Full Report
Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program. Of the 183 vulnerabilities, eight of them are non-Microsoft
Analysis Summary
# Vulnerability: Windows Zero-Days Exploited in October 2025 Patch Tuesday
## CVE Details
- CVE ID: CVE-2025-24990, CVE-2025-59230, CVE-2025-47827. (Note: the source states severity scores for the two critical Windows issues.)
- CVSS Score: 7.8 (CVE-2025-24990), 7.8 (CVE-2025-59230), 4.6 (CVE-2025-47827)
- Severity: Not stated explicitly. A CVSS score of 7.8 maps to High and 4.6 to Medium, but confirmed in-the-wild exploitation makes the two Windows EoP flaws a high practical concern regardless of score.
- CWE: Not explicitly listed for the Windows flaws; both are classified as Elevation of Privilege.
## Affected Systems
- Products: Microsoft Windows (all versions up to and including Server 2025), IGEL OS.
- Versions:
  - CVE-2025-24990: All versions of Windows.
  - CVE-2025-59230: Windows versions not specified; the flaw is in the Remote Access Connection Manager (RasMan) component.
  - CVE-2025-47827: IGEL OS before version 11.
- Configurations:
  - CVE-2025-24990: Local attacker with a minimally privileged account.
  - CVE-2025-47827: Requires physical access.
## Vulnerability Description
Three vulnerabilities have been identified as under active exploitation in the wild following the October 2025 Patch Tuesday release:
1. **CVE-2025-24990 (Windows Agere Modem Driver - `ltmdm64.sys`):** An Elevation of Privilege (EoP) vulnerability rooted in legacy code. This driver ships by default on all Windows versions. A local attacker can leverage this to elevate privileges to administrator.
2. **CVE-2025-59230 (Windows Remote Access Connection Manager - RasMan):** An EoP vulnerability that allows an attacker to execute code with elevated privileges. This is the first known zero-day exploitation of RasMan in this manner in recent history.
3. **CVE-2025-47827 (IGEL OS Secure Boot Bypass):** Allows an attacker to bypass Secure Boot, potentially enabling the deployment of kernel-level rootkits to tamper with credentials and the OS core.
## Exploitation
- Status: Exploited in the wild (for all three listed CVEs).
- Complexity: Low for CVE-2025-24990 (a local attacker with minimal privileges is sufficient). The IGEL OS flaw requires physical access.
- Attack Vector:
  - CVE-2025-24990 & CVE-2025-59230: Local (implied by the EoP nature of the flaws).
  - CVE-2025-47827: Physical (required for the Secure Boot bypass).
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2025-24990 / 59230 | High (via EoP) | High (via EoP) | Potential |
| CVE-2025-47827 | High (Credential capture possible via rootkit) | High (OS tampering) | Potential |
## Remediation
### Patches
* **CVE-2025-24990:** Microsoft is reportedly planning to **remove the driver entirely** instead of issuing a traditional patch. Users should apply the October 2025 cumulative/security updates.
* **CVE-2025-59230:** Apply the October 2025 comprehensive security updates from Microsoft.
* **CVE-2025-47827:** Apply updates provided by IGEL for OS version 11 or newer.
### Workarounds
* For **CVE-2025-24990**, since the driver ships by default, removing the driver is the definitive fix where the environment supports it; official guidance on removing it outside the standard update is still pending.
## Detection
- **Indicators of Compromise (IOCs):** Not explicitly detailed in the summary. Monitor for loads of or interaction with the Agere Modem Driver (`ltmdm64.sys`) and for unusual activity around the Remote Access Connection Manager (RasMan) service that coincides with a low-privileged user gaining elevated rights.
- **Detection Methods and Tools:** All three vulnerabilities have been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, prompting enhanced monitoring for exploitation activity. Security teams should prioritize patching these systems immediately.
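The following PowerShell script is an added example and is not part of the original advisory or Microsoft's guidance. It helps a defender answer the two questions the Workarounds and Detection sections raise for the Windows flaws: is the legacy `ltmdm64.sys` driver still present and registered on a host, and is RasMan running. The driver path under `System32\drivers`, the use of Sysmon event ID 6 (DriverLoad) for load history, and the KB placeholder for the October 2025 update are assumptions; the advisory does not give a KB number, so the placeholder must be replaced before use.

```powershell
# Added example, not from the advisory: inventory the two Windows components
# named in the report so exposure and patch state can be confirmed per host.
# Assumptions: driver lives in System32\drivers, Sysmon (if installed) logs
# driver loads as event ID 6, and the KB number below is a placeholder.

$driverName = 'ltmdm64.sys'   # named in the advisory (CVE-2025-24990)
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"   # assumed location
$result     = [ordered]@{ ComputerName = $env:COMPUTERNAME }

# 1. Is the Agere modem driver still on disk?
$result.DriverOnDisk = Test-Path -Path $driverPath
if ($result.DriverOnDisk) {
    $result.DriverVersion = (Get-Item -Path $driverPath).VersionInfo.FileVersion
}

# 2. Is it registered as a system driver, and in what state?
$drv = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -like "*$driverName" }
$result.DriverRegistered = [bool]$drv
$result.DriverState      = if ($drv) { $drv.State } else { 'not registered' }

# 3. Recent driver-load events for this file (requires Sysmon; assumption).
$loads = Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6 } `
            -MaxEvents 500 -ErrorAction SilentlyContinue |
         Where-Object { $_.Message -like "*$driverName*" }
$result.RecentDriverLoads = @($loads).Count

# 4. RasMan service state (CVE-2025-59230 lives in this service).
$ras = Get-Service -Name RasMan -ErrorAction SilentlyContinue
$result.RasManStatus = if ($ras) { "$($ras.Status) / $($ras.StartType)" } else { 'not present' }

# 5. Has the October 2025 cumulative update been installed?
#    The KB number is not in the advisory: replace the placeholder.
$expectedKb = 'KB<OCTOBER-2025-CU-PLACEHOLDER>'
$result.OctoberUpdateInstalled = [bool](Get-HotFix -ErrorAction SilentlyContinue |
                                        Where-Object HotFixID -eq $expectedKb)

# 6. Simple triage verdict for a fleet-wide report.
$result.Verdict = if ($result.DriverOnDisk -and -not $result.OctoberUpdateInstalled) {
    'REVIEW: legacy driver present and October update not confirmed'
} elseif ($result.DriverOnDisk) {
    'CHECK: driver still on disk after update; confirm removal guidance'
} else {
    'OK: driver absent'
}

[pscustomobject]$result | Format-List
```

Run it with an account that can read the Sysmon log; on hosts without Sysmon the `RecentDriverLoads` field simply reports 0. The verdict logic is deliberately conservative: a host is only "OK" when the driver file is gone, because Microsoft's stated plan is removal of the driver rather than a code fix.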
## References
- Vendor Advisories: Microsoft MSRC Update Guide (covers the October 2025 Patch Tuesday release of fixes for 183 flaws).
- Relevant Links:
  - Microsoft Update Guide (general 2025-Oct release): `msrc.microsoft.com/update-guide/releaseNote/2025-Oct`
  - CVE-2025-24990 Advisory: `msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24990`
  - CVE-2025-59230 Advisory: `msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59230`
  - CVE-2025-47827 Advisory: `msrc.microsoft.com/update-guide/vulnerability/CVE-2025-47827`
  - IGEL CVE Disclosure: `github.com/Zedeldi/CVE-2025-47827`
  - CISA KEV Catalog (implied; the three CVEs were added upon publication of the alert).