October 15, 2025

Patch Tuesday October 2025 - Critical Vulnerabilities: Remote Code Execution, Privilege Escalation, Secure Boot Bypass, and VM Escape Patches


Microsoft releases security patches for vulnerabilities in its products on the second Tuesday of each month. Immersive’s Container 7 Research Team reviews these patch notes for the standout vulnerabilities you need to know about.

Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Kev Breen, Senior Director Threat Research, Immersive

While it is not being actively exploited in the wild, one to patch sooner rather than later is, ironically, the Windows update service (WSUS) itself. With a score of 9.8 out of a possible 10 and marked as “Exploitation More Likely” by Microsoft, CVE-2025-59287 is a Critical Remote Code Execution vulnerability. Microsoft provides limited information, stating that an unauthenticated attacker with network access can send untrusted data to the WSUS server, resulting in deserialization and code execution. As WSUS is a trusted Windows service designed to update and modify privileged files across the file system, an attacker would have free rein over the operating system and could potentially bypass some EDR detections that ignore or exclude the WSUS service.

MITRE CVE-2025-47827: Secure Boot bypass in IGEL OS before 11

Kev Breen, Senior Director Threat Research, Immersive

CVE-2025-47827 was added to the October Patch Tuesday release and marked as being actively exploited in the wild by Microsoft, which typically means organizations should prioritize this patch over others.

This specific CVE is not new and not strictly speaking a vulnerability in Windows itself. Instead, this vulnerability is a Secure Boot Bypass that affects IGEL OS, a third-party operating system designed to provide Virtual Desktop Infrastructure, which, if configured correctly, can increase security and performance, especially for portable devices like laptops. A proof of concept has been publicly available since this vulnerability was disclosed back in May, meaning it would be trivial for threat actors to weaponize this vulnerability. 

The impact of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to IGEL OS itself and, by extension, tampering with the virtual desktops, including capturing credentials. It should be noted that this is not a remote attack; physical access is typically required to exploit this type of vulnerability, meaning that “evil maid” style attacks are the most likely vector, affecting employees who travel frequently.

CVE-2025-24990 - 7.8 - Windows Agere Modem Driver Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) shows the security risks of maintaining legacy components within modern operating systems. In attacks, threat actors are using this vulnerability as a second stage for their operations. The attack chain typically begins with the actor gaining an initial foothold on a target system through common methods like a phishing campaign, credential theft, or by exploiting a different vulnerability in a public-facing application. This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years. Kernel-mode drivers operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access.

Microsoft's decision to remove the driver entirely, rather than issue a patch, is a direct response to the risks associated with modifying unsupported, third-party legacy code. Attempts to patch such a component can be unreliable, potentially introducing system instability or failing to address the root cause of the vulnerability completely.

This action prioritizes attack surface reduction over absolute backward compatibility. By removing the vulnerable and obsolete component, the potential for this specific exploit is zero. The security risk presented by the driver was determined to be greater than the requirement to continue supporting the outdated hardware it serves. This approach demonstrates that an effective security strategy must include the lifecycle management of old code, where removal is often a more definitive and secure solution than patching. 

CVE-2025-59295 - 8.8 - Windows URL Parsing Remote Code Execution Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

A high-severity Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-59295, has been identified and patched in the October 2025 security updates. The vulnerability originates within a URL parsing function tied to the legacy MSHTML platform (Internet Explorer's Trident engine) and carries a CVSS 3.1 base score of 8.8. While Microsoft's exploitability assessment is "Exploitation Less Likely" at this time, the technical nature of the flaw presents a significant risk.

The root cause of this vulnerability is a CWE-122: Heap-based Buffer Overflow. This type of memory corruption error occurs when the application, while processing a specially crafted URL, writes more data to a memory buffer on the heap than has been allocated for it. This overwrite corrupts adjacent memory structures.

An attacker can leverage this by carefully constructing a malicious URL. The overflowed data can be designed to overwrite critical program data, such as a function pointer or an object's virtual function table (vtable) pointer. When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the program's execution flow to a memory address controlled by the attacker. This allows the attacker to execute arbitrary code (shellcode) on the target system.

While the Internet Explorer 11 desktop application is retired on most Windows versions, its core rendering engine, MSHTML.dll, remains an integrated and supported component of the operating system. This engine is still used in several key scenarios, such as Internet Explorer Mode in Microsoft Edge, Microsoft Office, and third-party applications that embed it.

Because of this deep integration, the vulnerability affects all supported versions of Windows. The patch is delivered via the Internet Explorer Cumulative Update, which is essential for all systems, including servers and those that only install Security Only updates, to ensure the underlying MSHTML component is secured. Due to the use of exploits against this engine in the past by many threat actors around the world, it is recommended to ensure the IE cumulative update is applied on all Windows machines, from servers to client installs.

CVE-2025-55315 - 9.9 - ASP.NET Security Feature Bypass Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

A vulnerability with a CVSS 3.1 score of 9.9 (Critical) has been identified in ASP.NET Core, tracked as CVE-2025-55315. It is important to note that this vulnerability is not exploitable by an anonymous attacker; it requires the threat actor to first be authenticated with valid, low-privilege user credentials (PR:L). Despite this prerequisite, the flaw allows an attacker to perform high-impact actions by exploiting inconsistencies in how HTTP requests are processed, effectively bypassing security features.

Using their authenticated session, an attacker exploits this by crafting a single, ambiguous HTTP request that is interpreted as one complete request by the front-end but as two separate requests by the back-end ASP.NET Core application. This is typically achieved by using conflicting HTTP headers, such as providing both Content-Length and Transfer-Encoding: chunked. The front-end proxy might honor one header, while the back-end Kestrel server honors the other. This discrepancy allows the attacker to "smuggle" a second, malicious HTTP request within the body of their initial authenticated request. The back-end server processes the first part of the request and leaves the smuggled data in the TCP input stream, incorrectly believing it to be the start of the next incoming request from any user.
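The framing conflict described above is something a front-end can check for before it forwards anything. The following is an added example, not code from the Immersive post or from ASP.NET Core: a parser for an HTTP/1.1 request head that reports every reason the body length is ambiguous (Content-Length together with Transfer-Encoding, conflicting or non-numeric lengths, non-canonical encodings, whitespace tricks), so a proxy can reject the request rather than let a back-end such as Kestrel interpret it differently. The sample requests are constructed.

```python
# Added example (not from the Immersive post or ASP.NET Core): a front-end
# framing check for the ambiguous requests described above. Sample data is constructed.


def parse_head(raw: bytes) -> tuple[str, list[tuple[str, str]]]:
    """Split a request head into (request line, [(raw name, raw value), ...])."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines rather than crash on them
            headers.append((name, value))  # unnormalised, so whitespace tricks stay visible
    return request_line, headers


def framing_findings(raw: bytes) -> list[str]:
    """Return every reason the body length is ambiguous; empty means safe to forward."""
    _, headers = parse_head(raw)
    cl = [v.strip() for n, v in headers if n.strip().lower() == "content-length"]
    te = [v.strip() for n, v in headers if n.strip().lower() == "transfer-encoding"]
    findings = []
    if cl and te:
        # RFC 9112 says Transfer-Encoding wins and Content-Length must be dropped;
        # a front-end and back-end that choose differently disagree on where the body ends.
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(set(cl)) > 1:
        findings.append("conflicting Content-Length values")
    if any(not v.isdigit() for v in cl):
        findings.append("non-numeric Content-Length")
    if any(v.lower() != "chunked" for v in te):
        # e.g. "xchunked" or "chunked, identity": servers differ on how to read these
        findings.append("non-canonical Transfer-Encoding value")
    if any(n != n.strip() for n, _ in headers):
        findings.append("whitespace around a header name")
    return findings


def should_forward(raw: bytes) -> bool:
    """Reverse-proxy policy: forward only requests whose framing is unambiguous."""
    return not framing_findings(raw)


# Constructed samples: a normal POST and one with the conflicting headers from the text.
CLEAN = (b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 5\r\n\r\nhello")
AMBIGUOUS = (b"POST /api/items HTTP/1.1\r\nHost: app.example\r\n"
             b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
```

Rejecting at the edge (HTTP 400) removes the disagreement entirely; normalising the request instead still leaves the back-end trusting the front-end's interpretation.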

Attackers often favor Security Feature Bypass vulnerabilities like this one for several reasons: they can be slightly stealthier, and they leverage the trusted relationship between an application’s front-end and back-end. Security bypasses don’t typically receive such high ratings. In this case, the ease with which attackers can exploit the vulnerability, combined with the likelihood that it is present in a large number of external-facing applications built on ASP.NET, justifies the rating. It is recommended that organizations address this by upgrading their ASP.NET version as soon as they can: first test that their code base works on the newer version of ASP.NET, then upgrade.

CVE-2025-49708 - 9.9 - Microsoft Graphics Component Elevation of Privilege Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

A critical vulnerability, CVE-2025-49708, has been identified in the Microsoft Graphics Component, and while its technical classification is 'Elevation of Privilege', its real-world impact is far more severe: it is a full virtual machine (VM) escape. This flaw, with a CVSS score of 9.9, completely shatters the security boundary between a guest virtual machine and its host operating system.

An organization must prioritize patching this vulnerability because it invalidates the core security promise of virtualization. A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker can then access, manipulate, or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases, or production applications.

Attackers consider VM escape vulnerabilities like this to be the 'holy grail' of modern infrastructure hacking. Gaining an initial foothold inside a sandboxed VM is a common and often achievable goal, but that access is typically contained. This vulnerability provides the key to unlock that container. For a threat actor, it’s a way to pivot to a compromise of the full host machine. This is the type of high-impact exploit that sophisticated threat actors actively search for to achieve their objectives, because virtualization is used throughout modern organizations' networks.

CVE-2025-59236 - 8.4 - Microsoft Excel Remote Code Execution Vulnerability

Ben McCarthy, Lead Cyber Security Engineer, Immersive

A critical vulnerability, CVE-2025-59236, has been identified in Microsoft Excel. While its title describes it as a Remote Code Execution vulnerability, it is crucial to understand that its attack vector is Local (AV:L). This means the exploit triggers when a specially crafted file is processed on a victim's machine, not directly over the network. The "Remote" in the title refers to the attacker's location, indicating they do not need prior access to the target system to craft and deliver the malicious file. 

Organizations must treat this as a high-priority patch because it relies on malicious documents, one of the most common entry points for cyberattacks. The exploit chain is a tried and tested attack method that the industry is still trying to figure out how to stop. An attacker crafts a malicious Excel spreadsheet and delivers it to a target via a phishing email or a web download. The moment the user opens the file, the vulnerability it contains is triggered, allowing the attacker's code to run on the user's machine at the user's permission level. Since User Interaction is "None," no further clicks, macro enablement, or warnings are needed after the file is opened for the compromise to occur. This makes it a silent and effective way to gain an initial foothold in a corporate network.

CVE-2025-59230 - 7.8 - Windows Remote Access Connection Manager Elevation of Privilege Vulnerability

Jacob Ashdown, Cyber Security Engineer, Immersive

CVE-2025-59230, a vulnerability in RasMan (Remote Access Connection Manager), is featured in this month’s Patch Tuesday. This one should be high on the list of things to patch, as it is flagged by Microsoft as being actively exploited in the wild.

RasMan manages VPN and other remote network connections and runs with SYSTEM privileges, so a compromise of the service grants an attacker code execution at the highest permission level. The flaw is an improper access control vulnerability: a local attacker with only low-level user rights can call RasMan’s service interfaces and trick the service into carrying out privileged operations on their behalf, effectively elevating their privileges to SYSTEM.

It's recommended to apply Microsoft’s patches immediately. If an attacker exploits this vulnerability, they would have significant access to the operating system, where they could use their elevated permissions to do things like disable security tooling, create or edit accounts, dump credentials, and even potentially gain domain admin credentials, moving laterally across the network. 
