Microsoft released its October 2025 Patch Tuesday security update, a record-sized release addressing 175 vulnerabilities. The update includes fixes for two actively exploited zero-day flaws and also marks the end of regular security support for the Windows 10 operating system.
The volume of 175 Common Vulnerabilities and Exposures (CVEs) establishes this release as the largest single Patch Tuesday update documented by security researchers in recent years. This single month’s release has propelled the total number of unique vulnerabilities patched by the company in 2025 to 1,021. This figure surpasses the entire previous year’s total of 1,009 patched CVEs. Satnam Narang, a senior staff research engineer at Tenable, stated, “With two months remaining this year, we’ve already blown last year’s tally of 1,009 CVEs patched, as this month’s release brings us up to 1,021.”
Narang specified that this update is the largest since Tenable began tracking Microsoft patch releases in 2017. He also clarified that this count does not include out-of-cycle patches issued prior to the main update or vulnerabilities for which Microsoft is not the designated issuer. The flaws addressed span a wide spectrum of security issues, including remote code execution (RCE) vulnerabilities, elevation of privilege (EoP) flaws, data theft vectors, denial-of-service (DoS) attack methods, and bypasses of existing security features across numerous Microsoft products.
Among the vulnerabilities, two zero-day flaws are under active exploitation by attackers. The first, identified as CVE-2025-59230, is a privilege escalation vulnerability in the Windows Remote Access Connection Manager and carries a Common Vulnerability Scoring System (CVSS) score of 7.8. This flaw permits an attacker who has already gained initial access to a system with low privileges to elevate their status to that of an administrator. Mike Walters, president and co-founder of Action1, provided analysis on the vulnerability’s mechanism. He assessed that the flaw relates to how the service, which manages virtual private network (VPN) and other remote connections, processes commands from low-privileged users without sufficient authentication. “Exploitation of this vulnerability is relatively easy, making it accessible even to attackers with moderate technical skills,” Walters commented.
The second actively exploited zero-day, CVE-2025-24990, is also an elevation of privilege vulnerability with a CVSS score of 7.8. This flaw resides in a third-party Agere modem driver for Windows. This specific driver is natively included with all supported versions of the Windows operating system, making its presence widespread. An attacker can leverage this vulnerability to gain system-level privileges on an affected computer. The flaw is exploitable even if the Agere modem hardware is not being actively used at the time of the attack. In response, Microsoft has removed the driver from the operating system through the update. This action means that Agere modems reliant on this driver will cease to function on patched Windows systems. In its advisory on the matter, Microsoft issued a direct recommendation, stating that users should “remove any existing dependencies on this hardware.”
The update also fixes other high-priority issues that security teams are advised to address. One such vulnerability is CVE-2025-59287, a remote code execution bug in Windows Server Update Services (WSUS) with a CVSS score of 9.8. WSUS is the component organizations use to centrally manage and distribute software updates and patches to computers on their networks. Walters of Action1 identified this as a critical issue, explaining that a successful exploit could lead to severe consequences. These potential outcomes include the “complete compromise of the patching infrastructure, deployment of malicious ‘updates’ to managed systems, lateral movement throughout the environment, and the creation of persistent backdoors in the update infrastructure,” he said. Microsoft has officially categorized CVE-2025-59287 as a vulnerability that attackers are more likely to exploit.
Another severe flaw addressed is CVE-2025-55315, a security-feature bypass in the ASP.NET Core framework, which received a CVSS score of 9.9. According to Microsoft’s assessment, this vulnerability could have a high impact on a system’s confidentiality, integrity, and availability. A successful exploit would grant an attacker the ability to view user credentials, alter the contents of files on the target server, or precipitate a system crash. Ben McCarthy, lead cyber security engineer at Immersive, provided additional context on the exploit conditions. “It is important to note that this vulnerability is not exploitable by an anonymous attacker; it requires the threat actor to first be authenticated with valid, low-privilege user credentials,” McCarthy stated in his commentary on the patch release.
This October update cycle also officially marks the end of life for the Windows 10 operating system. This means Microsoft will no longer provide regular security patches for vulnerabilities discovered in the operating system as part of its monthly Patch Tuesday schedule. The cessation of support affects a substantial user base, as the Windows 10 operating system currently holds an approximate 41% share of the desktop Windows version market worldwide.
For organizations that continue to operate systems running Windows 10, a specific path for continued support is required. Nick Carroll, a cyber incident response manager at Nightwing, explained in a statement that these entities will need to enroll in the Extended Security Updates (ESU) program to receive security patches beyond this final update. The ESU program is a paid service that provides security fixes for a limited time after a product’s official end-of-support date.
The end of support was not limited to Windows 10. Several other Microsoft products also reached their end-of-life milestone this week. This list includes Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016. These products will also no longer receive regular security updates. Carroll commented on the broader implications of this lifecycle stage for multiple products. “All these products and more will stop getting security patches,” he said, “but that doesn’t mean the threat actors will stop making new exploits for them.”