CyberHappenings

Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws

5 unique sources, 8 articles

Summary


Microsoft's October 2025 Patch Tuesday marks the end of free security updates for Windows 10, with the release of the final cumulative update KB5066791. The update addresses 183 vulnerabilities, including six zero-day flaws, and is mandatory for all Windows 10 users. It is the largest Patch Tuesday on record for Microsoft, with 183 CVEs, pushing the number of unique vulnerabilities released so far this year to more than 1,021. The fixes cover remote code execution (RCE), elevation of privilege, data theft, denial of service (DoS), and security feature bypass issues, including critical RCE and elevation of privilege flaws. The zero-day vulnerabilities affect Windows SMB Server, Microsoft SQL Server, the Windows Agere Modem Driver, Windows Remote Access Connection Manager, AMD EPYC processors, and TCG TPM 2.0; some of these flaws have been publicly disclosed or actively exploited. The update also includes fixes for vulnerabilities in third-party components, such as IGEL OS and AMD EPYC processors. Microsoft Office users should be aware of CVE-2025-59227 and CVE-2025-59234, remote code execution bugs that can be triggered through the Preview Pane.

With Windows 10 at end of life, Microsoft will no longer issue fixes for vulnerabilities in the operating system as part of its regular Patch Tuesday updates. Extended Security Updates (ESU) are available for purchase for up to three years for enterprise users and one year for consumers; Windows 10 users can opt for one year of ESU at a cost of $30, or install Linux as an alternative. Linux Mint is recommended for Windows 10 users transitioning to Linux, as it is compatible with most computers from the last decade. Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life.

The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is caused by a security fix for a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may see various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. Systems likely to be affected can be identified by the presence of Event ID 624 from the Smart Card Service in the System event log prior to installing the October 2025 update. The fix is enabled by setting the DisableCapiOverrideForRSA registry value to 1, which isolates cryptographic operations from the smart card implementation; users experiencing authentication problems can work around the issue by disabling the DisableCapiOverrideForRSA registry value. That registry value will be removed in April 2026, so users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed a separate known issue that broke IIS websites and HTTP/2 localhost (127.0.0.1) connections after recent Windows security updates.

Microsoft has additionally released out-of-band (OOB) security updates for a critical-severity Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287) for which proof-of-concept exploit code is publicly available. The vulnerability can be exploited remotely in low-complexity attacks that require neither privileges nor user interaction, allowing threat actors to run malicious code with SYSTEM privileges. Updates are available for all impacted Windows Server versions: Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012. Workarounds for admins who cannot immediately install the emergency patches are to disable the WSUS Server Role or to block all inbound traffic to ports 8530 and 8531 on the host firewall. The OOB update supersedes all previous updates for affected versions, and users are advised to install it as soon as possible.

Timeline

  1. 24.10.2025 10:27 1 article · 23h ago

    Microsoft releases out-of-band updates for critical WSUS vulnerability

    Microsoft has released out-of-band (OOB) security updates to address a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. This vulnerability can be exploited remotely in low-complexity attacks, allowing threat actors to run malicious code with SYSTEM privileges. The update is available for all impacted Windows Server versions, and Microsoft advises immediate installation. Workarounds include disabling the WSUS Server Role or blocking specific ports on the host firewall. The OOB update supersedes all previous updates for affected versions.

  2. 15.10.2025 01:57 2 articles · 10d ago

    Microsoft Office vulnerabilities CVE-2025-59227 and CVE-2025-59234 exploit Preview Pane

    CVE-2025-59227 and CVE-2025-59234 are remote code execution bugs in Microsoft Office that can be triggered through the Preview Pane, allowing attackers to execute code without the target opening the file. Exploiting them still requires social engineering to trick the target into previewing a malicious email carrying an Office document.

  3. 15.10.2025 01:57 2 articles · 10d ago

    Microsoft Word automatically saves documents to OneDrive

    Microsoft Word will now automatically save documents to OneDrive, with an option to disable this feature in Word's settings. This change affects all users, and guidance is provided for those who prefer not to use OneDrive for document storage.

  4. 15.10.2025 01:57 2 articles · 10d ago

    End-of-life for multiple Microsoft products, including Windows 10

    Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life. Windows 10 users can opt for Extended Security Updates (ESU) for one year at a cost of $30, or install Linux as an alternative. Linux Mint is recommended for Windows 10 users transitioning to Linux, with compatibility for most computers from the last decade.

  5. 14.10.2025 21:02 8 articles · 10d ago

    Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws

    The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is due to a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may experience various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. The issue can be detected by the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update. The fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation. Users experiencing authentication problems can manually resolve the issue by disabling the DisableCapiOverrideForRSA registry key. The DisableCapiOverrideForRSA registry key will be removed in April 2026, and users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates. Microsoft has released out-of-band (OOB) security updates to address a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. This vulnerability can be exploited remotely in low-complexity attacks, allowing threat actors to run malicious code with SYSTEM privileges. The update is available for all impacted Windows Server versions, and Microsoft advises immediate installation. Workarounds include disabling the WSUS Server Role or blocking specific ports on the host firewall. The OOB update supersedes all previous updates for affected versions.

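The smart card guidance in the summary and in timeline entry 5 amounts to a check (Event ID 624 from the Smart Card Service in the System log) and a registry toggle (DisableCapiOverrideForRSA). The PowerShell below is an added example, not code from the page or from Microsoft; the registry path and the event provider name filter are assumptions marked as placeholders, and must be replaced with the values from Microsoft's release-health guidance before use.

```powershell
# Added example (not from the original page). Assumptions are marked below.
$RegPath   = 'HKLM:\SOFTWARE\PLACEHOLDER\Path\From\Microsoft\Guidance'  # ASSUMPTION: placeholder path
$ValueName = 'DisableCapiOverrideForRSA'                                # value name as given on the page

function Get-SmartCard624Events {
    param([int]$Days = 30)
    # Event ID 624 in the System log from the Smart Card Service is the page's pre-update indicator
    # that a machine relies on smart card RSA operations and may break after the October update.
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 624; StartTime = (Get-Date).AddDays(-$Days) } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*SmartCard*' }   # ASSUMPTION: provider name pattern
}

function Get-CapiOverrideState {
    # Reports whether the isolation fix is currently enabled (1), disabled (0) or absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item)            { return 'NotSet' }
    if ($item.$ValueName -eq 1)     { return 'Enabled (crypto isolated from smart card implementation)' }
    return 'Disabled (pre-update behaviour)'
}

function Set-CapiOverrideState {
    param([Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value)
    # 1 = the fix described on the page; 0 = the temporary workaround for broken applications.
    # The page notes the value is removed in April 2026, so 0 is only a stopgap while the vendor fixes the app.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

$hits = @(Get-SmartCard624Events)
"Event ID 624 occurrences in the last 30 days: $($hits.Count)"
"Current $ValueName state: $(Get-CapiOverrideState)"
if ($hits.Count -gt 0) {
    'Smart card RSA usage detected: expect the symptoms listed on the page after the October update.'
    'If authentication fails, Set-CapiOverrideState -Value 0 restores the old behaviour temporarily.'
}
```

Run it elevated, since writing under HKLM requires administrator rights; the event query works without elevation.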

Similar Happenings

Windows Authentication Failures Due to Duplicate Security Identifiers

Windows updates released since August 29, 2025, have introduced authentication failures on systems with duplicate Security Identifiers (SIDs). These updates enforce stricter SID checks, causing Kerberos and NTLM authentication to fail on affected devices. The issue impacts Windows 11 (24H2 and 25H2) and Windows Server 2025, leading to various login and access problems. Duplicate SIDs often result from improperly cloned or duplicated Windows installations. Microsoft recommends rebuilding affected systems using supported cloning methods or applying a temporary Group Policy fix obtained through Microsoft Support.

Microsoft October 2025 Updates Disable USB Input in Windows Recovery Environment

Microsoft's October 2025 security updates (KB5066835) initially disabled USB mice and keyboards in the Windows Recovery Environment (WinRE), affecting both client (Windows 11 24H2 and 25H2) and server (Windows Server 2025) platforms. This issue made WinRE unusable for troubleshooting or repairing the OS, prompting users to switch to Bluetooth or PS/2 input devices as a workaround. Microsoft has since released an emergency update (KB5070773) to resolve the issue, which started rolling out on October 21, 2025. This update restores USB functionality in WinRE, allowing users to navigate recovery options. Affected customers can also use touchscreen, PS/2 devices, or USB recovery drives as workarounds. OEMs and enterprises can use PXE in Configuration Manager to install the update, while IT administrators can deploy push-button reset features using Windows ADK and WinPE add-on.

Active Directory Sync Issues in Windows Server 2025

Microsoft has released a fix for Active Directory synchronization issues affecting Windows Server 2025 systems. The problem occurs after installing security updates released since September 2025. It impacts synchronization for large Active Directory security groups exceeding 10,000 members, particularly when using Microsoft Entra Connect Sync. The issue affects applications relying on the Active Directory directory synchronization (DirSync) control. Microsoft has provided a Known Issue Rollback (KIR) Group Policy for managed devices and a registry key workaround for non-managed devices and home users. A separate bug causing Windows update failures on Windows 11 24H2 and Windows Server 2025 devices is also being addressed. Guidance has been issued for smart card authentication issues across all supported Windows versions.

Windows 11 updates disrupt localhost HTTP/2 connections

Microsoft's October Windows 11 updates (KB5066835) and September's KB5065789 preview update have caused issues with localhost (127.0.0.1) HTTP/2 connections. Users are experiencing errors such as 'ERR_CONNECTION_RESET' or 'ERR_HTTP2_PROTOCOL_ERROR' when attempting to connect to localhost. This affects various applications, including Visual Studio debugging, SSMS Entra ID authentication, and the Duo Desktop app. The issue also affects Windows Server 2025 systems and is linked to a bug in the HTTP.sys Windows-based web server for ASP.NET Core. Microsoft has provided a temporary fix via Known Issue Rollback (KIR) for non-managed business devices and most home users. IT administrators can resolve the issue on managed devices by installing and configuring a specific KIR group policy. A permanent fix will be included in a future Windows update.

F5 BIG-IP Source Code and Vulnerability Information Stolen in Cyberattack

Over 266,000 F5 BIG-IP instances are exposed online and potentially vulnerable to remote attacks following a breach that F5 disclosed on October 15, 2025. The company has released security updates to address 44 vulnerabilities, including those whose details were stolen in the breach. F5 has not found evidence that the stolen information has been used in actual attacks or disclosed publicly. The breach was attributed to a highly sophisticated nation-state threat actor that gained persistent, long-term access to F5's product development environment and engineering knowledge management platforms; the intrusion was detected in August 2025, and the Justice Department ordered a delay in public disclosure on September 12, 2025. The threat actor exfiltrated files containing BIG-IP source code and information regarding undisclosed vulnerabilities. F5 has not found evidence of access to or exfiltration of data tied to its CRM, financial, support case management, or iHealth systems, nor to the NGINX source code or product development environment, and has identified no evidence of modification to its software supply chain, including source code, build pipeline, and release pipeline, or of suspicious code modifications. BIG-IP is a critical product used in application delivery networking and traffic management by many large enterprises; F5 has 23,000 customers in 170 countries, including 48 of the Fortune 50. F5 has validated the safety of BIG-IP releases through multiple independent reviews by leading cybersecurity firms and has advised users to apply the latest updates for BIG-IP and related products.

F5 has worked with multiple incident response firms and law enforcement to mitigate the event and believes it has contained the threat. It has rotated credentials, strengthened access controls, deployed improved inventory and patch management automation, integrated better monitoring and detection tools across all of its software development platforms, and implemented enhancements to its network security infrastructure. F5 advises customers to apply the latest BIG-IP updates and has shared guidance for hardening customers' systems. On October 15, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive requiring federal civilian executive branch (FCEB) agencies to inventory F5 BIG-IP products, evaluate whether their networked management interfaces are accessible from the public internet, and apply updates from F5 where necessary. CISA warned that the threat actor's access to the F5 development environment could enable it to conduct static and dynamic analysis to discover logical flaws, zero-day vulnerabilities, and targeted exploits. Tom Kellermann, VP of cyber risk at Hitrust, argued that the F5 breach is likely to be the first stage in a supply chain campaign, and Ilia Kolochenko, CEO of ImmuniWeb, agreed that the stolen IP could be used to craft zero-day exploits for subsequent APT campaigns.