Microsoft integrates Sysmon natively into Windows 11 and Server 2025
Summary
Microsoft announced the integration of Sysmon (System Monitor) natively into Windows 11 and Windows Server 2025, eliminating the need for standalone deployment. This integration will simplify management and enhance threat hunting and diagnostics capabilities. The native support will allow users to install Sysmon via Windows Update and manage it through the Optional Features settings. Microsoft also plans to release comprehensive documentation and introduce enterprise management features and AI-powered threat detection capabilities next year. Sysmon is a powerful tool for monitoring and logging events such as process creation, network connections, and file creation, which are crucial for detecting malicious activities. Users can enable Sysmon via the Command Prompt using the command 'sysmon -i' for basic monitoring, or use a custom configuration file for advanced monitoring.
Timeline
- 18.11.2025 19:25 (2 articles): Microsoft integrates Sysmon natively into Windows 11 and Server 2025
Sources:
- Microsoft is bringing native Sysmon support to Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
Information Snippets
- Sysmon will be natively integrated into Windows 11 and Windows Server 2025, making it easier to deploy and manage.
  First reported: 18.11.2025 19:25 (1 source, 2 articles). Sources:
- Microsoft is bringing native Sysmon support to Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Sysmon can monitor and log events such as process creation, network connections, and file creation.
  First reported: 18.11.2025 19:25 (1 source, 2 articles). Sources:
- Microsoft is bringing native Sysmon support to Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Users can install Sysmon via the Optional Features settings dialog and receive updates through Windows Update.
  First reported: 18.11.2025 19:25 (1 source, 2 articles). Sources:
- Microsoft is bringing native Sysmon support to Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Microsoft plans to release comprehensive documentation and introduce enterprise management features and AI-powered threat detection capabilities next year.
  First reported: 18.11.2025 19:25 (1 source, 2 articles). Sources:
- Microsoft is bringing native Sysmon support to Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Sysmon can be enabled via the Command Prompt using the command 'sysmon -i' for basic monitoring.
  First reported: 18.11.2025 19:25 (1 source, 1 article). Sources:
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Advanced monitoring can be configured using a custom configuration file with the command 'sysmon -i <name_of_config_file>'.
  First reported: 18.11.2025 19:25 (1 source, 1 article). Sources:
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
- Sysmon logs various events such as process creation, network connections, file creation, and process tampering, which are crucial for detecting malicious activities.
  First reported: 18.11.2025 19:25 (1 source, 1 article). Sources:
- Microsoft to integrate Sysmon directly into Windows 11, Server 2025 — www.bleepingcomputer.com — 18.11.2025 19:25
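The snippets above describe two ways to start Sysmon: a bare 'sysmon -i' for default monitoring and 'sysmon -i <name_of_config_file>' for a custom configuration. The following PowerShell script is an added example, not code from the article or from Microsoft, showing what the configuration-file route looks like end to end: write a minimal configuration that logs process creation and network connections, install (or re-configure) Sysmon with it, and read the resulting ProcessCreate events back out of the Sysmon event channel. It assumes an elevated PowerShell session, a Sysmon binary reachable as `sysmon` (as in the article's command), and a schema version matching a recent Sysmon release; the file name sysmon-minimal.xml and the configuration contents are constructed for this example.

```powershell
# Added example (not from the article or from Microsoft): install Sysmon with
# a minimal configuration, then read back the events it produces.
# Assumptions: elevated PowerShell; the Sysmon binary is reachable as `sysmon`
# (the article's `sysmon -i`); the file name sysmon-minimal.xml, its contents
# and the schemaversion value are constructed for this example. Running
# `sysmon -? config` prints the schema the installed version actually accepts.

$configPath = Join-Path $env:ProgramData 'sysmon-minimal.xml'

# Constructed minimal configuration: log every process creation (Event ID 1)
# and every network connection (Event ID 3), record SHA256 hashes, exclude
# nothing. An empty "exclude" rule means "log everything"; production configs
# add exclusions for noisy, trusted binaries on top of this baseline.
$config = @'
<Sysmon schemaversion="4.90">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <RuleGroup name="ProcessCreate" groupRelation="or">
      <ProcessCreate onmatch="exclude" />
    </RuleGroup>
    <RuleGroup name="NetworkConnect" groupRelation="or">
      <NetworkConnect onmatch="exclude" />
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@
Set-Content -Path $configPath -Value $config -Encoding ASCII

# Fresh install uses the article's `sysmon -i <name_of_config_file>` form.
# If the Sysmon service already exists, `sysmon -c <file>` swaps in the new
# configuration without reinstalling the driver.
$installed = Get-Service -Name 'Sysmon*' -ErrorAction SilentlyContinue
if ($installed) {
    sysmon -c $configPath
} else {
    sysmon -accepteula -i $configPath
}

# Read the newest ProcessCreate events (Event ID 1) from the Sysmon channel.
# For detection work the interesting fields are Image (what ran), CommandLine
# (how it was invoked) and ParentImage (what launched it).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 1
} -MaxEvents 20 -ErrorAction SilentlyContinue

foreach ($e in $events) {
    # Each event's EventData is a list of <Data Name="..."> elements;
    # flatten it into a hashtable keyed by field name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Image       = $data['Image']
        ParentImage = $data['ParentImage']
        CommandLine = $data['CommandLine']
        Hashes      = $data['Hashes']
    }
}
```

The catch-all configuration is deliberate for a first look at the data, but it is noisy: the value of Sysmon in practice comes from a curated rule set, and from forwarding the Microsoft-Windows-Sysmon/Operational channel to a central log store, which the native integration described in the article does not change.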
Similar Happenings
Microsoft Enhances Quick Machine Recovery in Windows 11
Microsoft is testing an improved version of Quick Machine Recovery (QMR) in Windows 11, which now runs a single scan to fix booting problems instead of looping. This update is part of Microsoft's ongoing efforts to enhance system recovery capabilities. Additionally, Smart App Control (SAC) can now be toggled on and off without requiring a clean Windows install. QMR allows IT administrators to resolve Windows boot failures remotely, eliminating the need for physical access. The feature was introduced in November 2024 as part of Microsoft's Windows Resiliency Initiative, following a major outage caused by a CrowdStrike Falcon update in July 2024. These changes are currently being tested with Windows Insiders in the Dev and Beta channels.
Critical WSUS RCE Vulnerability Exploited in the Wild
A critical remote code execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Service (WSUS) is being actively exploited in the wild. The flaw allows attackers to run malicious code with SYSTEM privileges on Windows servers with the WSUS Server role enabled. Microsoft has released out-of-band patches for all affected Windows Server versions. Cybersecurity firms have observed exploitation attempts and the presence of publicly available proof-of-concept exploit code. The vulnerability is considered potentially wormable between WSUS servers and poses a significant risk to organizations. The flaw concerns a case of deserialization of untrusted data in WSUS. The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH. CISA and NSA, along with international partners, have issued guidance to secure Microsoft Exchange Server instances, including recommendations to restrict administrative access, implement multi-factor authentication, and enforce strict transport security configurations. The agencies advise decommissioning end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365. Sophos reported threat actors exploiting the vulnerability to harvest sensitive data from U.S. organizations across various industries, with at least 50 victims identified. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update. Attackers use Base64-encoded PowerShell commands to exfiltrate data to a webhook[.]site endpoint. Michael Haag of Splunk noted an alternate attack chain involving the Microsoft Management Console binary (mmc.exe) to trigger cmd.exe execution.
Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 183 flaws
Microsoft's October 2025 Patch Tuesday marks the end of free security updates for Windows 10, with the release of the final cumulative update KB5066791. This update addresses 183 vulnerabilities, including six zero-day flaws, and is mandatory for all Windows 10 users. Extended Security Updates (ESU) are available for purchase for up to three years for enterprise users and one year for consumers. The patches cover a range of vulnerabilities, including critical remote code execution and elevation of privilege issues. The zero-day vulnerabilities affect various components, such as Windows SMB Server, Microsoft SQL Server, Windows Agere Modem Driver, Windows Remote Access Connection Manager, AMD EPYC processors, and TCG TPM 2.0. Some of these flaws have been publicly disclosed or actively exploited. The update also includes fixes for vulnerabilities in third-party components, such as IGEL OS and AMD EPYC processors. Additionally, Microsoft Office users should be aware of CVE-2025-59227 and CVE-2025-59234, which can be exploited through the Preview Pane. The update is the largest on record for Microsoft, with 183 CVEs, pushing the number of unique vulnerabilities released so far this year to more than 1,021. The update includes fixes for a wide range of vulnerabilities, including remote code execution (RCE), elevation of privilege, data theft, denial of service (DoS), and security feature bypass issues. The update also marks the end of life for Windows 10, meaning Microsoft will no longer issue regular patches for vulnerabilities in the operating system as part of its regular Patch Tuesday updates. Exchange Server 2016, Exchange Server 2019, Skype for Business 2016, Windows 11 IoT Enterprise Version 22H2, and Outlook 2016 are also reaching end-of-life. Windows 10 users can opt for Extended Security Updates (ESU) for one year at a cost of $30, or install Linux as an alternative.
Linux Mint is recommended for Windows 10 users transitioning to Linux, with compatibility for most computers from the last decade. The October 2025 Windows security updates cause smart card authentication and certificate issues across all Windows 10, Windows 11, and Windows Server releases. The issue is due to a security fix designed to address a security feature bypass vulnerability (CVE-2024-30098) in the Windows Cryptographic Services. Affected users may experience various symptoms, including the inability to sign documents, failures in applications using certificate-based authentication, and smart cards not being recognized as CSP providers in 32-bit apps. The issue can be detected by the presence of Event ID 624 in the System event logs for the Smart Card Service prior to installing the October 2025 Windows security update. The fix is enabled by setting the DisableCapiOverrideForRSA registry key value to 1 to isolate cryptographic operations from the Smart Card implementation. Users experiencing authentication problems can manually resolve the issue by disabling the DisableCapiOverrideForRSA registry key. The DisableCapiOverrideForRSA registry key will be removed in April 2026, and users are advised to work with their application vendors to resolve the underlying problem. Microsoft also fixed another known issue breaking IIS websites and HTTP/2 localhost (127.0.0.1) connections after installing recent Windows security updates. Microsoft has released out-of-band (OOB) security updates for a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287) with publicly available proof-of-concept exploit code. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. 
Microsoft has released security updates for all impacted Windows Server versions, including Windows Server 2025, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012. Workarounds for admins who can't immediately install these emergency patches include disabling the WSUS Server Role or blocking all inbound traffic to Ports 8530 and 8531 on the host firewall. The OOB update supersedes all previous updates for affected versions, and users are advised to install it as soon as possible.
Microsoft Sentinel Enhancements with Unified Data Lake and Agentic Security
Microsoft has expanded its Sentinel Security Information and Event Management (SIEM) solution into a unified agentic platform with the general availability of the Sentinel data lake. This enhancement includes the public preview of Sentinel Graph and the Sentinel Model Context Protocol (MCP) server, which aim to provide better visibility, advanced analytics, and AI-driven security capabilities. The Sentinel data lake ingests and manages security data from diverse sources, enabling AI models to detect subtle patterns and correlate signals. This shift allows security teams to uncover attacker behavior, hunt over historical data, and trigger automatic detections. The new graph tools and MCP server facilitate integration of third-party and internally developed agents, enhancing the platform's capabilities. Additionally, Microsoft has emphasized the importance of securing AI platforms and implementing guardrails to protect against prompt injection attacks, with planned enhancements to Azure AI Foundry. The company has also launched the Microsoft Security Store, expanding integration with partners like Accenture, Darktrace, IBM, Illumio, ServiceNow, Simbian, and Zscaler.
CISA releases Thorium for scalable malware and forensic analysis
The Cybersecurity and Infrastructure Security Agency (CISA) and Sandia National Laboratories have released Thorium, a scalable malware and forensic analysis platform. Thorium integrates various analysis tools and automates workflows to quickly assess malware threats and index forensic analysis results. The platform aims to address the growing complexity and volume of malware threats faced by cyber defenders across government, public, and private sectors. Thorium allows users to integrate preferred tools into a single platform, analyze large amounts of malware quickly, and adapt to evolving threats. The platform is designed to ingest over 10 million files per hour per permission group and schedule over 1,700 jobs per second, while maintaining fast results queries. The release underscores CISA's commitment to providing scalable cybersecurity resources to help organizations defend against cyber threats.