTTP request within the body of their initial authenticated request.
“An organization should prioritize addressing this vulnerability because it invalidates the core security promise of virtualization,” McCarthy said of CVE-2025-49708, describing it as a high-impact flaw that allows a full virtual machine (VM) escape.
“A successful exploit means that an attacker who gains low-privileged access to a single, non-critical guest VM can directly break into and execute code with system privileges on the underlying host server. This failure of isolation means that the attacker can access, manipulate or delete data on every other VM running on the same host, including mission-critical domain controllers, databases or production applications.”