Welcome to the Softcat Patch Tuesday roundup for October 2025, where we offer insight into the major patches released this month. In this edition, we will focus on the patches by Microsoft, Adobe, Cisco, SAP, Veeam, and VMware.
There have been quite a few zero-day exploits identified, with some of these known to have been actively exploited in the wild.
Microsoft
Microsoft’s October Patch Tuesday release is their largest yet: Microsoft has addressed 167 vulnerabilities, with 8 of those rated as Critical and 3 being zero-day vulnerabilities. The patches cover a broad array of applications and services, including Windows, Azure, Defender, Office Products, BitLocker, and more. Additionally, there have been 17 Edge/Chromium-based vulnerabilities identified, although no advisory notes have been issued.
This month's vulnerabilities mainly revolve around Remote Code Execution (RCE), Elevation of Privilege (EoP), and Information Disclosure. Outlined below are some of the more critical/important vulnerabilities detailed in this month’s Patch Tuesday:
Zero-Day Vulnerabilities
1. CVE-2025-24990 – This is an Elevation of Privilege vulnerability in the Windows Agere Modem Driver that can allow an attacker to escalate privileges locally by exploiting an untrusted pointer dereference. It is rated as Important, with a CVSS score of 7.8. The attack method involves local exploitation by an authorised attacker using the vulnerable ltmdm64.sys driver, which has now been removed in the October cumulative update.
2. CVE-2025-59230 – This is an Elevation of Privilege vulnerability in Windows Remote Access Connection Manager that can allow an attacker to gain elevated privileges locally by exploiting improper access control. It is rated as Important, with a CVSS score of 7.8. The attack method involves a local exploit requiring low privileges, where access control flaws allow unauthorised escalation.
3. CVE-2025-47827 – This is a Security Feature Bypass vulnerability in IGEL OS before version 11 that can allow an attacker to bypass Secure Boot protections by exploiting improper cryptographic signature verification in the igel-flash-driver module. It is rated as Important, with a CVSS score of 4.6. The attack method involves mounting a crafted root filesystem from an unverified SquashFS image, allowing Secure Boot to be bypassed during physical access.
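Because the fix for CVE-2025-24990 is the removal of the ltmdm64.sys driver rather than a code change, a post-patch check can confirm the fix actually landed on a host. The PowerShell below is an added example for this roundup, not Microsoft's or Softcat's code; it assumes the driver lives in the standard System32\drivers location and uses only built-in cmdlets.

```powershell
# Added example (not part of the Softcat roundup): post-patch verification for CVE-2025-24990.
# The October cumulative update removes the vulnerable Agere modem driver ltmdm64.sys, so a
# host where the file is still present or the driver is still registered/loaded has not taken
# the fix (or has had the driver re-added afterwards).
function Test-AgereModemDriverRemoved {
    [CmdletBinding()]
    param(
        # Assumed standard location for the driver binary.
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys')
    )

    # 1. Is the driver binary still on disk?
    $fileExists = Test-Path -LiteralPath $DriverPath

    # 2. Is a kernel driver that points at ltmdm64.sys still registered, and is it running?
    #    Win32_SystemDriver exposes registered drivers with their binary path and run state.
    $registered = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ltmdm64.sys*' }
    $running = $registered | Where-Object { $_.State -eq 'Running' }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DriverFile       = $DriverPath
        FilePresent      = $fileExists
        DriverRegistered = [bool]$registered
        DriverRunning    = [bool]$running
        # Remediated only when nothing is left on disk and nothing is registered.
        Remediated       = (-not $fileExists) -and (-not $registered)
    }
}

# Report on the local host; a 'Remediated = False' row is the finding to follow up on.
Test-AgereModemDriverRemoved | Format-List
```

Across a fleet the same function can be run through Invoke-Command and the results filtered on Remediated -eq $false to list the hosts that still carry the driver.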
Critical
1. CVE-2025-49708 – This is an Elevation of Privilege vulnerability in the Microsoft Graphics Component that can allow an attacker to escalate privileges over a network by exploiting a use-after-free condition. It is rated as Critical, with a CVSS score of 9.9. The vulnerability has not been exploited in the wild. The attack method involves network-based exploitation requiring low privileges, where memory is improperly freed and reused, leading to elevated access and compromise of confidentiality, integrity, and availability.
2. CVE-2025-59236 – This is a Remote Code Execution vulnerability in Microsoft Excel that can allow an attacker to execute arbitrary code locally by exploiting a use-after-free condition. It is rated as Critical, with a CVSS score of 8.4. The vulnerability has not been exploited in the wild. The attack method involves local execution without requiring user interaction or privileges, where memory is improperly freed and reused, leading to potential code execution.
3. CVE-2025-59287 – This is a Remote Code Execution vulnerability in Windows Server Update Service (WSUS) that can allow an attacker to execute arbitrary code over a network by exploiting deserialization of untrusted data. It is rated as Critical, with a CVSS score of 9.8. The vulnerability has not been exploited in the wild. The attack method involves sending maliciously crafted data to WSUS, which is improperly deserialized, leading to full compromise of confidentiality, integrity, and availability.
4. CVE-2025-59227 – This is a Remote Code Execution vulnerability in Microsoft Office that can allow an attacker to execute arbitrary code locally by exploiting a use-after-free condition. It is rated as Critical, with a CVSS score of 7.8. The vulnerability has not been exploited in the wild. The attack method involves local execution requiring user interaction, where memory is improperly freed and reused.
5. CVE-2025-59291 – This is an Elevation of Privilege vulnerability in Confidential Azure Container Instances that can allow an attacker to escalate privileges locally by exploiting external control of file names or paths. It is rated as Critical, with a CVSS score of 8.2. The vulnerability has not been exploited in the wild. The attack method involves a local exploit requiring high privileges, where an attacker manipulates file paths to gain unauthorised access.
Important
1. CVE-2025-59253 – This is a Denial of Service vulnerability in the Windows Search Service that can allow an attacker to disrupt service locally by exploiting improper access control. It is rated as Important, with a CVSS score of 5.5. The vulnerability has not been exploited in the wild. The attack method involves a local exploit requiring low privileges, where access control flaws allow an authorised attacker to cause service disruption, impacting system availability.
2. CVE-2025-59289 – This is an Elevation of Privilege vulnerability in the Windows Bluetooth Service that can allow an attacker to gain elevated privileges locally by exploiting a double free condition. It is rated as Important, with a CVSS score of 7.0. The vulnerability has not been exploited in the wild. The attack method involves a local exploit requiring low privileges, where memory is freed more than once, leading to potential corruption and compromise of confidentiality, integrity, and availability.
3. CVE-2025-59285 – This is an Elevation of Privilege vulnerability in the Azure Monitor Agent that can allow an attacker to gain elevated privileges locally by exploiting deserialization of untrusted data. It is rated as Important, with a CVSS score of 7.0. The vulnerability has not been exploited in the wild. The attack method involves a local exploit requiring low privileges, where improperly handled data deserialization leads to compromise of confidentiality, integrity, and availability.
Adobe
Adobe has released 12 patches this month, addressing a significant number of vulnerabilities.
The applications in question are:
- Connect
- Commerce
- Creative Cloud
- Bridge
- Animate
- Substance 3D Modeler
- Substance 3D Viewer
- Experience Manager Screens
- FrameMaker
- Illustrator
- Dimension
- Substance 3D Stager
Cisco
Cisco has so far released 4 advisories for 5 vulnerabilities in October, with the impact ratings ranging from Medium to High. The Critical vulnerabilities relate to Cisco IOS & IOS XE, Cisco Cyber Vision Centre, and Cisco Unified Communications Manager.
Fortinet
Fortinet has published/updated 17 advisories addressing vulnerabilities: 2 High, 12 Medium, and 3 Low severity.
The High severity vulnerabilities are CVE-2025-58325 and CVE-2025-49201.
Ivanti
Ivanti has addressed three products in their October security update: Ivanti EPMM, Neurons for MDM, and Ivanti Endpoint Manager.
SAP
SAP has released 13 new security notes and 4 updates to previous security notes. 6 of these CVEs are rated High or Critical. The products affected by the High or Critical rated CVEs are:
- SAP NetWeaver
- SAP Print Service
- SAP Supplier Relationship Management
- SAP Commerce Cloud
- SAP Data Hub Integration Suite
Veeam
Veeam has addressed 1 vulnerability in this month’s Patch Tuesday, relating to Veeam Backup & Replication. This vulnerability involves remote code execution (RCE) on the Backup infrastructure hosts by an authenticated domain user; this was fixed in the Veeam Backup & Replication 12.3.2.4165 patch.
VMware
VMware has released a patch for a vulnerability in the VMware Tanzu product. Many critical & high vulnerabilities were found in Tanzu for MySQL on Kubernetes 1.10, which are addressed in Tanzu for MySQL on Kubernetes 2.0. This has been rated as Critical and has a CVSS score of 9.
As always, users are recommended to apply the latest security updates as soon as possible to protect their systems from potential threats.
