Windows 10 Final Patch Tuesday Fixes 6 Zero-Day Flaws

System administrators face a demanding October following Microsoft’s release of security updates addressing 172 vulnerabilities, including six classified as zero-day threats. Three of these zero-day flaws are already under active exploitation, demanding immediate attention from IT teams responsible for maintaining system integrity.

One critical issue, CVE-2025-59230, represents a local elevation of privilege vulnerability within the Windows Remote Access Connection Manager. Security experts emphasize that this flaw requires no user interaction, making it particularly dangerous. Adam Barnett, a lead software engineer at Rapid7, noted that this vulnerability will quickly become a standard component in attacker toolkits, despite limited public details about its exploitation methods.

Another actively exploited zero-day, CVE-2025-24990, involves an elevation of privilege vulnerability in the third-party Agere Modem driver (ltmdm64.sys) that ships with Windows. Microsoft took the unusual step of completely removing this driver rather than attempting to patch it. Ben McCarthy, a lead cybersecurity engineer at Immersive, explained that this driver originates from hardware designed in the late 1990s and early 2000s, predating modern secure development practices. Kernel-mode drivers operate with the highest system privileges, making them prime targets for attackers seeking to escalate access. The decision to remove rather than patch reflects the significant risks associated with modifying unsupported legacy code, where patch attempts might introduce system instability or fail to fully resolve security issues.

The third actively exploited zero-day, CVE-2025-47827, constitutes a secure boot bypass vulnerability affecting IGEL OS, a third-party operating system designed for virtual desktop infrastructure. Kev Breen, senior director of threat research at Immersive, indicated that a proof of concept for this vulnerability has been publicly available since May, simplifying exploitation efforts. While this attack typically requires physical access rather than remote execution, it enables threat actors to deploy kernel-level rootkits that can compromise virtual desktops and capture credentials. This makes the vulnerability particularly concerning for frequently traveling employees who might be targeted through “evil-maid” style attacks where physical device access is obtained.

Three additional zero-day vulnerabilities have been publicly disclosed though not yet exploited in active campaigns. CVE-2025-0033 represents a critical vulnerability in AMD EPYC processors utilizing Secure Encrypted Virtualization – Secure Nested Paging (SEV-SNP), for which no patch currently exists. CVE-2025-24052 involves another elevation of privilege bug in the Agere Modem driver, similar to the previously mentioned CVE-2025-24990. CVE-2025-2884 constitutes an out-of-bounds read vulnerability in TCG TPM2.0 that could lead to information disclosure or denial of service scenarios.

This security update cycle marks the final Patch Tuesday where Windows 10 users receive free updates. Moving forward, both consumer and business customers must enroll in Microsoft’s Extended Security Updates (ESU) program to continue receiving critical security patches, representing a significant shift in Microsoft’s support policy for the aging operating system.

(Source: InfoSecurity Magazine)