Microsoft Patch Tuesday for October 2025 — Snort rules and prominent vulnerabilities
Microsoft has released its monthly security update for October 2025, addressing 175 Microsoft CVEs and 21 non-Microsoft CVEs. Among these, 17 vulnerabilities are considered critical and 11 are flagged as important and considered more likely to be exploited. Current intelligence shows that three of the important vulnerabilities have already been detected in the wild.
In the following notes we provide a concise overview of the most significant issues, focusing on the vulnerabilities that could impact the widest user base or carry the highest severity.
Exploited in the Wild
Three vulnerabilities were confirmed to have been exploited in the wild.
CVE‑2025‑24990: Windows Agere Modem Driver Elevation of Privilege Vulnerability
Microsoft identified a flaw in the third‑party Agere Modem driver that ships with supported Windows operating systems. The driver was permanently removed in the October cumulative update. Users who rely on fax modem hardware that depends on this driver should uninstall any remaining components, as the affected driver is no longer supported.
CVE‑2025‑59230: Windows Remote Access Connection Manager Elevation of Privilege Vulnerability
An improper access‑control check in Windows Remote Access Connection Manager allows an authorized attacker to gain elevated local privileges when accessing the service.
CVE‑2025‑47827: Secure Boot Bypass in IGEL OS before 11
This vulnerability permits a crafted root file-system to bypass Secure Boot on IGEL OS versions before 11 due to incorrect cryptographic signature verification performed by the igel-flash-driver module.
Critical Vulnerabilities
Microsoft marked 17 vulnerabilities as critical in this release. While none of these has been observed being exploited in the wild, their severity warrants prompt remediation.
CVE‑2025‑59287 Windows Server Update Service (WSUS) Remote Code Execution Vulnerability – Deserialization of untrusted data in WSUS allows an attacker to remotely execute code, potentially compromising the update service on vulnerable servers.
CVE‑2025‑59246, CVE‑2025‑59218 Azure Entra ID Elevation of Privilege Vulnerabilities – An attacker could exploit Azure Entra ID to elevate privileges, affecting the identity platform’s access control.
CVE‑2025‑0033 RMP Corruption During SNP Initialization – A race condition during Reverse Map Table initialization in AMD EPYC SEV‑SNP processors can allow a hypervisor with privileged control to modify RMP entries before they are locked. Azure Confidential Computing products contain multiple safeguards to prevent host compromise.
CVE‑2025‑59234 Microsoft Office Remote Code Execution Vulnerability – A use‑after‑free bug in Microsoft Office enables an attacker to execute code locally on an affected system, contingent on the presence of vulnerable content.
CVE‑2025‑49708 Microsoft Graphics Component Elevation of Privilege Vulnerability – An unauthenticated network attacker can manipulate the Graphics component through use‑after‑free logic to elevate privileges on a target machine.
CVE‑2025‑59291 Confidential Azure Container Instances Elevation of Privilege Vulnerability – External control of file names or paths in Confidential Azure Container Instances allows a privileged attacker to elevate privileges locally within the container environment.
CVE‑2025‑59292 Azure Compute Gallery Elevation of Privilege Vulnerability – Misuse of file names or paths can enable a privileged attacker to gain elevated rights in an Azure Compute Gallery context.
CVE‑2025‑59227 Microsoft Office Remote Code Execution Vulnerability – Exploitation of this vulnerability would allow remote execution on Office applications across multiple Windows versions.
CVE‑2025‑59247 Azure PlayFab Elevation of Privilege Vulnerability – PlayFab services can be manipulated by an unauthorized actor to elevate privileges, impacting the underlying Azure infrastructure.
CVE‑2025‑59252, CVE‑2025‑59272, CVE‑2025‑59286 Copilot Spoofing Vulnerabilities – Improper sanitization and encoding of user‑supplied data in Microsoft 365 Copilot leads to spoofing attacks.
CVE‑2025‑59271 Redis Enterprise Elevation of Privilege Vulnerability – Redis Enterprise servers may allow privileged escalation through a configuration oversight, impacting managed Azure Redis services.
CVE‑2025‑55321 Azure Monitor Log Analytics Spoofing Vulnerability – Cross‑site scripting (XSS) in Azure Monitor allows a network attacker to perform spoofing attacks within the Log Analytics portal.
CVE‑2025‑59236 Microsoft Excel Remote Code Execution Vulnerability – An unauthorized attacker could trigger a use‑after‑free in Microsoft Excel, causing local code execution on the target system.
CVE‑2016‑9535 LibTIFF Heap Buffer Overflow – The libtiff library contains a heap‑buffer‑overflow that can be triggered by malformed TIFF files, potentially allowing an attacker to execute arbitrary code under the user context.
Talos would also like to highlight 11 important vulnerabilities that were considered more likely to be exploited: CVE‑2025‑48004, CVE‑2025‑24052, CVE‑2025‑55676, CVE‑2025‑55681, CVE‑2025‑58722, CVE‑2025‑59199, CVE‑2025‑55680, CVE‑2025‑55692, CVE‑2025‑55693, CVE‑2025‑55694 and CVE‑2025‑59194. They range from remote code execution to privilege escalation across both desktop and cloud environments.
Security teams are encouraged to examine the detailed advisory documents for each CVE to understand the exact scope and mitigations. A complete list of all the other vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new Snort ruleset that detects attempts to exploit some of them. Please note that additional rules may be released at a future date, and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Ruleset customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
Snort 2 rules included in this release that protect against the exploitation of many of these vulnerabilities are: 65391 – 65410, 64420 – 65422.
The following Snort 3 rules are also available: 301325 – 301334.
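As an added example (not part of the Talos post), a small Python check that expands the SID ranges quoted above and reports which of them are absent from, or commented out in, a local Snort .rules file; the rule lines embedded here are constructed placeholders, not real Talos rules, and the range strings are copied from the notes above.

```python
import re
from typing import Iterable

# SID ranges exactly as listed in the release notes above (Snort 2 and Snort 3).
SNORT2_RANGES = "65391 - 65410, 64420 - 65422"
SNORT3_RANGES = "301325 - 301334"

# Accept a hyphen, en dash or em dash between range endpoints.
_RANGE_RE = re.compile(r"(\d+)\s*[-\u2013\u2014]\s*(\d+)")
# Matches the sid option inside a Snort rule body, e.g. "... sid:301325; rev:1;)".
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def expand_sid_ranges(spec: str) -> set[int]:
    """Turn '65391 - 65410, 301330' into the set of individual SIDs."""
    sids: set[int] = set()
    for chunk in spec.split(","):
        chunk = chunk.strip()
        m = _RANGE_RE.fullmatch(chunk)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2))
            sids.update(range(lo, hi + 1))
        elif chunk.isdigit():
            sids.add(int(chunk))
        else:
            raise ValueError(f"cannot parse SID spec {chunk!r}")
    return sids

def deployed_sids(rule_lines: Iterable[str]) -> set[int]:
    """Collect SIDs of enabled rules; commented-out rules ('# alert ...') are skipped."""
    found: set[int] = set()
    for line in rule_lines:
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        m = _SID_RE.search(stripped)
        if m:
            found.add(int(m.group(1)))
    return found

def missing_sids(required_spec: str, rule_lines: Iterable[str]) -> list[int]:
    """Required SIDs that are absent from, or disabled in, the deployed ruleset."""
    return sorted(expand_sid_ranges(required_spec) - deployed_sids(rule_lines))

# Constructed sample .rules content (placeholders, not real Talos rules):
# two Snort 3 SIDs enabled, one commented out, the rest of the range missing.
SAMPLE_RULES = """
alert tcp any any -> $HOME_NET any (msg:"placeholder"; sid:301325; rev:1;)
alert tcp any any -> $HOME_NET any (msg:"placeholder"; sid:301326; rev:1;)
# alert tcp any any -> $HOME_NET any (msg:"placeholder"; sid:301327; rev:1;)
""".strip().splitlines()
```

To run it against a real deployment, pass the lines of your installed .rules file to `missing_sids` in place of `SAMPLE_RULES`.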