October Patch Tuesday beats January ’25 record

Microsoft on Tuesday announced 170 patches affecting 21 product families. Eight of the addressed issues are considered by Microsoft to be of Critical severity, and 18 have a CVSS base score of 8.0 or higher. Three are known to be under active exploit in the wild, and two others have been publicly disclosed.

At patch time, 12 CVEs are judged more likely to be exploited in the next 30 days by the company’s estimation, in addition to the two already detected to be so. Various of this month’s issues are amenable to direct detection by Sophos protections, and we include information on those in a table below.

In addition to the record-breaking patch count (surpassing the total of 159 set in January), there is a substantial set of advisory-only items in this month’s offering. For Edge, there are 14 patches released last week for Chrome that affect Microsoft’s browser. Two more CVEs are submitted by MITRE, including one item (MITRE CVE-2025-54957: Integer overflow in Dolby Digital Plus audio decoder) known to be under exploit in the wild. The Unity Gaming Engine Editor bug that has upended gamers around the world (CVE-2025-59489) touches 30 Microsoft games — though not Xbox consoles, Xbox Cloud Gaming, iOS, or the HoloLens.

Continuing the list of advisories, a Github-reported bug in Mermaid Diagram Tool affecting Visual Studio (CVE-2025-54132) could potentially be triggered either by a malicious attacker or an AI hallucination. Finally, eight CVEs affecting Azure, Entra, or various flavors of Copilot – all Critical-severity issues involved either elevation of privilege or spoofing – are announced as already patched, though little information about them was made available. We have included titles and CVEs for all of the advisory items in Appendix D.

We are as always including at the end of this post additional appendices listing all Microsoft’s patches sorted by severity, by predicted exploitability timeline and CVSS Base score, and by product family. Appendix E provides a breakout of the patches affecting the various Windows Server platforms still in support. This month, we also include a roundup of patches affecting the products leaving support this month, including Windows 10, Office 2016 and 2019, Exchange Server 2016 and 2019, and Visio 2016 and 2019. That information can be found in Appendix F.

By the numbers

• Total CVEs: 170
• Publicly disclosed: 2
• Exploit detected: 3
• Severity
  • Critical: 8
  • Important: 161
  • Moderate: 1
• Impact
  • Denial of Service: 11
  • Elevation of Privilege: 79
  • Information Disclosure: 26
  • Remote Code Execution: 31
  • Security Feature Bypass: 11
  • Spoofing: 11
  • Tampering: 1
• CVSS Base score 9.0 or higher: 3
• CVSS Base score 8.0 or greater: 15

Figure 1: The sheer volume of the October release is remarkable, but there are just six Critical-severity issues – four Remote Code Execution, two Elevation of Privilege

Products

• Windows: 132
• 365: 16
• Office: 16
• Excel: 7
• Azure: 6
• SharePoint: 6
• Exchange: 3
• Configuration Manager: 2
• .NET: 2
• Word: 2
• Access: 1
• ASP.NET: 1
• Defender for Linux: 1
• Dynamics 365: 1
• microsoft/playwright: 1
• PowerPoint: 1
• PowerShell: 1
• SQL: 1
• Visio: 1
• Visual Studio: 1
• Xbox Gaming System: 1

As is our custom for this list, CVEs that apply to more than one product family are counted once for each family they affect. We note, by the way, that CVE names don’t always reflect affected product families closely. In particular, some CVEs names in the Office family may mention products that don’t appear in the list of products affected by the CVE, and vice versa.

Figure 2: If only Windows CVEs were being released this month and nothing else, it would still be the fourth-largest Patch Tuesday in modern history

Notable October updates

In addition to the issues discussed above, a variety of specific items merit attention.

CVE-2025-24052 — Windows Agere Modem Driver Elevation of Privilege Vulnerability
CVE-2025-24990 — Windows Agere Modem Driver Elevation of Privilege Vulnerability
CVE-2025-47979 — Microsoft Failover Cluster Information Disclosure Vulnerability
CVE-2025-53717 — Windows Virtualization-Based Security (VBS) Enclave Elevation of Privilege Vulnerability

This quartet of Important-severity issues all require a bit of extra effort from administrators, and they reward (?) those who diligently keep their systems up to date year after year. The two modem-driver issues – one is already under active exploit, and the other has been publicly disclosed – affect only the specific Agere Modem driver (ltmdm64.sys), which ships natively in Windows, but the issue itself can be exploited via this vulnerability, even if your systems don’t use that soft-modem driver at all. Microsoft is deleting that driver from all versions of Windows as of this month’s updates, putting a quiet, strange end to tech that was cutting-edge (complete with a high-profile patent lawsuit) a generation ago. Meanwhile, Microsoft’s guidance on the Failover Cluster issue indicates that just patching might not be enough; just in case any sensitive information remains residual in system logs, the company advises administrators change their passwords. Finally, patching the VBS issue necessitated changes to various Virtual Secure Mode components; if you previously deployed the relevant policy a number of months ago, Microsoft has guidance for redeploying using the new policy.

CVE-2025-55340 – Windows Remote Desktop Protocol Security Feature Bypass
CVE-2025-59294 — Windows Taskbar Live Preview Information Disclosure Vulnerability

In a month in which the sheer volume of patches is nearly overwhelming, it can be refreshing to look into issues that hint at great ingenuity to find, replicate, and patch. The Important-severity RDP bug could have been far worse, except for the acrobatics necessary to trigger it: 1) The attacker must have access to a user’s machine; 2) the user must initiate an RDP session, and 3) the attack must be carried out within a certain amount of time from the initiation of the RDP session. Meanwhile, in CVE-2025-39294, exploiting the Important-severity Taskbar Live bug would require an attacker to 1) physically get their hands on a machine after its user has 2) hovered over a taskbar preview and then 3) immediately locked the screen or put the device to sleep. Not a bug that’s likely to see widespread abuse, and its CVSS Base score of 2.1 (!) reflects that, but it’s fascinating to think that it was discovered, re-created by the finders and again in Microsoft’s testing facilities, and ultimately fixed.

CVE-2025-53139 — Windows Hello Security Feature Bypass Vulnerability

There’s not a lot of information available on this Important-severity security feature bypass issue in Microsoft biometric authentication tool, but the note that the problem involves “cleartext transmission of sensitive information” by the tool is enough to inspire priority patching… and perhaps a fresh appreciation of something-you-know authentication options.

CVE-2025-58726 — Windows SMB Server Elevation of Privilege Vulnerability

If receiving over fourteen dozen patches in October has you feeling more tricked than treated, perhaps a Halloween ghost story is in order? This Important-severity elevation of privilege issue in SMB Server requires than an SPN (Service Principal Name) that is registered to an account that no longer exists, or is not in use, be available on the target machine. It’s even spookier when you remember that SPNs are of course used in Kerberos authentication… Kerberos, named for the three-headed canine guardian of the underworld. And if that’s not scary enough for you, three of this month’s other patches (CVE-2025-58379, CVE-2025-59208, CVE-2025-59295) invoke Internet Explorer, surely one of Microsoft’s most persistent poltergeists. Boo!

Figure 3: Microsoft has released patches for 1,023 CVEs in the course of the year’s ten Patch Tuesdays so far. Meanwhile, this is Tampering’s fourth appearance in the 2025 tallies

Sophos protections

As you can every month, if you don’t want to wait for your system to pull down Microsoft’s updates itself, you can download them manually from the Windows Update Catalog website. Run the winver.exe tool to determine which build of Windows you’re running, then download the Cumulative Update package for your specific system’s architecture and build number.

Appendix A: Vulnerability Impact and Severity

This is a list of October patches sorted by impact, then sub-sorted by severity. Each list is further arranged by CVE.

Elevation of Privilege (79 CVEs)

Remote Code Execution (31 CVEs)

Information Disclosure (26 CVEs)

Denial of Service (11 CVEs)

Security Feature Bypass (11 CVEs)

Spoofing (11 CVEs)

Tampering (1 CVE)

Appendix B: Exploitability and CVSS

This is a list of the October CVEs judged by Microsoft to be more likely to be exploited in the wild within the first 30 days post-release. The list is arranged by CVE.

The CVEs listed below were known to be under active exploit prior to the release of this month’s patches.

These are the October CVEs with a Microsoft-assessed CVSS Base score of 8.0 or higher. They are arranged by score and further sorted by CVE. For more information on how CVSS works, please see our series on patch prioritization schema.

Appendix C: Products Affected

This is a list of October’s patches sorted by product family, then sub-sorted by severity. Each list is further arranged by CVE. Patches that are shared among multiple product families are listed multiple times, once for each product family. Certain significant issues for which advisories have been issued are covered in Appendix D, and issues affecting Windows Server are further sorted in Appendix E. All CVE titles are accurate as made available by Microsoft; for further information on why certain products may appear in titles and not product families (or vice versa), please consult Microsoft.

Windows (132 CVEs)

365 (16 CVEs)

Office (16 CVEs)

Excel (7 CVEs)

Azure (6 CVEs)

SharePoint (6 CVEs)

Exchange (3 CVEs)

Configuration Manager (2 CVEs)

.NET (2 CVEs)

Visual Studio (2 CVEs)

Word (2 CVEs)

Access (1 CVE)

ASP.NET (1 CVE)

Defender for Linux (1 CVE)

Dynamics 365 (1 CVE)

microsoft/playwright (1 CVE)

PowerPoint (1 CVE)

PowerShell (1 CVE)

SQL (1 CVE)

Visio (1 CVE)

Xbox (1 CVE)

Appendix D: Advisories and Other Products

There are 14 Edge-related advisories in October’s release, all of which originated with Chrome.

This month also includes the periodic Servicing Stack Updates, ADV990001.

Three issues in this month’s release were brought to Microsoft’s attention by external entities and merit advisory information. The Dolby issue is known to be under active exploit in the wild.

Finally, Microsoft announced that eight more Critical-severity issues, affecting Azure, Entra, and Copilot, were patched prior to the Tuesday release:

Appendix E: Affected Windows Server versions

This is a table of the 129 CVEs in the October release affecting Windows Server versions 2008 through 2025. The table differentiates among major versions of the platform but doesn’t go into deeper detail (eg., Server Core). Critical-severity issues are marked in red; an “x” indicates that the CVE does not apply to that version. Administrators are encouraged to use this appendix as a starting point to ascertain their specific exposure, as each reader’s situation, especially as it concerns products out of mainstream support, will vary. For specific Knowledge Base numbers, please consult Microsoft.

For October, we have included in the chart the Windows Server information for CVE-2025-55248, which is a .NET / Visual Studio patch. The issue affects various versions of the .NET Framework, which in turn involves specific versions of Windows Server. We have marked this specific row in green. We encourage anyone who believes they are directly affected by this patch to consult Microsoft’s information on the CVE to determine specific exposure. (We did not count this CVE in the October total for Windows.)

Appendix F: Patches for products ending support in October 2025

The following tables list CVEs affecting products for which Microsoft is concluding support this month. Red indicates a Critical-severity issue.

Officially, this means that those products will no longer receive security updates, non-security updates, bug fixes, or technical support. History shows us that sometimes an issue is so significant as to cause a patch to be released for an end-of-life product, but by no means should users count on that happening with these products.

As a reminder, the specific versions of Windows 10 for which support is being withdrawn this month are:

• Windows 10 Enterprise & Education
• Windows 10 Enterprise LTSB 2015
• Windows 10 Home & Pro
• Windows 10 IoT Enterprise
• Windows 10 Team (Surface Hub)

For more information on the graduating class of October 2025, please see Microsoft’s information page.

For Windows 10, 96 farewell patches. The CVE noted in green is CVE-2025-55248, as explained in Appendix E: