Microsoft October 2025 Patch Tuesday – 4 Zero-days and 172 Vulnerabilities Patched
Microsoft rolled out its October 2025 Patch Tuesday updates, addressing a staggering 172 vulnerabilities across its ecosystem, including four zero-day flaws, of which two are actively exploited in the wild.
This monthly security bulletin underscores the relentless pace of threat evolution, with critical remote code execution bugs in Office apps and elevation of privilege issues in Windows components dominating the fixes.
As organizations grapple with end-of-support deadlines for legacy systems like Windows 10, timely patching remains essential to mitigate risks from state-sponsored actors and cybercriminals.
| Impact | Count |
| --- | --- |
| Elevation of Privilege | 80 |
| Remote Code Execution | 31 |
| Information Disclosure | 28 |
| Security Feature Bypass | 11 |
| Denial of Service | 11 |
| Spoofing | 10 |
| Tampering | 1 |
| Total | 172 |
The updates target a broad array of products, from core Windows operating systems to Azure cloud services and the Microsoft Office suite.
Among the highlights, Microsoft patched CVE-2025-59234 and CVE-2025-59236, both use-after-free vulnerabilities in Microsoft Office and Excel that enable remote code execution when users open malicious files.
These flaws, rated critical with CVSS scores around 7.8, require no authentication beyond a user opening a crafted document and could allow attackers to gain full system control, potentially leading to data theft or ransomware deployment.
Similarly, CVE-2025-49708, a use-after-free in the Microsoft Graphics Component, lets an authorized attacker elevate privileges over a network, turning memory corruption into a bypass of the security boundary between accounts.
Critical Vulnerabilities Patched
Several critical entries demand immediate attention due to their potential for widespread exploitation.
For instance, CVE-2025-59291 and CVE-2025-59292 involve external control of file paths in Azure Container Instances and Compute Gallery, allowing authorized attackers to escalate privileges locally and potentially compromise cloud workloads.
These elevation of privilege bugs, also critical, highlight ongoing risks in hybrid environments where misconfigurations amplify impact.
Another vulnerability is CVE-2016-9535, a long-standing LibTIFF heap buffer overflow re-addressed in this cycle, which could trigger remote code execution in image-processing scenarios, affecting legacy apps still in use.
The zero-days add urgency. CVE-2025-2884, an out-of-bounds read in the TCG TPM2.0 reference implementation, stems from the CryptHmacSign helper failing to validate that the requested signature scheme matches the signing key's algorithm, leading to information disclosure. Publicly disclosed via CERT/CC, it affects trusted platform modules integral to secure boot processes.
Meanwhile, CVE-2025-47827 enables a Secure Boot bypass in IGEL OS versions before 11: the igel-flash-driver module improperly verifies a cryptographic signature, so a crafted root filesystem can be mounted from an unverified SquashFS image, a vector for persistent malware.
CVE-2025-59230, another exploited flaw, is an improper access control issue in Windows Remote Access Connection Manager that allows local privilege escalation.
Microsoft reports no public exploitation for most of the remaining flaws, but the active abuse of the two exploited bugs by threat actors, including nation-state groups, warrants rapid deployment.
Deserialization issues in Windows Server Update Service (CVE-2025-59287) further elevate concerns, permitting unauthenticated remote code execution over networks, a prime target for supply-chain attacks.
In total, the bulletin includes 11 critical remote code executions and elevations, with many tied to memory safety errors like use-after-free and buffer overflows prevalent in older codebases.
Azure-specific fixes, such as those in CVE-2025-59285 for the Monitor Agent, address deserialization risks that could expose monitoring data to tampering.
Other Important Vulnerabilities Patched
Beyond criticals, 150+ important vulnerabilities cover elevation of privilege (over 60), information disclosure (around 30), and denial-of-service flaws.
Repeated patterns emerge in Windows PrintWorkflowUserSvc (CVE-2025-55684 through CVE-2025-55691), where use-after-free bugs allow local attackers to gain higher privileges during print operations, a common vector in enterprise printing environments.
Windows Kernel vulnerabilities like CVE-2025-55693 and CVE-2025-59187 involve use-after-free and improper input validation bugs that could leak kernel memory or enable ring-0 access.
Spoofing risks appear in CVE-2025-59239 for File Explorer and CVE-2025-59248 for Exchange Server, where flawed validation could trick users into executing malicious actions or bypassing authentication.
BitLocker’s CVE-2025-55682 exposes a security feature bypass via physical attacks, underscoring hardware-software interplay vulnerabilities.
For cloud users, Azure Arc and Connected Machine Agent fixes (CVE-2025-58724) mitigate local escalations from access control lapses. Denial-of-service bugs, such as CVE-2025-55698 in DirectX and CVE-2025-58729 in Local Session Manager, could disrupt services through null pointer dereferences or improperly validated inputs.
| CVE ID | Vulnerability Details | Type | Severity |
| --- | --- | --- | --- |
| CVE-2016-9535 | tif_predict.h and tif_predict.c in libtiff 4.0.6 have assertions that can lead to assertion failures in debug mode, or buffer overflows in release mode, when dealing with unusual tile sizes like YCbCr with subsampling. Reported as MSVR 35105, aka "Predictor heap-buffer-overflow." | Remote Code Execution | Critical |
| CVE-2025-2884 | The CryptHmacSign helper function in the TCG TPM2.0 reference implementation is vulnerable to an out-of-bounds read because it does not validate the signature scheme against the signature key's algorithm. | Information Disclosure | Important |
| CVE-2025-47827 | In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature. Ultimately, a crafted root filesystem can be mounted from an unverified SquashFS image. | Security Feature Bypass | Important |
| CVE-2025-49708 | Use-after-free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege | Critical |
| CVE-2025-55680 | Time-of-check time-of-use (TOCTOU) race condition in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55682 | Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack. | Security Feature Bypass | Important |
| CVE-2025-55683 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-55684 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55688 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55690 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55691 | Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55692 | Improper input validation in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55693 | Use-after-free in Windows Kernel allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55694 | Improper access control in Windows Error Reporting allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55695 | Out-of-bounds read in Windows WLAN Auto Config Service allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-55696 | Time-of-check time-of-use (TOCTOU) race condition in the NtQueryInformationToken function (ntifs.h) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55697 | Heap-based buffer overflow in Azure Local allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-55698 | Null pointer dereference in Windows DirectX allows an authorized attacker to deny service over a network. | Denial of Service | Important |
| CVE-2025-55699 | Exposure of sensitive information to an unauthorized actor in Windows Kernel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-58714 | Improper access control in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58718 | Use-after-free in Remote Desktop Client allows an unauthorized attacker to execute code over a network. | Remote Code Execution | Important |
| CVE-2025-58720 | Use of a cryptographic primitive with a risky implementation in Windows Cryptographic Services allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-58724 | Improper access control in Azure Connected Machine Agent allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58725 | Heap-based buffer overflow in Windows COM allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58726 | Improper access control in Windows SMB Server allows an authorized attacker to elevate privileges over a network. | Elevation of Privilege | Important |
| CVE-2025-58727 | Concurrent execution using a shared resource with improper synchronization ("race condition") in Windows Connected Devices Platform Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-58729 | Improper validation of specified type of input in Windows Local Session Manager (LSM) allows an authorized attacker to deny service over a network. | Denial of Service | Important |
| CVE-2025-58730 | Use-after-free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58731 | Use-after-free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58733 | Use-after-free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58734 | Use-after-free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58736 | Use-after-free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58737 | Use-after-free in Windows Remote Desktop allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58738 | Use-after-free in Inbox COM Objects allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-58739 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59184 | Exposure of sensitive information to an unauthorized actor in Windows High Availability Services allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59187 | Improper input validation in Windows Kernel allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59188 | Exposure of sensitive information to an unauthorized actor in Windows Failover Cluster allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59189 | Use-after-free in Microsoft Brokering File System allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59190 | Improper input validation in Microsoft Windows Search Component allows an unauthorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59191 | Heap-based buffer overflow in Connected Devices Platform Service (Cdpsvc) allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59192 | Buffer over-read in Storport.sys Driver allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59193 | Concurrent execution using a shared resource with improper synchronization ("race condition") in Windows Management Services allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59194 | Use of uninitialized resource in Windows Kernel allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59197 | Insertion of sensitive information into log file in Windows ETL Channel allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59198 | Improper input validation in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59203 | Insertion of sensitive information into log file in Windows StateRepository API allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59205 | Concurrent execution using a shared resource with improper synchronization ("race condition") in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59208 | Out-of-bounds read in Windows MapUrlToZone allows an unauthorized attacker to disclose information over a network. | Information Disclosure | Important |
| CVE-2025-59209 | Exposure of sensitive information to an unauthorized actor in Windows Push Notification Core allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59210 | Elevation of privilege in Windows Resilient File System (ReFS) Deduplication Service. | Elevation of Privilege | Important |
| CVE-2025-59213 | Improper neutralization of special elements used in an SQL command ("SQL injection") in Microsoft Configuration Manager allows an unauthorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59214 | Exposure of sensitive information to an unauthorized actor in Windows File Explorer allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59221 | Use-after-free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59222 | Use-after-free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59223 | Use-after-free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59224 | Use-after-free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59225 | Use-after-free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59226 | Use-after-free in Microsoft Office Visio allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59227 | Use-after-free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59229 | Uncaught exception in Microsoft Office allows an unauthorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59230 | Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59232 | Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59234 | Use-after-free in Microsoft Office allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59236 | Use-after-free in Microsoft Office Excel allows an unauthorized attacker to execute code locally. | Remote Code Execution | Critical |
| CVE-2025-59238 | Use-after-free in Microsoft Office PowerPoint allows an unauthorized attacker to execute code locally. | Remote Code Execution | Important |
| CVE-2025-59241 | Improper link resolution before file access ("link following") in Windows Health and Optimized Experiences Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59244 | External control of file name or path in Windows Core Shell allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59248 | Improper input validation in Microsoft Exchange Server allows an unauthorized attacker to perform spoofing over a network. | Spoofing | Important |
| CVE-2025-59253 | Improper access control in Microsoft Windows Search Component allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59260 | Exposure of sensitive information to an unauthorized actor in Microsoft Failover Cluster Virtual Driver allows an authorized attacker to disclose information locally. | Information Disclosure | Important |
| CVE-2025-59261 | Time-of-check time-of-use (TOCTOU) race condition in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59275 | Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59278 | Improper validation of specified type of input in Windows Authentication Methods allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59285 | Deserialization of untrusted data in Azure Monitor Agent allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59287 | Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. | Remote Code Execution | Critical |
| CVE-2025-59288 | Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network. | Spoofing | Moderate |
| CVE-2025-59289 | Double free in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Important |
| CVE-2025-59291 | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Critical |
| CVE-2025-59292 | External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally. | Elevation of Privilege | Critical |
| CVE-2025-59497 | Time-of-check time-of-use (TOCTOU) race condition in Microsoft Defender for Linux allows an authorized attacker to deny service locally. | Denial of Service | Important |
| CVE-2025-59502 | Uncontrolled resource consumption in Windows Remote Procedure Call allows an unauthorized attacker to deny service over a network. | Denial of Service | Moderate |
This Patch Tuesday coincides with Windows 10’s end-of-support on October 14, 2025, amplifying the stakes for unpatched legacy deployments.
Microsoft urges enabling automatic updates via Windows Update or WSUS, prioritizing criticals like Office RCEs first. For enterprises, vulnerability management tools can scan for affected versions, such as Office 2016-2021 or Windows 10/11 builds pre-KB503 something.
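The prioritisation the paragraph above describes (exploited zero-days first, then publicly disclosed flaws, then criticals such as the Office RCEs, with network-reachable and unauthenticated bugs ahead of local ones) can be automated over the advisory table. The script below is an added example written for this page, not Microsoft's tooling: it parses the one-sentence description format the table uses ("... allows an (un)authorized attacker to ... locally / over a network / over an adjacent network / with a physical attack") to recover the attack vector and authentication requirement, then ranks a constructed subset of this month's rows. The weights are an assumption chosen for illustration, and the exploited/disclosed flags reflect only what the article states (CVE-2025-59230 exploited; CVE-2025-2884 and CVE-2025-47827 publicly disclosed).

```python
import re
from dataclasses import dataclass

# Illustrative weights (assumption, not a Microsoft or CVSS scale).
SEVERITY_WEIGHT = {"Critical": 300, "Important": 100, "Moderate": 30, "Low": 10}
IMPACT_WEIGHT = {
    "Remote Code Execution": 60, "Elevation of Privilege": 50,
    "Security Feature Bypass": 40, "Information Disclosure": 20,
    "Spoofing": 15, "Denial of Service": 10, "Tampering": 10,
}
VECTOR_WEIGHT = {"network": 30, "adjacent": 15, "local": 5, "physical": 2, "unknown": 0}

# Grammar of the standard advisory sentence used in the table above.
_DESC_RE = re.compile(
    r"allows an (?P<auth>authorized|unauthorized) attacker to .+? "
    r"(?P<vector>locally|over a network|over an adjacent network|with a physical attack)\.?\s*$",
    re.IGNORECASE,
)
_VECTOR_NAMES = {
    "locally": "local", "over a network": "network",
    "over an adjacent network": "adjacent", "with a physical attack": "physical",
}


def parse_description(text):
    """Return (requires_auth, vector). Descriptions that do not follow the
    standard sentence (e.g. third-party CVEs) yield (None, 'unknown')."""
    m = _DESC_RE.search(text)
    if not m:
        return None, "unknown"
    requires_auth = m.group("auth").lower() == "authorized"
    return requires_auth, _VECTOR_NAMES[m.group("vector").lower()]


@dataclass(frozen=True)
class Advisory:
    cve: str
    description: str
    impact: str
    severity: str
    exploited: bool = False   # actively exploited in the wild
    disclosed: bool = False   # publicly disclosed before the patch


def score(adv):
    """Higher score = patch sooner. Exploitation and disclosure dominate severity."""
    requires_auth, vector = parse_description(adv.description)
    s = 1000 if adv.exploited else 0
    s += 500 if adv.disclosed else 0
    s += SEVERITY_WEIGHT.get(adv.severity, 0)
    s += IMPACT_WEIGHT.get(adv.impact, 0)
    s += VECTOR_WEIGHT[vector]
    if requires_auth is False:        # no credentials needed at all
        s += 20
    return s


def triage(advisories):
    """Stable ranking: by descending score, then CVE id for deterministic ties."""
    return sorted(advisories, key=lambda a: (-score(a), a.cve))


# Constructed subset of the October 2025 rows (descriptions as in the table above).
ROWS = [
    Advisory("CVE-2025-59230", "Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally.", "Elevation of Privilege", "Important", exploited=True),
    Advisory("CVE-2025-2884", "Out-of-bounds read in the TCG TPM2.0 reference implementation's CryptHmacSign helper function.", "Information Disclosure", "Important", disclosed=True),
    Advisory("CVE-2025-47827", "In IGEL OS before 11, Secure Boot can be bypassed because the igel-flash-driver module improperly verifies a cryptographic signature.", "Security Feature Bypass", "Important", disclosed=True),
    Advisory("CVE-2025-59287", "Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.", "Remote Code Execution", "Critical"),
    Advisory("CVE-2025-59234", "Use after free in Microsoft Office allows an unauthorized attacker to execute code locally.", "Remote Code Execution", "Critical"),
    Advisory("CVE-2025-59236", "Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.", "Remote Code Execution", "Critical"),
    Advisory("CVE-2025-49708", "Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.", "Elevation of Privilege", "Critical"),
    Advisory("CVE-2025-59291", "External control of file name or path in Confidential Azure Container Instances allows an authorized attacker to elevate privileges locally.", "Elevation of Privilege", "Critical"),
    Advisory("CVE-2025-55682", "Improper enforcement of behavioral workflow in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.", "Security Feature Bypass", "Important"),
    Advisory("CVE-2025-55684", "Use-after-free in Windows PrintWorkflowUserSvc allows an authorized attacker to elevate privileges locally.", "Elevation of Privilege", "Important"),
    Advisory("CVE-2025-59502", "Uncontrolled resource consumption in Windows Remote Procedure Call allows an unauthorized attacker to deny service over a network.", "Denial of Service", "Moderate"),
    Advisory("CVE-2025-59288", "Improper verification of cryptographic signature in GitHub allows an unauthorized attacker to perform spoofing over an adjacent network.", "Spoofing", "Moderate"),
]

if __name__ == "__main__":
    for adv in triage(ROWS):
        auth, vec = parse_description(adv.description)
        print(f"{score(adv):5d}  {adv.cve:15s} {adv.severity:9s} {adv.impact:24s} vector={vec} auth={auth}")
```

The fallback to `(None, "unknown")` matters in practice: third-party entries such as the TPM and IGEL rows do not follow Microsoft's sentence template, so the vector cannot be inferred and must be filled from the advisory itself rather than silently treated as local.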
No proof-of-concept code is publicly available for most, but indicators of compromise include anomalous Office crashes or Azure log anomalies. Experts recommend segmenting networks and monitoring for exploitation attempts post-patch.
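The "anomalous Office crashes" indicator above can be turned into a simple post-patch detection: repeated Application Error events (Windows Event ID 1000) for Office processes on one host within a short window are worth a look, because a failed or partially successful exploitation of a document-parsing bug typically surfaces as a crash. The script below is an added example for this page, not a Microsoft or vendor detection; it runs over constructed log lines in a key=value form that a log forwarder might emit (the field names and the 10-minute/2-crash threshold are assumptions) and reports bursts per host.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Office binaries whose crashes are interesting after a Patch Tuesday with Office RCEs.
OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE", "VISIO.EXE", "OUTLOOK.EXE"}

# Constructed line format (assumption): ISO timestamp, host, Windows event id, source, faulting app.
_LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) '
    r'Source="(?P<src>[^"]+)" App=(?P<app>\S+)$'
)

# Constructed sample log: three Office crashes on WS-041 within ~1 minute,
# a single Excel crash on WS-017, a WER follow-up event (1001) and a non-Office crash.
SAMPLE_LOG = """\
2025-10-15T09:12:03Z host=WS-041 EventID=1000 Source="Application Error" App=WINWORD.EXE
2025-10-15T09:12:41Z host=WS-041 EventID=1000 Source="Application Error" App=WINWORD.EXE
2025-10-15T09:13:10Z host=WS-041 EventID=1000 Source="Application Error" App=EXCEL.EXE
2025-10-15T09:40:00Z host=WS-017 EventID=1000 Source="Application Error" App=EXCEL.EXE
2025-10-15T10:02:55Z host=WS-041 EventID=1001 Source="Windows Error Reporting" App=WINWORD.EXE
2025-10-15T11:30:00Z host=WS-017 EventID=1000 Source="Application Error" App=notepad.exe
"""


def parse_event(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "host": m.group("host"),
        "event_id": int(m.group("eid")),
        "source": m.group("src"),
        "app": m.group("app").upper(),
    }


def is_office_crash(ev):
    """Event ID 1000 from the Application Error source for an Office process."""
    return ev["event_id"] == 1000 and ev["source"] == "Application Error" and ev["app"] in OFFICE_APPS


def detect_office_crash_bursts(lines, window=timedelta(minutes=10), threshold=2):
    """Return one alert per host whose Office crash count within any `window`
    reaches `threshold`. Uses a sliding window over time-sorted crash events."""
    crashes = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev and is_office_crash(ev):
            crashes[ev["host"]].append(ev)

    alerts = []
    for host, events in crashes.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start until it covers at most `window` of time.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {
                    "host": host,
                    "count": count,
                    "first": events[start]["ts"],
                    "last": events[end]["ts"],
                    "apps": sorted({e["app"] for e in events[start:end + 1]}),
                }
        if best:
            alerts.append(best)
    return sorted(alerts, key=lambda a: a["host"])


if __name__ == "__main__":
    for alert in detect_office_crash_bursts(SAMPLE_LOG.splitlines()):
        print(f"{alert['host']}: {alert['count']} Office crashes between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S} ({', '.join(alert['apps'])})")
```

A single crash per host is noise on any fleet; the sliding window is what separates a user hitting a bad file once from a host being repeatedly fed malformed documents, and the alert carries the affected applications so the responder can pull the matching Office documents from that time range.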