Microsoft Fixes 3 Actively Exploited Zero-Day Vulnerabilities

Microsoft has urgently addressed three actively exploited zero-day vulnerabilities among over 175 security flaws patched in its October 2025 Patch Tuesday release. These critical weaknesses, identified as CVE-2025-24990, CVE-2025-59230, and CVE-2025-47827, are already being leveraged by attackers in real-world campaigns, making immediate patching essential for all affected systems.

The trio of exploited vulnerabilities presents an unusual combination of security risks. CVE-2025-24990 exists within a third-party driver (ltmdm64.sys) for the Agere Modem, software traditionally used for dial-up internet and fax transmission. This vulnerable driver previously came pre-installed on all Windows systems, enabling attackers to obtain administrator privileges even when the modem hardware remains unused. Security researcher Fabian Mosch suggested the flaw might have been utilized for evading endpoint detection and response systems.

Dustin Childs, who leads threat awareness at Trend Micro’s Zero Day Initiative, emphasized the widespread nature of this threat. “Given that the vulnerable files exist on every Windows installation, organizations should consider this a broad attack and implement updates promptly,” he recommended. Microsoft has completely removed the problematic driver through the October cumulative update, though this action permanently disables fax modem functionality dependent on that specific driver. Another privilege escalation vulnerability in the same driver, CVE-2025-24052, has been simultaneously resolved through this removal, though it wasn’t actively exploited.

CVE-2025-59230 represents an elevation of privilege vulnerability impacting Windows Remote Access Connection Manager, commonly known as RasMan. This service handles both dial-up and VPN connections across all supported Windows and Windows Server versions. According to Satnam Narang, a senior staff research engineer at Tenable, “While RasMan has appeared in more than twenty Patch Tuesday updates since January 2022, this marks the first instance where it’s been exploited in the wild as a zero-day vulnerability.” The flaw permits attackers to escalate their privileges to SYSTEM level, effectively granting them complete control over compromised machines.

The third actively exploited zero-day, CVE-2025-47827, affects IGEL OS versions prior to 11, allowing threat actors to bypass Secure Boot protections. IGEL OS typically repurposes Windows computers as securely managed thin clients for virtual desktop environments, kiosks, and specialized devices frequently deployed in healthcare, education, and retail settings. Kev Breen, Immersive’s senior director of threat research, explained the serious implications: “A Secure Boot bypass can enable significant damage, as attackers might deploy kernel-level rootkits to access the IGEL OS itself and subsequently compromise virtual desktops, including credential theft.” He noted that physical access typically becomes necessary for exploitation, making “evil-maid” attacks the most probable vector targeting frequently traveling employees.

Beyond the zero-days, several other vulnerabilities demand prompt attention. Childs highlighted CVE-2025-59287 as particularly concerning for Windows Server Update Service users. “This represents a wormable vulnerability between affected WSUS servers,” he warned. “Given WSUS’s critical role in organizational infrastructure, it presents an attractive target for malicious actors.” Breen added that because WSUS operates as a trusted Windows service, attackers might evade some endpoint detection systems that automatically exclude it from scrutiny.

Narang pointed Office users toward CVE-2025-59227 and CVE-2025-59234, two remote code execution vulnerabilities that exploit the Preview Pane feature. The concerning aspect involves exploitation occurring without users needing to open malicious files. Additionally, CVE-2025-55315 presents a critical Security Feature Bypass in ASP.NET Core, earning a 9.9 CVSS score despite Microsoft assessing its exploitation as less probable. Ben McCarthy, lead cybersecurity engineer at Immersive, justified the high rating: “Attackers can exploit this with remarkable ease, and considering its likely presence in numerous externally-facing ASP.NET applications, the severity rating appears warranted.” He recommended organizations test their code compatibility with newer ASP.NET versions before proceeding with upgrades.

This month also brings significant end-of-support milestones. Microsoft concludes support for Windows 10 alongside Office 2016 and 2019, plus Exchange Server 2016 and 2019. Office users can transition to Office 2024, subscribe to Microsoft 365, or consider alternatives like LibreOffice or WPS Office. Exchange users face choices between migrating to cloud-based Exchange, upgrading to Exchange Server Subscription Edition for maintained data control, or switching to completely different mail platforms. Windows 10 users and enterprises have multiple paths forward: enrolling in the Extended Security Updates program (with European users receiving more favorable terms), upgrading to Windows 11, remaining on Windows 10 with micropatching solutions, or transitioning to alternative operating systems entirely.

Organizations should prioritize deploying these critical patches while evaluating their upgrade strategies for soon-to-be-unsupported software. The combination of actively exploited vulnerabilities and approaching end-of-support deadlines creates a particularly urgent security landscape requiring immediate attention from IT teams worldwide.

(Source: HelpNet Security)