
Introduction — what happened and why it matters
Microsoft’s October 2025 Patch Tuesday is one of the year’s largest. Depending on how vendors count (Microsoft-only vs. including non-Microsoft and Edge/Chromium items), the release addresses roughly 172 to 193 vulnerabilities and up to six zero-days, with at least two to three already exploited in the wild. Notably, this cycle coincides with the official end of support for Windows 10 on October 14, 2025, raising the stakes for any estates that haven’t migrated or enrolled in ESU.
In brief
- Total CVEs: reports vary between ~172 and ~193 (methodology differs).
- Zero-days: up to 6; several are actively exploited (notably in a legacy Agere modem driver).
- Highlighted components: Windows kernel & drivers (incl. ltmdm64.sys), NTFS, Cloud Files Mini Filter, NTLM, RDP/RDS, LSM, BitLocker, and more.
- Why urgency increased: Windows 10 EoS; unpatched Windows 10 devices will not receive fixes without ESU enrollment.
Context / history / connections
Patch Tuesday volume has seesawed in 2025, but October surpasses January’s record according to multiple industry trackers. The bigger story is operational: Windows 10 is now out of support for organizations not in ESU, creating a bifurcation where identical vulnerabilities are fixed on supported branches but persist on legacy endpoints—an exposure adversaries are quick to commoditize.
Technical analysis / details of the vulnerability set
Zero-days & high-signal items
- CVE-2025-24990 – Windows Agere Modem driver (ltmdm64.sys), Elevation of Privilege
  - Status: Exploited in the wild; Microsoft removed the vulnerable driver in the October cumulative update.
  - Impact: Local privilege escalation to admin/SYSTEM; legacy fax-modem hardware dependent on this driver will stop working post-patch.
- CVE-2025-24052 – Windows Agere Modem driver, Elevation of Privilege
  - Status: Publicly disclosed this month; related to the same legacy driver family.
- Additional zero-days (counts vary by source, some include Edge/Chromium and non-Microsoft CVEs). Several reports note 3 actively exploited issues overall this month.
Other notable Windows components touched
- File systems & storage: NTFS privilege escalations; Cloud Files Mini Filter info-leak/EoP.
- Auth & crypto: NTLM hardening and BitLocker security-feature bypass fixes.
- Remote stack: RDP/RDS security-feature bypass and related issues.
- Core services: Local Session Manager (LSM) and Device Association Broker EoP fixes among others surfaced by vendor roundups.
Why the numbers don’t match:
- Some vendors count Microsoft CVEs only; others add non-Microsoft issues released the same day.
- Some include Edge/Chromium items addressed between Patch Tuesdays.
- Publication cut-off times differ. Expect totals like 172 (BleepingComputer), 175+ (Talos), 167 (Tenable), or 193 (Qualys) in analyst posts.
Practical consequences / risks
- Privilege escalation chains: The Agere driver bugs are ideal for post-exploitation (e.g., after phishing or browser footholds) to move from user to SYSTEM—boosting ransomware deployment speed and EDR evasion.
- Legacy device fragility: Patching removes ltmdm64.sys; attached fax/modem hardware will cease to function, potentially breaking back-office workflows still relying on fax. Plan contingency.
- Windows 10 EoS exposure: Unpatched Windows 10 hosts become permanent soft targets absent ESU, especially where RDP or legacy protocols remain exposed.
Operational recommendations — what to do next
0–90 minutes (today)
- Prioritize deployment to: internet-exposed servers, VDI/RDS, domain controllers, and all laptop/privileged endpoints.
- Block/retire fax-modem usage; confirm removal of ltmdm64.sys after patching (inventory for “Agere/ltmdm64” artifacts).
- Mitigate privilege-escalation blast radius: ensure Credential Guard/LSA protections on supported SKUs; strip local admin where feasible.
24–72 hours
- Windows 10 strategy: either enroll in ESU or accelerate migration to Windows 11; isolate any stragglers via VLAN/firewall, remove RDP exposure, enforce AppLocker/WDAC.
- Verify BitLocker and NTLM hardening baselines align with new updates; review GPOs for changes noted this month.
- Threat-hunt for Agere exploitation: look for suspicious loads of ltmdm64.sys, unexpected fax service activity, or post-exploitation toolmarks paired with recent privilege jumps.
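The post-patch verification (confirming ltmdm64.sys is gone) and the driver-load hunt above can be combined in one host check. This is an added example, not part of the original advisory or any Microsoft tooling; it assumes the driver lived in the standard System32\drivers folder, that Sysmon is deployed with Event ID 6 (DriverLoad) enabled, and that matching modem friendly names on "Agere|LSI|ltmdm" is a reasonable inventory heuristic. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the original advisory): confirm the October 2025 update
# removed the Agere modem driver, and hunt for earlier loads of it via Sysmon.
# Assumptions: standard driver path, Sysmon Event ID 6 logging, and a name-based
# heuristic for Agere/LSI modem devices. Run elevated on PowerShell 5.1 or later.

$DriverName = 'ltmdm64.sys'
$DriverPath = Join-Path $env:SystemRoot "System32\drivers\$DriverName"
$Findings   = @()

# 1. Driver file still on disk? On a host that took the update it should be gone.
if (Test-Path -LiteralPath $DriverPath) {
    $sig = Get-AuthenticodeSignature -FilePath $DriverPath
    $Findings += "FILE PRESENT: $DriverPath (signer: $($sig.SignerCertificate.Subject))"
}

# 2. Kernel driver service still registered against it (running or merely installed)?
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -like "*$DriverName*" }
foreach ($s in $svc) {
    $Findings += "SERVICE: $($s.Name) state=$($s.State) start=$($s.StartMode)"
}

# 3. Agere/LSI modem device still enumerated (present or phantom)? Inventory artifact.
$dev = Get-PnpDevice -Class Modem -ErrorAction SilentlyContinue |
       Where-Object { $_.FriendlyName -match 'Agere|LSI|ltmdm' }
foreach ($d in $dev) {
    $Findings += "DEVICE: $($d.FriendlyName) status=$($d.Status) id=$($d.InstanceId)"
}

# 4. Hunt: Sysmon DriverLoad events (ID 6) naming the driver in the last 30 days.
#    A load on a host that never had a fax modem is the signal worth triaging.
try {
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = (Get-Date).AddDays(-30) }
    $loads  = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
              Where-Object { $_.Message -match 'ltmdm64\.sys' }
    foreach ($e in $loads) {
        $img = $e.Message -split "`r?`n" | Select-String '^ImageLoaded:' | Select-Object -First 1
        $Findings += "DRIVERLOAD: $($e.TimeCreated) $img"
    }
} catch {
    Write-Verbose "Sysmon log unavailable or no matching events: $($_.Exception.Message)"
}

if ($Findings.Count -eq 0) {
    Write-Output "OK: no $DriverName file, service, device, or recent load found on $env:COMPUTERNAME."
} else {
    Write-Output "REVIEW: $($Findings.Count) finding(s) on $env:COMPUTERNAME"
    $Findings | ForEach-Object { Write-Output "  $_" }
}
```

A FILE PRESENT or SERVICE finding after the update window usually means the cumulative update has not actually installed; a DRIVERLOAD finding on a host with no fax hardware is the one to escalate.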
Hardening & hygiene
- Remove legacy drivers/devices not required for business operations.
- Restrict driver installs to signed, approved vendors (Device Installation Restrictions).
- Patch orchestration: ring-based rollout with post-patch health checks for print, storage, and RDP stacks.
Differences / comparisons with other cases
Compared to typical Patch Tuesdays in 2025 (e.g., May: 78 CVEs), October’s release is significantly larger and features an unusual third-party driver embedded in Windows as a primary zero-day vector—reminiscent of past vulnerable kernel-mode drivers abused for EoP, but rarer now due to driver signing and HVCI.
Summary / key takeaways
- Patch now: This is a high-urgency cycle with active exploitation.
- Expect breakage if you still use legacy fax/modem hardware; plan alternatives.
- Decide Windows 10’s fate immediately: ESU or accelerate migration.
- Harden against EoP chains: reduce local admin, enable kernel protections, and monitor for driver abuse.
Sources / bibliography
- BleepingComputer — Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws (Oct 15, 2025).
- Cisco Talos — Microsoft Patch Tuesday for October 2025 — Snort rules and prominent vulnerabilities (Oct 14–15, 2025).
- Rapid7 — Patch Tuesday – October 2025 (Oct 14, 2025).
- Tenable Research — Microsoft’s October 2025 Patch Tuesday addresses 167 CVEs (Oct 14, 2025).
- Qualys Research — Microsoft & Adobe Patch Tuesday, October 2025 Security Update Review (Oct 15, 2025).

