Windows 10 End of Support Is Here

As announced previously, Windows 10 officially reaches end of life on October 14, 2025. According to Microsoft, in order to qualify for Extended Security Updates for Windows 10, the affected host must be upgraded to the 22H2 release. This means regular Windows 10 hosts will no longer receive regular security updates after this date. As of October 14, 2025, non-22H2 Windows 10 hosts will be identified in the CrowdStrike Falcon® Exposure Management Vulnerability Management pane with an unsupported software vulnerability. More information can be found via the following link: https://www.microsoft.com/en-us/windows/extended-security-updates

Zero-Day Vulnerability in Windows Agere Modem Driver

CVE-2025-24990 is an Important elevation of privilege vulnerability affecting Windows Agere Modem Driver and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to administrator level by exploiting an untrusted pointer dereference weakness in the third-party Agere Modem driver (ltmdm64.sys) that ships natively with supported Windows operating systems.

There is evidence of active exploitation in the wild with functional exploit code available, and exploitation has been detected. The vulnerability affects all supported versions of Windows systems with the Agere Modem Driver and requires local access to exploit with low attack complexity, requiring low privileges but no user interaction. When successfully exploited, attackers can gain administrator privileges, potentially allowing them to completely compromise the affected Windows systems. Notably, this vulnerability can be exploited even if the modem is not actively being used, and Microsoft has removed the ltmdm64.sys driver in the October cumulative update, which will cause fax modem hardware dependent on this driver to no longer work on Windows.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-24990 | Windows Agere Modem Driver Elevation of Privilege Vulnerability |

Zero-Day Vulnerability in Windows Remote Access Connection Manager

CVE-2025-59230 is an Important elevation of privilege vulnerability affecting Windows Remote Access Connection Manager and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate their privileges to SYSTEM level by exploiting an improper access control weakness in Windows Remote Access Connection Manager and gaining local access to the system.

The vulnerability affects Windows systems with Remote Access Connection Manager and requires local access to exploit with low attack complexity, requiring low privileges but no user interaction. When successfully exploited, attackers can gain SYSTEM privileges, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-59230 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability |

Zero-Day Vulnerability in Secure Boot in IGEL OS before Version 11

CVE-2025-47827 is an Important security feature bypass vulnerability affecting versions of IGEL OS before version 11 and has a CVSS score of 4.6. This vulnerability allows unauthenticated physical attackers to bypass Secure Boot by exploiting the use of a key past its expiration date weakness in the igel-flash-driver module, which improperly verifies cryptographic signatures and allows mounting of a crafted root filesystem from an unverified SquashFS image.

There is evidence of active exploitation in the wild with functional exploit code available. The vulnerability requires physical access to exploit with low attack complexity, requiring no privileges or user interaction. When successfully exploited, attackers can bypass Secure Boot security features, potentially causing high availability, integrity, and confidentiality impact on affected systems.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 4.6 | CVE-2025-47827 | Secure Boot Bypass in IGEL OS Before Version 11 |

Publicly Disclosed Vulnerability in Windows Agere Modem Driver

CVE-2025-24052 is an Important elevation of privilege vulnerability affecting Windows Agere Modem Driver and has a CVSS score of 7.8. This vulnerability allows authenticated local attackers with low privileges to elevate privileges to administrator level by exploiting a stack-based buffer overflow weakness in the third-party Agere Modem driver (ltmdm64.sys), which ships natively with supported Windows operating systems.

The vulnerability had been publicly disclosed. There is no evidence of active exploitation in the wild, though exploitation is considered more likely with proof-of-concept code available. This vulnerability affects all supported versions of Windows systems with the Agere Modem driver and requires local access to exploit with low attack complexity, requiring low privileges but no user interaction.

When successfully exploited, attackers can gain administrator privileges, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems. Notably, this vulnerability can be exploited even if the modem is not actively being used. Microsoft has removed the ltmdm64.sys driver in the October cumulative update, which will cause fax modem hardware dependent on this driver to no longer work on Windows.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 7.8 | CVE-2025-24052 | Windows Agere Modem Driver Elevation of Privilege Vulnerability |

Publicly Disclosed Vulnerability in TCG TPM2.0 Reference Implementation

CVE-2025-2884 is an Important information disclosure vulnerability affecting the TCG TPM2.0 reference implementation and has a CVSS score of 5.3. This vulnerability allows authenticated local attackers with low privileges to disclose sensitive information by exploiting an out-of-bounds read weakness in the CryptHmacSign helper function due to lack of validation of the signature scheme with the signature key’s algorithm.

The vulnerability had been publicly disclosed. There is no evidence of active exploitation in the wild, though exploitation is considered less likely. The vulnerability affects systems using the TCG TPM2.0 reference implementation and requires local access to exploit with high attack complexity, requiring low privileges but no user interaction.

When successfully exploited, attackers can achieve high confidentiality impact through information disclosure and low availability impact on affected systems, but cannot compromise system integrity. The documented Windows updates incorporate updates in the TCG TPM2.0 reference implementation that address this vulnerability.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Important | 5.3 | CVE-2025-2884 | Out-of-Bounds Read Vulnerability in TCG TPM2.0 Reference Implementation |

Critical Vulnerability in Microsoft Graphics Component

CVE-2025-49708 is a Critical elevation of privilege vulnerability affecting Microsoft Graphics Component and has a CVSS score of 9.9. This vulnerability allows authenticated remote attackers with low privileges to elevate their privileges to SYSTEM level by exploiting a use after free weakness in Microsoft Graphics Component over a network connection.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered less likely. The vulnerability affects Windows systems utilizing Microsoft Graphics Component and can be exploited remotely from the internet with low attack complexity, requiring no user interaction.

When successfully exploited, attackers can gain SYSTEM privileges by accessing a local guest virtual machine (VM) to attack the host OS, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected Windows systems and impact other VMs running on the same host due to the changed scope nature of this vulnerability.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.9 | CVE-2025-49708 | Microsoft Graphics Component Elevation of Privilege Vulnerability |

Critical Vulnerability in Windows Server Update Service

CVE-2025-59287 is a Critical remote code execution vulnerability affecting Windows Server Update Service (WSUS) and has a CVSS score of 9.8. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by exploiting unsafe deserialization of untrusted data in WSUS over a network connection.

When successfully exploited, attackers can achieve remote code execution by sending a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, potentially allowing them to completely compromise the confidentiality, integrity, and availability of affected WSUS systems.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 9.8 | CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |

Critical Vulnerabilities in Microsoft Office

CVE-2025-59236 is a Critical remote code execution vulnerability affecting Microsoft Excel and has a CVSS score of 8.4. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use after free weakness in Microsoft Office Excel through local access to the system. When successfully exploited, attackers can achieve arbitrary code execution locally on the affected system.

CVE-2025-59234 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use after free weakness in Microsoft Office through local access to the system with required user interaction.

CVE-2025-59227 is a Critical remote code execution vulnerability affecting Microsoft Office and has a CVSS score of 7.8. This vulnerability allows unauthenticated local attackers to execute arbitrary code by exploiting a use after free weakness through local access to the system with required user interaction.

The vulnerabilities have not been publicly disclosed, and there is no evidence of active exploitation in the wild. Exploitation requires local access with low attack complexity. No privileges are needed, but user interaction is required. Successful exploitation enables arbitrary code execution when a user opens a malicious file. The Preview Pane has been a common attack vector in similar vulnerabilities (April 2023, July 2023, December 2023, October 2024, January 2025, February 2025, April 2025, June 2025, September 2025).

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.4 | CVE-2025-59236 | Microsoft Excel Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-59234 | Microsoft Office Remote Code Execution Vulnerability |
| Critical | 7.8 | CVE-2025-59227 | Microsoft Office Remote Code Execution Vulnerability |

Critical Vulnerabilities in Microsoft Azure

CVE-2025-59291 is a Critical elevation of privilege vulnerability affecting Confidential Azure Container Instances and has a CVSS score of 8.2. This vulnerability allows authenticated local attackers with high privileges to elevate their privileges by exploiting external control of file name or path weakness in Confidential Azure Container Instances through local access to the system.

CVE-2025-59292 is a Critical elevation of privilege vulnerability affecting Azure Compute Gallery and has a CVSS score of 8.2. This vulnerability allows authenticated local attackers with high privileges to elevate their privileges by exploiting external control of file name or path weakness in Azure Compute Gallery through local access to the system.

The vulnerability requires local access to exploit with low attack complexity, requiring high privileges but no user interaction. When successfully exploited, attackers can gain code execution within the confidential ACI sidecar container by tricking the system into mounting a malicious file share to a sensitive location, escalating from host control to confidential containers and potentially allowing them to completely compromise the affected systems.

Due to the changed scope nature of these vulnerabilities, a successful attack allows the container host to execute code in the targeted guest environment, expanding the impact beyond the initially compromised component. The vulnerabilities have not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered less likely.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 8.2 | CVE-2025-59291 | Confidential Azure Container Instances Elevation of Privilege Vulnerability |
| Critical | 8.2 | CVE-2025-59292 | Azure Compute Gallery Elevation of Privilege Vulnerability |

Critical Vulnerability in LibTIFF

CVE-2016-9535 is a Critical remote code execution vulnerability affecting LibTIFF and has a CVSS score of 4.0. This vulnerability allows unauthenticated local attackers to cause denial of service or potentially execute arbitrary code by exploiting a heap buffer overflow weakness in LibTIFF’s tif_predict.h and tif_predict.c components when processing unusual tile sizes like YCbCr with subsampling.

The vulnerability has not been publicly disclosed, and there is no evidence of active exploitation in the wild, though exploitation is considered unlikely. The vulnerability affects systems using LibTIFF 4.0.6 and requires local access to exploit with low attack complexity, requiring no privileges or user interaction. When successfully exploited, attackers can cause assertion failures in debug mode or buffer overflows in release mode, potentially leading to low availability impact on affected systems. This vulnerability is also known as “Predictor heap-buffer-overflow” and was reported as MSVR 35105, with Windows updates incorporating LibTIFF updates that address this dependency on the vulnerable third-party component.

| Severity | CVSS Score | CVE | Description |
|---|---|---|---|
| Critical | 4.0 | CVE-2016-9535 | LibTIFF Remote Code Execution Vulnerability |

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists.

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity and improve your overall security posture.

Patch Tuesday Dashboard in the Falcon Platform

For a visual overview of the systems impacted by this month’s vulnerabilities, you can use our Patch Tuesday dashboard. This can be found in the CrowdStrike Falcon® platform within the Exposure Management > Vulnerability Management > Dashboards page. The preset dashboards show the most recent three months of Patch Tuesday vulnerabilities.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores.
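As an added example that is not part of the CrowdStrike post, the PowerShell check below covers two inventory points raised above: whether a host is on the Windows 10 22H2 release that qualifies for Extended Security Updates, and whether the Agere modem driver file ltmdm64.sys is still present, which means the October cumulative update that removes it has not yet been applied. The registry path, value names and build numbers are Windows' own; the function name is mine, and the script assumes it runs locally with rights to read HKLM and the drivers directory.

```powershell
# Added example (not from the CrowdStrike post). Reports a host's Windows 10
# feature-update level and whether the Agere modem driver file is still present.
# Assumes it runs locally with rights to read HKLM and %SystemRoot%\System32\drivers;
# wrap it in Invoke-Command to run it against a list of hosts.
function Get-Win10PatchTuesdayStatus {
    $ver = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build   = [int]$ver.CurrentBuild   # 19045 = Windows 10 22H2; 22000 and above = Windows 11
    $display = $ver.DisplayVersion      # "22H2" and similar; absent on releases before 20H2

    # ProductName still reads "Windows 10 ..." on Windows 11, so the build number decides.
    $isWin10 = ($ver.ProductName -like 'Windows 10*') -and ($build -lt 22000)

    $esu = if (-not $isWin10) {
        'Not Windows 10'
    } elseif ($build -eq 19045) {
        'Windows 10 22H2: eligible to enroll in Extended Security Updates'
    } else {
        "Windows 10 $display (build $build): not 22H2, no security updates after 2025-10-14"
    }

    # Microsoft removed ltmdm64.sys in the October cumulative update, so a host on which
    # the file still exists has not yet received that update.
    $agerePath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        ProductName        = $ver.ProductName
        Build              = "$build.$($ver.UBR)"   # UBR = cumulative-update revision
        EsuStatus          = $esu
        AgereDriverPresent = Test-Path -Path $agerePath -PathType Leaf
    }
}

Get-Win10PatchTuesdayStatus | Format-List
```

Hosts reporting a non-22H2 status or AgereDriverPresent = True are the ones to cross-check against the Falcon Exposure Management unsupported-software and October Patch Tuesday findings.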
