{"id":3279,"date":"2025-10-18T16:52:23","date_gmt":"2025-10-18T16:52:23","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2025\/10\/18\/last-windows-10-patch-tuesday-features-six-zero-days\/"},"modified":"2025-10-18T16:52:23","modified_gmt":"2025-10-18T16:52:23","slug":"last-windows-10-patch-tuesday-features-six-zero-days","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2025\/10\/18\/last-windows-10-patch-tuesday-features-six-zero-days\/","title":{"rendered":"Last Windows 10 Patch Tuesday Features Six Zero-Days"},"content":{"rendered":"<div>\n<p><img decoding=\"async\" src=\"http:\/\/ft365.org\/wp-content\/uploads\/2025\/06\/localimages\/ea721ff9-8ba4-4d88-b386-57e9e1606077.jpg?width=64&#038;height=64&#038;mode=crop&#038;scale=both&#038;format=webp\" alt=\"Photo of Phil Muncaster\" loading=\"lazy\"><\/p>\n<\/div>\n<div id=\"cphContent_pnlArticleBody\">\n<div id=\"layout-cecd7af3-2e11-4609-92b1-bc601e2c11ca\" data-layout-id=\"2\" data-edit-folder-name=\"text\" data-index=\"0\">\n<p>It\u2019s set to be a busy October for system administrators after Microsoft issued security updates to fix 172 vulnerabilities including six classed as zero-days.<\/p>\n<p>Three of the zero-day vulnerabilities in this month\u2019s Patch Tuesday list are being actively exploited.<\/p>\n<p>CVE-2025-59230 is a local elevation of privilege (EoP) bug in the Windows Remote Access Connection Manager.<\/p>\n<p>\u201cWith no user interaction required, this will go straight into an attacker\u2019s standard toolkit,\u201d warned Rapid7 lead software engineer, Adam Barnett.<\/p>\n<p>\u201cThere\u2019s very little information in the advisory itself, but someone out there knows exactly how to exploit this vulnerability.\u201d<\/p>\n<p>CVE-2025-24990 is another EoP vulnerability, this time in the third-party Agere Modem driver (ltmdm64.sys) which ships with Windows. 
Interestingly, Microsoft has removed the driver rather than patch the flaw.<\/p>\n<p>Ben McCarthy, lead cybersecurity engineer at Immersive, argued that the bug highlights the risks of legacy components.<\/p>\n<p>\u201cThis driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years. Kernel-mode drivers operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access,\u201d he explained.\u00a0<\/p>\n<p>\u201cMicrosoft\u2019s decision to remove the driver entirely, rather than issue a patch, is a direct response to the risks associated with modifying unsupported, third-party legacy code. Attempts to patch such a component can be unreliable, potentially introducing system instability or failing to address the root cause of the vulnerability completely.\u201d<\/p>\n<p><em>Read more on Patch Tuesday: Two Zero-Days Among Patch Tuesday CVEs This Month<\/em><\/p>\n<p>The third zero-day actively being exploited in the wild is CVE-2025-47827: a secure boot bypass bug that affects IGEL OS, a third-party OS designed to provide virtual desktop infrastructure.<\/p>\n<p>Kev Breen, senior director of threat research at Immersive, claimed a proof of concept has been available for this vulnerability since May, making exploitation trivial.<\/p>\n<p>\u201cThe impacts of a secure boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension then tamper with the virtual desktops, including capturing credentials,\u201d he added.<\/p>\n<p>\u201cIt should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that \u2018evil-maid\u2019 style attacks are the most likely vector affecting employees who travel frequently.\u201d<\/p>\n<h2>Three Publicly Disclosed Zero-Days<\/h2>\n<p>The 
three remaining zero-days have been publicly disclosed but so far not exploited. They are:<\/p>\n<ul>\n<li>CVE-2025-0033: a critical vulnerability in AMD EPYC processors using Secure Encrypted Virtualization \u2013 Secure Nested Paging (SEV-SNP), for which there\u2019s not yet a patch<\/li>\n<li>CVE-2025-24052: an EoP bug in the Agere Modem driver, similar to CVE-2025-24990<\/li>\n<li>CVE-2025-2884: an out-of-bounds read vulnerability in TCG TPM2.0\u00a0that could result in information disclosure or denial of service<\/li>\n<\/ul>\n<p>This is the last Patch Tuesday\u00a0in which Windows 10 users will receive free updates. To continue receiving patches, consumers and business customers will need to pay for Microsoft\u2019s\u00a0Extended Security Updates (ESU) scheme.<\/p>\n<\/div>\n<p>Image\u00a0credit: gguy \/ Shutterstock.com<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>It\u2019s set to be a busy October for system administrators after Microsoft issued security updates to fix 172 vulnerabilities including six classed as zero-days. Three of the zero-day vulnerabilities in this month\u2019s Patch Tuesday list are being actively exploited. 
CVE-2025-59230 is a local elevation of privilege (EoP) bug in the Windows Remote Access Connection Manager.<\/p>\n","protected":false},"author":2,"featured_media":3280,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-3279","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized"],"featured_image_urls":{"full":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"thumbnail":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560-150x150.jpg",150,150,true],"medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"medium_large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"1536x1536":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"2048x2048":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"morenews-featured":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"morenews-large":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"morenews-medium":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560.jpg",300,300,false],"crawlomatic_preview_image":["https:\/\/ft365.org\/wp-content\/uploads\/2025\/10\/3279-8a775030-958d-416a-850b-312e5d990560-146x146.jpg",146,146,true]},"author_info":{"display_name":"henry","author_link":"https:\/\/ft365.org\/index
.php\/author\/henry\/"},"category_info":"<a href=\"https:\/\/ft365.org\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a>","tag_info":"Uncategorized","comment_count":"0","_links":{"self":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3279","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/comments?post=3279"}],"version-history":[{"count":0,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/posts\/3279\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media\/3280"}],"wp:attachment":[{"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/media?parent=3279"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/categories?post=3279"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ft365.org\/index.php\/wp-json\/wp\/v2\/tags?post=3279"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}