CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws

First reported
Last updated
5 unique sources, 9 articles

Summary

Hide ▲

Microsoft's October 2025 Patch Tuesday marks the end of free security updates for Windows 10, with the release of the final cumulative update KB5066791. This update addresses 183 vulnerabilities, including six zero-day flaws, and is mandatory for all Windows 10 users. Extended Security Updates (ESU) are available for purchase for up to three years for enterprise users and one year for consumers. The patches cover a range of vulnerabilities, including critical remote code execution and elevation of privilege issues. The zero-day vulnerabilities affect various components, such as Windows SMB Server, Microsoft SQL Server, Windows Agere Modem Driver, Windows Remote Access Connection Manager, AMD EPYC processors, and TCG TPM 2.0. Some of these flaws have been publicly disclosed or actively exploited. The update also includes fixes for vulnerabilities in third-party components, such as IGEL OS and AMD EPYC processors. Additionally, Microsoft Office users should be aware of CVE-2025-59227 and CVE-2025-59234, which exploit the Preview Pane. The update is the largest on record for Microsoft, with 183 CVEs, pushing the number of unique vulnerabilities released so far this year to more than 1,021. The update includes fixes for a wide range of vulnerabilities, including remote code execution (RCE), elevation of privilege, data theft, denial of service (DoS), and security feature bypass issues. The update also marks the end of life for Windows 10, meaning Microsoft will no longer issue regular patches for vulnerabilities in the operating system as part of its regular Patch Tuesday updates. Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life. Windows 10 users can opt for Extended Security Updates (ESU) for one year at a cost of $30, or install Linux as an alternative. Linux Mint is recommended for Windows 10 users transitioning to Linux, with compatibility for most computers from the last decade. The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is due to a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may experience various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. The issue can be detected by the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update. The fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation. Users experiencing authentication problems can manually resolve the issue by disabling the DisableCapiOverrideForRSA registry key. The DisableCapiOverrideForRSA registry key will be removed in April 2026, and users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates. Microsoft has released out-of-band (OOB) security updates for a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. Microsoft has released security updates for all impacted Windows Server versions, including Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012. Workarounds for admins who can't immediately install these emergency patches include disabling the WSUS Server Role or blocking all inbound traffic to Ports 8530 and 8531 on the host firewall. The OOB update supersedes all previous updates for affected versions, and users are advised to install it as soon as possible. A new Windows zero-day vulnerability allows attackers to crash the Remote Access Connection Manager (RasMan) service. The RasMan service is a critical Windows system service that runs with SYSTEM-level privileges. The zero-day flaw is a denial-of-service (DoS) vulnerability that affects all Windows versions, including Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025. The flaw allows unprivileged users to crash the RasMan service due to a coding error in how it processes circular linked lists. ACROS Security provides free, unofficial security patches for this Windows RasMan zero-day via its 0patch micropatching service. The micropatch can be installed by creating an account and installing the 0Patch agent, which applies the patch automatically without requiring a restart.

Timeline

  1. 12.12.2025 13:28 1 articles · 23h ago

    New Windows RasMan zero-day flaw gets free, unofficial patches

    A new Windows zero-day vulnerability allows attackers to crash the Remote Access Connection Manager (RasMan) service. The RasMan service is a critical Windows system service that runs with SYSTEM-level privileges. The zero-day flaw is a denial-of-service (DoS) vulnerability that affects all Windows versions, including Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025. The flaw allows unprivileged users to crash the RasMan service due to a coding error in how it processes circular linked lists. ACROS Security provides free, unofficial security patches for this Windows RasMan zero-day via its 0patch micropatching service. The micropatch can be installed by creating an account and installing the 0Patch agent, which applies the patch automatically without requiring a restart.

    Show sources
    Open in new tab
  2. 24.10.2025 10:27 1 articles · 1mo ago

    Microsoft releases out-of-band updates for critical WSUS vulnerability

    Microsoft has released out-of-band (OOB) security updates to address a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. This vulnerability can be exploited remotely in low-complexity attacks, allowing threat actors to run malicious code with SYSTEM privileges. The update is available for all impacted Windows Server versions, and Microsoft advises immediate installation. Workarounds include disabling the WSUS Server Role or blocking specific ports on the host firewall. The OOB update supersedes all previous updates for affected versions.

    Show sources
    Open in new tab
  3. 15.10.2025 01:57 2 articles · 1mo ago

    Microsoft Office vulnerabilities CVE-2025-59227 and CVE-2025-59234 exploit Preview Pane

    CVE-2025-59227 and CVE-2025-59234 are remote code execution bugs in Microsoft Office that exploit the Preview Pane, allowing attackers to execute code without the target opening the file. This vulnerability requires social engineering to trick the target into previewing a malicious email with an Office document.

    Show sources
    Open in new tab
  4. 15.10.2025 01:57 2 articles · 1mo ago

    Microsoft Word automatically saves documents to OneDrive

    Microsoft Word will now automatically save documents to OneDrive, with an option to disable this feature in Word's settings. This change affects all users, and guidance is provided for those who prefer not to use OneDrive for document storage.

    Show sources
    Open in new tab
  5. 15.10.2025 01:57 2 articles · 1mo ago

    End-of-life for multiple Microsoft products, including Windows 10

    Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life. Windows 10 users can opt for Extended Security Updates (ESU) for one year at a cost of $30, or install Linux as an alternative. Linux Mint is recommended for Windows 10 users transitioning to Linux, with compatibility for most computers from the last decade.

    Show sources
    Open in new tab
  6. 14.10.2025 21:02 9 articles · 1mo ago

    Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws

    The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is due to a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may experience various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. The issue can be detected by the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update. The fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation. Users experiencing authentication problems can manually resolve the issue by disabling the DisableCapiOverrideForRSA registry key. The DisableCapiOverrideForRSA registry key will be removed in April 2026, and users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates. Microsoft has released out-of-band (OOB) security updates to address a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. This vulnerability can be exploited remotely in low-complexity attacks, allowing threat actors to run malicious code with SYSTEM privileges. The update is available for all impacted Windows Server versions, and Microsoft advises immediate installation. Workarounds include disabling the WSUS Server Role or blocking specific ports on the host firewall. The OOB update supersedes all previous updates for affected versions. A new Windows zero-day vulnerability allows attackers to crash the Remote Access Connection Manager (RasMan) service. The RasMan service is a critical Windows system service that runs with SYSTEM-level privileges. The zero-day flaw is a denial-of-service (DoS) vulnerability that affects all Windows versions, including Windows 7 through Windows 11 and Windows Server 2008 R2 through Server 2025. The flaw allows unprivileged users to crash the RasMan service due to a coding error in how it processes circular linked lists. ACROS Security provides free, unofficial security patches for this Windows RasMan zero-day via its 0patch micropatching service. The micropatch can be installed by creating an account and installing the 0Patch agent, which applies the patch automatically without requiring a restart.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Microsoft December 2025 Patch Tuesday addresses 3 zero-days, 56 flaws

Microsoft's December 2025 Patch Tuesday addresses 56 vulnerabilities, including three zero-days. One zero-day (CVE-2025-62221) is actively exploited, allowing privilege escalation in Windows Cloud Files Mini Filter Driver. Two other zero-days (CVE-2025-64671, CVE-2025-54100) are publicly disclosed, affecting GitHub Copilot for JetBrains and PowerShell. The updates also fix 3 critical remote code execution vulnerabilities. Additionally, Microsoft released the KB5071546 extended security update for Windows 10 Enterprise LTSC and ESU program participants, addressing the same vulnerabilities and updating Windows 10 to build 19045.6691 and Windows 10 Enterprise LTSC 2021 to build 19044.6691. The update includes a fix for CVE-2025-54100, a remote code execution zero-day vulnerability in PowerShell, and introduces a confirmation prompt with a security warning for script execution risk when using the Invoke-WebRequest command in PowerShell 5.1. Microsoft patched a total of 1,275 CVEs in 2025, according to data compiled by Fortra. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-62221 to the Known Exploited Vulnerabilities (KEV) catalog, mandating FCEB agencies to apply the patch by December 30, 2025. The remaining two zero-days, CVE-2025-54100 and CVE-2025-64671, are part of a broader set of security vulnerabilities collectively named IDEsaster, affecting multiple AI coding platforms.

Open in new tab

Google Patches Two Exploited Android Framework Vulnerabilities

Google released December 2025 Android security updates addressing 107 vulnerabilities, including two Framework bugs (CVE-2025-48633, CVE-2025-48572) actively exploited in limited, targeted attacks. The updates also fixed a critical Framework flaw (CVE-2025-48631) enabling remote DoS without additional privileges. Patches are available in two levels (2025-12-01, 2025-12-05) for faster manufacturer adoption. The vulnerabilities affect Android versions 13, 14, 15, and 16, and the patches will address 56 additional vulnerabilities affecting Android components in the kernel or third-party components. Similar flaws in the past were used for targeted exploitation by commercial spyware or nation-state operations targeting a small number of high-interest individuals. The updates address four critical-severity fixes for elevation-of-privilege flaws in the Kernel's Pkvm and UOMMU subcomponents, and two critical fixes for Qualcomm-powered devices (CVE-2025-47319 and CVE-2025-47372). Samsung published its security bulletin, including ported fixes from the Google update and vendor-specific fixes. Devices on Android 10 and later may receive some crucial fixes via Google Play system updates. Play Protect can detect and block documented malware and attack chains, so users of any Android version should keep the component up to date and active.

Open in new tab

Microsoft to Strengthen Entra ID Sign-Ins Against Script Injection Attacks

Microsoft plans to enhance the security of Entra ID authentication by implementing a strengthened Content Security Policy (CSP) starting in mid-to-late October 2026. This update will allow script downloads only from Microsoft-trusted content delivery network domains and inline script execution only from Microsoft-trusted sources during sign-ins. The policy aims to protect users against cross-site scripting (XSS) attacks, where attackers inject malicious code to steal credentials or compromise systems. The update will apply only to browser-based sign-in experiences at URLs beginning with login.microsoftonline.com, excluding Microsoft Entra External ID. Microsoft urges organizations to test sign-in scenarios before the deadline to identify and address dependencies on code-injection tools. IT administrators can review sign-in flows in the browser developer console to identify violations. Enterprise customers are advised to stop using browser extensions and tools that inject code or scripts into sign-in pages before the change takes effect. This move is part of Microsoft's Secure Future Initiative (SFI), launched in November 2023, following a report by the Cyber Safety Review Board of the U.S. Department of Homeland Security. The initiative also includes updates to Microsoft 365 security defaults to block access to SharePoint, OneDrive, and Office files via legacy authentication protocols, and the disabling of all ActiveX controls in Windows versions of Microsoft 365 and Office 2024 apps. Additionally, Microsoft has expanded its bug bounty program to cover all online services, including third-party and open-source components, if they impact Microsoft online services. The company has paid over $17 million in bounty awards to 344 security researchers over the last 12 months, and another $16.6 million to 343 security researchers during the previous year. Microsoft has deployed over 50 new detections in its infrastructure to target high-priority tactics, techniques, and procedures. The adoption of phishing-resistant multi-factor authentication (MFA) for users and devices has hit 99.6%. Microsoft has enforced Mandatory MFA across all services, including for all Azure service users. The company has also introduced Automatic recovery capabilities via Quick Machine Recovery, expanded passkey and Windows Hello support, and improved memory safety in UEFI firmware and drivers by using Rust. Microsoft has migrated 95% of Microsoft Entra ID signing VMs to Azure Confidential Compute and moved 94.3% of Microsoft Entra ID security token validation to its standard identity Software Development Kit (SDK). The company has discontinued the use of Active Directory Federation Services (ADFS) in its productivity environment and decommissioned 560,000 additional unused and aged tenants and 83,000 unused Microsoft Entra ID apps across Microsoft production and productivity environments. Microsoft has advanced threat hunting by centrally tracking 98% of production infrastructure, achieved complete network device inventory and mature asset lifecycle management, and almost entirely locked code signing to production identities. The company has published 1,096 CVEs, including 53 no-action cloud CVEs, and paid out $17 million in bounties.

Open in new tab

Microsoft integrates Sysmon natively into Windows 11 and Server 2025

Microsoft announced the integration of Sysmon (System Monitor) natively into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. This integration will simplify management and enhance threat hunting and diagnostics capabilities. The native support will allow users to install Sysmon via Windows Update and manage it through the Optional Features settings. Microsoft also plans to release comprehensive documentation and introduce enterprise management features and AI-powered threat detection capabilities next year. Sysmon is a powerful tool for monitoring and logging events such as process creation, network connections, and file creation, which are crucial for detecting malicious activities. Users can enable Sysmon via the Command Prompt using the command 'sysmon -i' for basic monitoring, or use a custom configuration file for advanced monitoring.

Open in new tab

Critical Remote Command Execution Vulnerability Exploited in CentOS Web Panel

A critical remote command execution vulnerability (CVE-2025-48703) in CentOS Web Panel (CWP) is being actively exploited. The flaw allows unauthenticated attackers to execute arbitrary shell commands as a valid user. The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging federal entities to patch or discontinue use by November 25. The issue affects all CWP versions before 0.9.8.1204. The vulnerability was demonstrated in late June and reported to CWP on May 13. The fix was released on June 18 in version 0.9.8.1205. CISA did not provide details on the exploitation methods, targets, or origin of the malicious activity.

Open in new tab