Microsoft’s October Patch Tuesday Fixes 173 Vulnerabilities, Including Six Zero‑Days Under Active Attack

CyberSecureFox 🦊

Microsoft’s October Patch Tuesday delivers fixes for 173 security vulnerabilities across its ecosystem, including six zero‑day issues. By Microsoft’s definition, zero‑days are flaws that were publicly disclosed before a patch became available or those with confirmed in‑the‑wild exploitation. Several of this month’s bugs fall into the latter category, elevating patch prioritization for enterprise defenders.

Actively exploited vulnerabilities: what defenders need to know

CVE-2025-24990: Privilege escalation via Agere modem driver (ltmdm64.sys)

A vulnerable Agere modem driver for Windows (ltmdm64.sys) enables local privilege escalation to administrator. Microsoft has removed the affected driver from Windows as part of the update cycle and warns that associated hardware will stop functioning after removal. Notably, exploitation is possible even if a modem is not actively used, and the issue affects all supported Windows versions.

The technique aligns with BYOVD (bring your own vulnerable driver), where attackers load a signed yet vulnerable kernel driver to bypass kernel protections and elevate privileges. Recommended actions include installing the update without delay, auditing systems for the presence of ltmdm64.sys, documenting operational impact from driver removal, and validating policies that block known‑bad drivers.

CVE-2025-59230: SYSTEM‑level privileges in Remote Access Connection Manager (RASMAN)

An access control flaw in Windows Remote Access Connection Manager (RASMAN) allowed a local authenticated user to escalate privileges to SYSTEM. As Microsoft notes, improper access control in the service can enable local elevation.

This class of bug can facilitate service installation, process hijacking, and persistence. Immediate patching is advised. Where business requirements permit, consider disabling or restricting RASMAN, enforce least‑privilege principles, and monitor for abnormal access attempts targeting the service.

CVE-2025-47827: Secure Boot bypass in IGEL OS up to version 11

In IGEL OS versions prior to 11, insufficient signature validation in the igel-flash-driver permitted a Secure Boot bypass. An attacker could mount a substituted root filesystem from an untrusted SquashFS image, breaking the boot trust chain. The issue was publicly described on GitHub by Zack Didcott.

Microsoft surfaced the partner fix in the Security Update Guide as part of its expanded support for vendor‑assigned CVEs. Organizations running IGEL OS thin clients should update to a fixed release, review Secure Boot policies, and verify that boot keys and firmware configurations preserve the trusted boot pathway.

Publicly disclosed zero‑days in SMB Server and Microsoft SQL Server

Separate publicly disclosed zero‑day vulnerabilities affect Windows SMB Server and Microsoft SQL Server. Even in the absence of deep technical details, the exposure is significant: adversaries routinely leverage SMB and SQL weaknesses for lateral movement, privilege escalation, and data compromise. Historically, such flaws are quickly incorporated into exploitation frameworks, so prioritize patching SMB/SQL workloads, enforce network segmentation, and tighten authentication controls.

Lifecycle planning: Windows 10 nears end of free support

Microsoft will end free security updates for Windows 10 on October 14, 2025. Organizations should plan migration paths to Windows 11 or evaluate extended security options based on business risk, regulatory obligations, and hardware readiness. Early planning reduces last‑minute operational disruption and ensures continued vulnerability remediation on endpoints that cannot be upgraded immediately.

Enterprise takeaways: apply October updates broadly, fast‑track fixes for ltmdm64.sys, RASMAN, and IGEL OS Secure Boot exposures, and prioritize SMB/SQL patching. Strengthen defenses against BYOVD by maintaining driver allow/deny lists and monitoring kernel‑mode loads. As Windows 10 approaches end of free support, align patch management, asset inventory, and upgrade programs to sustain a resilient security posture.
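As an added audit example (written for this page, not code from the article, Microsoft, or IGEL), the PowerShell below checks a single Windows host for the points raised in the ltmdm64.sys section and in the BYOVD takeaway above: whether the driver binary is still on disk, whether any kernel driver service references it, and whether the Microsoft vulnerable driver blocklist or HVCI is active. It assumes the documented `VulnerableDriverBlocklistEnable` value under `CI\Config` and the `Win32_DeviceGuard` class; it does not assume a service name for the driver and matches on file path instead.

```powershell
# Added host audit for CVE-2025-24990 exposure and BYOVD controls (run elevated).
# Each check emits one object with Exposed = $true when action is needed.
$driverName = 'ltmdm64.sys'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"

function New-Finding([string]$Check, [bool]$Exposed, [string]$Detail) {
    [pscustomobject]@{ Check = $Check; Exposed = $Exposed; Detail = $Detail }
}
$results = @()

# 1. Driver file on disk? The October update removes it; its presence means the
#    update has not landed (or the file was re-introduced by an installer).
if (Test-Path -LiteralPath $driverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    $results += New-Finding 'Driver file present' $true `
        "$driverPath (signature=$($sig.Status); signer=$($sig.SignerCertificate.Subject))"
} else {
    $results += New-Finding 'Driver file present' $false "$driverName not under System32\drivers"
}

# 2. Any registered kernel driver service pointing at the file, and is it loaded?
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*$driverName" }
if ($svc) {
    foreach ($s in $svc) {
        $results += New-Finding 'Driver service registered' $true `
            "$($s.Name): state=$($s.State), start=$($s.StartMode)"
    }
} else {
    $results += New-Finding 'Driver service registered' $false 'no Win32_SystemDriver entry references the file'
}

# 3. Microsoft vulnerable driver blocklist switch. A missing value is flagged here
#    because only HVCI (check 4) guarantees the blocklist is enforced without it.
$ciKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config'
$blocklist = (Get-ItemProperty -Path $ciKey -ErrorAction SilentlyContinue).VulnerableDriverBlocklistEnable
$results += New-Finding 'Vulnerable driver blocklist enabled' ($blocklist -ne 1) `
    "VulnerableDriverBlocklistEnable=$(if ($null -eq $blocklist) { '<not set>' } else { $blocklist })"

# 4. HVCI (memory integrity) running? SecurityServicesRunning contains 2 when it is.
$dg = Get-CimInstance -Namespace root\Microsoft\Windows\DeviceGuard -ClassName Win32_DeviceGuard `
        -ErrorAction SilentlyContinue
$hvciOn = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))
$results += New-Finding 'HVCI running' (-not $hvciOn) `
    "SecurityServicesRunning=$(if ($dg) { $dg.SecurityServicesRunning -join ',' } else { '<unavailable>' })"

$results | Format-Table -AutoSize
```

Any row with Exposed = True is a follow-up item: patch, document the hardware impact of the driver's removal, or turn on the blocklist/HVCI as the takeaways above recommend.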
