Microsoft’s October 2025 Patch Tuesday delivers updates for 175 vulnerabilities across Windows, Office, Azure, Exchange Server, Visual Studio, and more. This month’s release includes two zero-day vulnerabilities already under active exploitation, and several critical remote code execution flaws rated up to CVSS 9.9.
With Windows 10 reaching end-of-support this month, IT teams face an especially important update cycle. Many of October’s vulnerabilities affect core identity, update, and kernel components, making prompt patching essential for maintaining system integrity.
Microsoft Patch Breakdown
The October 2025 Patch Tuesday release resolves 175 Microsoft vulnerabilities and republishes 21 non-Microsoft CVEs. Updates span key components including Windows 10 and 11, Windows Server 2019 and 2022, Azure Entra ID, Exchange, Office, SQL Server, Hyper-V, and Microsoft Defender.
Among the patched issues, Elevation of Privilege (62) and Remote Code Execution (46) vulnerabilities make up the majority, together representing over 60% of this month’s total CVEs. Microsoft also released fixes for Information Disclosure, Denial of Service, and Security Feature Bypass flaws, with several updates improving defense-in-depth protections.
Two vulnerabilities are confirmed to be under active exploitation:
CVE-2025-24990 – Agere Windows Modem Driver (CVSS 7.8): Local privilege escalation observed in active attacks.
CVE-2025-59230 – Windows Remote Access Connection Manager (CVSS 7.8): Privilege escalation exploited in the wild.
In addition, multiple high-severity vulnerabilities are rated “Exploitation More Likely” and should be treated as near zero-day risks, including:
CVE-2025-59246 – Azure Entra ID (CVSS 9.8): Network-based RCE.
CVE-2025-59287 – Windows Server Update Service (CVSS 9.8): Remote Code Execution.
CVE-2025-59502 – Windows RPC Service (CVSS 7.5): Remote Code Execution.
CVE-2025-55680 – Windows Cloud Files Mini Filter Driver (CVSS 7.8): Local Elevation of Privilege.
CVE-2025-59194 – Windows Kernel (CVSS 7.0): Local Elevation of Privilege.
CVE-2025-59199 – Software Protection Platform (CVSS 7.8): Elevation of Privilege.
The highest-rated vulnerabilities this month reach CVSS 9.9, impacting ASP.NET Core and Microsoft Graphics Component, both capable of enabling remote code execution through crafted input payloads.
Notable Third-Party Updates
Microsoft’s October release also republishes 21 non-Microsoft CVEs, including updates from Google Chrome, AMD, MITRE, GitHub, and CERT/CC. These patches cover a mix of browser, graphics driver, and open-source library vulnerabilities that could be exploited in cross-platform or third-party software environments.
Administrators should verify that third-party and firmware update policies remain active, since many of these updates do not install automatically via Windows Update.
Additionally, Hotpatching for Windows Server Azure Edition has reached general availability, improving uptime for virtualized workloads that require frequent patching. Microsoft also recommends ensuring that the latest Servicing Stack Update (ADV990001) is applied before deploying October’s security updates.
Prioritization Guidance
Given the number of critical vulnerabilities this month, patching efforts should begin with systems that are either Internet-facing or that manage authentication, updates, and remote access. Microsoft highlights several vulnerabilities as either actively exploited or “Exploitation More Likely,” all of which warrant patching within 72 hours.
1. Patch Immediately (Zero-Day and Active Exploits)
CVE-2025-24990 – Agere Windows Modem Driver (CVSS 7.8): Local privilege escalation observed in active attacks.
CVE-2025-59230 – Windows Remote Access Connection Manager (CVSS 7.8): Privilege escalation exploited in the wild.
2. Patch Within 72 Hours (High Priority)
Focus on cloud, collaboration, and remote services exposed to external access:
CVE-2025-59246 – Azure Entra ID (CVSS 9.8): Network-based RCE affecting identity infrastructure.
CVE-2025-59287 – Windows Server Update Service (CVSS 9.8): RCE exploitable remotely; critical for WSUS administrators.
CVE-2025-59218 – Azure Entra ID (CVSS 9.6): Authentication bypass.
CVE-2025-59228 / CVE-2025-59237 – SharePoint (CVSS 8.8): RCE vulnerabilities that could be triggered through crafted content uploads.
CVE-2025-58718 – Remote Desktop Client (CVSS 8.8): RCE via session data.
CVE-2025-59249 – Exchange Server (CVSS 8.8): RCE risk via crafted email content.
3. Patch Within 1–2 Weeks (Medium Priority)
Includes CVSS 7.0–7.9 vulnerabilities that are not yet exploited. These primarily impact Office, BitLocker, and Windows Kernel components. Address these as part of the next scheduled maintenance cycle once critical updates are deployed.
4. Regular Cycle (Lower Priority)
Vulnerabilities below CVSS 7.0 and marked “Exploitation Unlikely” can follow normal monthly patching cadence. These present minimal immediate risk for most environments but still contribute to long-term hardening.
How Splashtop AEM Can Help
October’s release highlights a familiar problem for IT teams: the gap between vulnerability disclosure and deployment. With 175 CVEs and multiple RCEs in play, those still relying on manual patching face real exposure. Splashtop AEM helps teams close that gap through automation, visibility, and intelligent prioritization.
1. Faster, Smarter Patching
Splashtop AEM applies OS and third-party updates in real time, so you don’t have to wait for overnight syncs or manual approvals. Policies can trigger automatically based on an event, schedule, or severity, reducing the window from discovery to remediation from days to hours. This makes Splashtop AEM an ideal patch management solution for any IT team.
2. Bridging the Gaps in Intune
If you’re using Microsoft Intune, Splashtop AEM complements it perfectly. Splashtop AEM enhances Intune by delivering:
Real-time patching that bypasses Intune’s multi-hour refresh delay
Broader coverage for apps like Chrome, Zoom, and Adobe
CVE-based visibility to prioritize critical risks immediately
3. A Lighter, Modern Alternative to Legacy RMMs
For organizations running older RMM tools, Splashtop AEM provides a simpler, faster approach. The platform includes dashboards, scripting, and ring-based deployments without the heavy setup or maintenance overhead.
4. Visibility That Drives Action
With Splashtop AEM’s vulnerability insights dashboard, teams can see every endpoint’s patch status, ranked by CVE severity and exploit likelihood. This makes it easy to focus on urgent threats, like this month’s Azure Entra ID and WSUS vulnerabilities, while maintaining long-term compliance across all systems.
Try Splashtop AEM Free
Patch management doesn’t have to be slow or reactive. With Splashtop AEM, IT teams can patch vulnerabilities the moment they’re disclosed, automate updates across every endpoint, and keep critical systems secure without added complexity.
Stay ahead of next month’s Patch Tuesday. Start your free trial of Splashtop AEM today.
