Cybersecurity News Kinetic Potential

Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

Thu, 10/16/2025 - 09:37 / 0 Comments

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.

Of the 183 vulnerabilities, eight of them are non-Microsoft issued CVEs. As many as 165 flaws have been rated as Important in severity, followed by 17 as Critical and one as Moderate. The vast majority of them relate to elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest.

The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025's Patch Tuesday update.

The two Windows zero-days that have come under active exploitation are as follows -

CVE-2025-24990 (CVSS score: 7.8) - Windows Agere Modem Driver ("ltmdm64.sys") Elevation of Privilege Vulnerability

CVE-2025-59230 (CVSS score: 7.8) - Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability

Microsoft said both issues could allow attackers to execute code with elevated privileges, although there are currently no indications on how they are being exploited and how widespread these efforts may be. In the case of CVE-2025-24990, the company said it's planning to remove the driver entirely, rather than issue a patch for a legacy third-party component.

The security defect has been described as "dangerous" by Alex Vovk, CEO and co-founder of Action1, as it's rooted within legacy code installed by default on all Windows systems, irrespective of whether the associated hardware is present or in use.

"The vulnerable driver ships with every version of Windows, up to and including Server 2025," Adam Barnett, lead software engineer at Rapid7, said. "Maybe your fax modem uses a different chipset, and so you don't need the Agere driver? Perhaps you've simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator."

According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-59230 is the first vulnerability in RasMan to be exploited as a zero-day. Microsoft has patched more than 20 flaws in the component since January 2022.

The third vulnerability that has been exploited in real-world attacks concerns a case of Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827, CVSS score: 4.6). Details about the flaw were first publicly disclosed by security researcher Zack Didcott in June 2025.

"The impacts of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the Virtual Desktops, including capturing credentials," Kev Breen, senior director of threat research at Immersive, said.

"It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that 'evil-maid' style attacks are the most likely vector affecting employees who travel frequently."

All three issues have since been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by November 4, 2025.

Some other critical vulnerabilities of note include a remote code execution (RCE) bug (CVE-2025-59287, CVSS score: 9.8) in Windows Server Update Service (WSUS), an out-of-bounds read vulnerability in the Trusted Computing Group (TCG) TPM2.0 reference implementation's CryptHmacSign helper function (CVE-2025-2884, CVSS score: 5.3), and an RCE in Windows URL Parsing (CVE-2025-59295, 8.8).

"An attacker can leverage this by carefully constructing a malicious URL," Ben McCarthy, lead cybersecurity engineer at Immersive, said about CVE-2025-59295. "The overflowed data can be designed to overwrite critical program data, such as a function pointer or an object's virtual function table (vtable) pointer."

"When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the program's execution flow to a memory address controlled by the attacker. This allows the attacker to execute arbitrary code (shellcode) on the target system."

Two vulnerabilities with the highest CVSS score in this month's update relate to a privilege escalation flaw in Microsoft Graphics Component (CVE-2025-49708, CVSS score: 9.9) and a security feature bypass in ASP.NET (CVE-2025-55315, CVSS score: 9.9).

While exploiting CVE-2025-55315 requires an attacker to be first authenticated, it can be abused to covertly get around security controls and carry out malicious actions by smuggling a second, malicious HTTP request within the body of their initial authenticated request.

"An organization must prioritize patching this vulnerability because it invalidates the core security promise of virtualization," McCarthy explained regarding CVE-2025-49708, characterizing it as a high-impact flaw that leads to a full virtual machine (VM) escape.

"A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker can then access, manipulate, or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases, or production applications."

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including —

Adobe

Amazon Web Services

AMD

AMI

Apple

ASUS

Axis Communications

Broadcom (including VMware)

Canon

Check Point

Cisco

D-Link

Dell

Drupal

Elastic

F5

Fortinet

Foxit Software

FUJIFILM

Gigabyte

GitLab

Google Chrome

Google Cloud

Google Pixel Watch

Grafana

Hitachi Energy

HMS Networks (including Red Lion)

Honeywell

HP

HP Enterprise (including Aruba Networking and Juniper Networks)

IBM

Ivanti

Jenkins

Lenovo

Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu

MediaTek

Mitsubishi Electric

MongoDB

Moodle

Moxa

Mozilla Firefox, Firefox ESR, and Thunderbird

NVIDIA

Oracle

Palo Alto Networks

Progress Software

QNAP

Qualcomm

Ricoh

Rockwell Automation

Salesforce

Samsung

SAP

Schneider Electric

ServiceNow

Siemens

SolarWinds

SonicWall

Splunk

Spring Framework

Supermicro

Synology

TP-Link

Unity

Veeam, and

Zoom

This article was published by The Hacker News. Please check their website for the originalcontent.

Add new comment

About text formats

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
CAPTCHA This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
10 + 9 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.

Share The Story


Stay informed - subscribe to our newsletter.
The subscriber's email address.

Recent Posts