
Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

Severity: Medium
Tags: Exploit, windows
Published: Wed Oct 15 2025 (10/15/2025, 09:23:00 UTC)
Source: The Hacker News

Description

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program. Of the 183 vulnerabilities, eight of them are non-Microsoft

AI-Powered Analysis

Last updated: 10/16/2025, 01:28:19 UTC

Technical Analysis

On October 15, 2025, Microsoft released security updates addressing 183 vulnerabilities across its product portfolio, including two zero-day elevation of privilege vulnerabilities actively exploited in the wild: CVE-2025-24990 and CVE-2025-59230. CVE-2025-24990 affects the Agere Modem Driver (ltmdm64.sys), a legacy third-party driver installed by default on every Windows version through Windows Server 2025, whether or not the matching modem hardware is present. This flaw allows a local attacker with minimal privileges to escalate to SYSTEM, posing a significant risk because of the driver's ubiquity and because Microsoft plans to remove the driver rather than patch it. CVE-2025-59230 targets the Windows Remote Access Connection Manager (RasMan) component, marking the first zero-day exploitation of this module, and also enables privilege escalation. Both vulnerabilities carry a CVSS score of 7.8 and allow attackers to execute code with elevated privileges locally. Additionally, a Secure Boot bypass vulnerability (CVE-2025-47827) in IGEL OS prior to version 11 enables kernel-level rootkits but requires physical access, making it relevant primarily for high-value targets and mobile employees. Other notable critical vulnerabilities include a remote code execution flaw in WSUS (CVE-2025-59287, CVSS 9.8), an out-of-bounds read in the TPM 2.0 implementation (CVE-2025-2884), and a Windows URL parsing RCE (CVE-2025-59295, CVSS 8.8). A particularly severe flaw in the Microsoft Graphics Component (CVE-2025-49708, CVSS 9.9) allows VM escape, enabling an attacker with low privileges in a guest VM to execute code on the host with SYSTEM privileges, which threatens multi-tenant environments. Microsoft has ended mainstream support for Windows 10 except for ESU-enrolled systems, increasing the risk for unpatched devices. The exploited vulnerabilities have been added to the U.S. CISA Known Exploited Vulnerabilities catalog, mandating patching by November 4, 2025. The widespread presence of these vulnerabilities across Windows versions and components, combined with active exploitation, underscores the critical need for immediate remediation and enhanced security controls.

Potential Impact

European organizations face substantial risks from these vulnerabilities due to the pervasive use of Windows operating systems in enterprise, government, and critical infrastructure sectors. The Agere Modem Driver vulnerability affects all Windows versions ever shipped, meaning virtually all Windows-based systems in Europe are potentially vulnerable to local privilege escalation attacks, which could be leveraged for lateral movement and full system compromise. The RasMan vulnerability similarly enables privilege escalation, increasing the risk of attackers gaining administrative control. The Secure Boot bypass in IGEL OS threatens organizations using this OS for virtual desktop infrastructure, particularly those with mobile or traveling employees, potentially leading to credential theft and persistent kernel-level malware. The VM escape vulnerability in the Microsoft Graphics Component poses a severe threat to cloud service providers and enterprises running virtualized environments, as it breaks isolation between guest VMs and the host, risking exposure of sensitive data and critical services. Remote code execution vulnerabilities in WSUS and Windows URL parsing could allow remote attackers to execute arbitrary code, potentially leading to widespread compromise if exploited in enterprise update infrastructure or user-facing applications. The end of Windows 10 support without ESU enrollment increases exposure for many organizations that may delay patching or lack resources for upgrades. Overall, these vulnerabilities threaten confidentiality, integrity, and availability of systems, potentially leading to data breaches, service disruptions, and significant operational impacts.

Mitigation Recommendations

European organizations should prioritize immediate deployment of Microsoft’s October 2025 security updates, focusing on the two zero-day vulnerabilities (CVE-2025-24990 and CVE-2025-59230) and other critical flaws. For the Agere Modem Driver vulnerability, organizations should verify driver presence and expedite its removal as Microsoft plans, ensuring legacy components are eliminated from systems. Implement strict local access controls and monitor for unusual privilege escalation attempts, as both zero-days require local access. For the Secure Boot bypass in IGEL OS, restrict physical access to devices, especially for traveling employees, and update IGEL OS to version 11 or later. Harden virtualized environments by applying patches addressing the VM escape vulnerability and enforce strict VM isolation policies. Enhance endpoint detection and response (EDR) capabilities to detect exploitation attempts, focusing on privilege escalation and kernel-level anomalies. Review and secure WSUS infrastructure to prevent exploitation of remote code execution flaws. Given Windows 10 end-of-support, organizations should assess their upgrade or ESU enrollment status to maintain security updates. Conduct thorough vulnerability scanning and penetration testing to identify unpatched systems. Finally, implement robust logging and incident response plans to quickly detect and respond to exploitation attempts.
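The "verify driver presence" step above can be scripted. The following PowerShell inventory check is an added example, not code from the article or from Microsoft; it assumes the driver binary sits in the standard %SystemRoot%\System32\drivers path and locates the driver service by image path rather than assuming a service name. It only reports, so it can be pushed to a fleet ahead of the update and re-run afterwards to confirm removal.

```powershell
# Added example (not from the article): report whether the legacy Agere modem
# driver (ltmdm64.sys, CVE-2025-24990) is still present on this host.
# Assumption: standard %SystemRoot%\System32\drivers location for the binary.
# This function removes nothing; Microsoft's October 2025 update removes the driver.

function Get-AgereModemDriverStatus {
    [CmdletBinding()]
    param()

    $driverFile  = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
    $filePresent = Test-Path -LiteralPath $driverFile

    $fileInfo = $null
    if ($filePresent) {
        $item = Get-Item -LiteralPath $driverFile
        $fileInfo = [ordered]@{
            Version  = $item.VersionInfo.FileVersion
            Modified = $item.LastWriteTime
            SizeKB   = [math]::Round($item.Length / 1KB, 1)
        }
    }

    # Find any kernel driver service whose image path references ltmdm64.sys,
    # so the check does not depend on a hard-coded service name.
    $service = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ltmdm64.sys*' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        FilePresent  = $filePresent
        FilePath     = $driverFile
        FileInfo     = $fileInfo
        ServiceName  = if ($service) { $service.Name } else { $null }
        ServiceState = if ($service) { $service.State } else { $null }
        StartMode    = if ($service) { $service.StartMode } else { $null }
        Exposed      = [bool]($filePresent -or $service)
        Note         = if ($filePresent -or $service) {
                           'ltmdm64.sys present: apply the October 2025 update that removes it, then re-run.'
                       } else {
                           'ltmdm64.sys not found on this host.'
                       }
    }
}

# Run locally; for a fleet, wrap in Invoke-Command and collect the Exposed field.
Get-AgereModemDriverStatus | Format-List
```

Hosts that still report Exposed = True after patching deserve a closer look, since the page notes the driver is present by default regardless of hardware.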


Technical Details

Article Source: https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html (fetched 2025-10-16T01:26:46Z, 1573 words)

Threat ID: 68f049d84f645e963f0fee07

Added to database: 10/16/2025, 1:26:48 AM

Last enriched: 10/16/2025, 1:28:19 AM

Last updated: 10/16/2025, 2:01:55 PM
