Virtual Administrator’s October 2025 Patch Recommendations

All new patches will be approved in our patch policy.
This month Microsoft released patches for 172 vulnerabilities with 8 rated “Critical” in severity.
The 172 security updates are a record for this year, and some claim it’s an all-time record for Microsoft. This is also the last month Windows 10 will get security patches – unless you enroll in the Extended Security Updates (ESU) program.
- Of the 8 “Critical” vulnerabilities, 5 are remote code execution vulnerabilities and 3 are elevation of privilege vulnerabilities.
- CVE-2025-24990 and CVE-2025-59230 are being actively exploited.
- CVE-2025-24990 affects a third-party modem driver called Agere Modem which has been bundled with Windows for years.
- CVE-2025-59230 is an elevation of privilege vulnerability in Windows Remote Access Connection Manager (aka RasMan).
- Also of note: CVE-2025-59287 is a critical remote code execution bug in the Windows Server Update Service (WSUS).
- These are patched with the Cumulative Update/Monthly Rollup.
- A few new SSUs for Windows Server 2012/2016 and Windows 10 versions 1507/1607.
There are 3 known issues reported by Microsoft so far – see “Known Issues” below.
Disclosed: CVE-2025-24052
Exploited: CVE-2025-24990, CVE-2025-59230
Security Update Guide
https://msrc.microsoft.com/update-guide/en-us
Microsoft Security Advisories
ADV990001 | Latest Servicing Stack Updates (Published: 11/13/2018 | Last Updated: 10/14/2025)
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.
NOTE: The Windows 10/11 Security Stack Updates are included in the monthly Cumulative Updates.
FYI: End of service statement
This version of Windows 10 has reached end of service. Devices running the following versions of Windows 10 will no longer receive monthly security and quality updates that contain protection from the latest security threats.
You can enroll your personal Windows 10 PC in the Extended Security Updates (ESU) program and receive critical monthly security updates after servicing ends.
Windows Server 2016 requires a paid Extended Security Update (ESU) after its official support ends on January 12, 2027.
Windows Server 2019 requires Extended Security Updates (ESU) to receive security patches after January 9, 2029, its official extended support end date.
Heads Up! Word will now AutoSave to OneDrive
Word is changing forever—your new documents will now live in the cloud by default
Microsoft Word forcing you to save new files to the cloud? Here’s how to stop it
Known Issues
Microsoft confirmed a few issues with media players having trouble with protected content, IIS websites failing to load and large AD security groups failing to synchronize.
Microsoft continues to list unresolved older problems under the Known Issues for new patches, so if you have not yet experienced one of these issues, it is unlikely to occur now.
“Problems playing protected content in some BluRay/DVD/Digital TV apps”
Affected platforms: Windows 11, version 24H2, Windows 11, version 25H2
Symptom: Some Digital TV and Blu-ray/DVD apps might not play protected content as expected after installing the August 29, 2025, Windows non-security preview update (KB5064081), or later updates. Apps that use Enhanced Video Renderer with HDCP enforcement or Digital Rights Management (DRM) for digital audio might show copyright protection errors, frequent playback interruptions, unexpected stops, or black screens. Streaming services are not affected.
Workaround: This issue is partially resolved. Problems affecting certain applications that use Enhanced Video Renderer with HDCP enforcement have been addressed in the September 2025 Windows preview update (KB5065789) and later updates. We recommend installing the latest update for your device. It includes important improvements and fixes, including a resolution for this issue. However, some apps that use DRM for digital audio might still experience problems.
Status: We’re investigating a long-term solution for affected apps and will share more information when it’s available.
“IIS websites might fail to load”
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-24h2
https://learn.microsoft.com/en-us/windows/release-health/status-windows-11-25h2
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025
Affected platforms: Windows 11, version 24H2/25H2/Server 2025
Symptom: Following installation of updates released on or after September 29 (KB5065789/KB5066835), server-side applications that rely on HTTP.sys may experience issues with incoming connections. As a result, IIS websites might fail to load, displaying a message such as “Connection reset – error (ERR_CONNECTION_RESET)”, or a similar error. This includes websites hosted on http://localhost/, and other IIS connections.
Mitigation: This issue is addressed using Known Issue Rollback (KIR) and is resolved automatically for most home users and non-managed business devices. Restarting your Windows device might help the resolution apply to your device faster.
Status: We are working on releasing a resolution for this issue in a future Windows update. We will provide an update when more information is available.
“Directory synchronization fails for AD security groups exceeding 10,000 members”
https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025
Affected platforms: Windows Server 2025
Symptom: Applications that use the Active Directory directory synchronization (DirSync) control for on-premises Active Directory Domain Services (AD DS), such as when using Microsoft Entra Connect Sync, can result in incomplete synchronization of large AD security groups exceeding 10,000 members. This issue occurs only on Windows Server 2025 after installing the September 2025 Windows security update (KB5065426), or later updates.
Workaround: Affected customers can apply the following registry key to disable the feature change.
Status: We are investigating this issue and will provide a resolution in a future Windows update.
A good resource for known issues with Windows 10/11/Server patches is the page below. Find the version and click on “Known issues”.
Windows release health
https://docs.microsoft.com/en-us/windows/release-health/
Monthly Rollup/Security Only/Windows 10,11/Server 2016,2019,2022,2025 KBs
Links take the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only.
Security and Quality Rollup
- KB5066873 – Windows Server 2012 R2 (ESU)
- KB5066875 – Windows Server 2012 (ESU)
Cumulative Updates
Windows 10
- KB5066837 – Original release version 1507 (OS Build 10240)
- KB5066836 – Version 1607 “Anniversary Update” (OS Build 14393)
- KB5066586 – Version 1809 “October 2018 Update” (OS Build 17763)
- KB5066791 – Version 21H2 “November 2021 Update” (OS Build 19044)
- KB5066791 – Version 22H2 “November 2022 Update” (OS Build 19045)
(Versions 1511,1703,1709,1803,1903,1909,2004,20H2,21H1 are no longer under support)
Windows 11
- KB5066793 – 22H2 (OS Build 22621)
- KB5066793 – 23H2 (OS Build 22631)
- KB5066835 – 24H2 (OS Build 26100)
- KB5066835 – 25H2 (OS Build 26200)
(Version 21H2 is no longer under support)
Windows Server
- KB5066836 – Server 2016 (same KB as Windows 10 Version 1607)
- KB5066586 – Server 2019 (same KB as Windows 10 Version 1809)
- KB5066782 – Server 2022 (OS Build 20348)
- KB5066780 – Server 23H2 (OS Build 25398)
- KB5066835 – Server 2025 (OS Build 26100)
October 2025 updates for Microsoft Office
Notable CVEs
CVE-2025-24990 | Windows Agere Modem Driver Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Microsoft recommends removing any existing dependencies on this hardware.
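A local check built from the KB list above and the ltmdm64.sys removal described here, as an added example that is not code from Microsoft or Virtual Administrator: it maps the machine's OS build to this month's KB and reports whether the Agere driver file is still on disk. The function name, the output property names and the System32\drivers location are assumptions; only the KB numbers, builds and the driver file name come from the page.

```powershell
# Added example. Build-to-KB pairs are copied from the KB list on this page.
$OctoberKb = @{
    10240 = 'KB5066837'; 14393 = 'KB5066836'; 17763 = 'KB5066586'
    19044 = 'KB5066791'; 19045 = 'KB5066791'; 20348 = 'KB5066782'
    22621 = 'KB5066793'; 22631 = 'KB5066793'; 25398 = 'KB5066780'
    26100 = 'KB5066835'; 26200 = 'KB5066835'
}

function Get-OctoberPatchState {   # hypothetical name
    # OS build of the local machine, e.g. 26100 for Windows 11 24H2 / Server 2025.
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber
    $kb    = $OctoberKb[$build]    # $null when the build is not in the list

    $listed = $false
    $link   = $null
    if ($kb) {
        # Get-HotFix returns nothing (error suppressed) when the KB is not recorded.
        $listed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
        # Support link format from this page: the KB number only, no "KB" prefix.
        $link = 'https://support.microsoft.com/en-us/help/' + $kb.Substring(2)
    }

    # Assumed location: the standard driver directory. The page gives only
    # the file name ltmdm64.sys.
    $driverPath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'

    [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        Build        = $build
        ExpectedKb   = $kb
        KbListed     = $listed      # $false can also mean a later cumulative
                                    # update has superseded this KB
        KbLink       = $link
        AgereDriver  = Test-Path -LiteralPath $driverPath
    }
}

Get-OctoberPatchState | Format-List
```

A machine that reports `AgereDriver : True` still carries the driver file and is worth a closer look, whatever `KbListed` says.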
CVE-2025-49708 | Microsoft Graphics Component Elevation of Privilege Vulnerability (Cumulative Update)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49708
Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges over a network.
CVE-2025-59230 | Windows Remote Access Connection Manager Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59230
Improper access control in Windows Remote Access Connection Manager allows an authorized attacker to elevate privileges locally. An attacker who successfully exploited this vulnerability could gain SYSTEM privileges.
CVE-2025-59227/CVE-2025-59234 | Microsoft Office Remote Code Execution Vulnerability (Click to Run, KB5002792)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59227
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59234
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability. An attacker must send the user a malicious file and convince them to open it.
CVE-2025-59236 | Microsoft Excel Remote Code Execution Vulnerability (Click to Run, KB5002797)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59236
The word Remote in the title refers to the location of the attacker. This type of exploit is sometimes referred to as Arbitrary Code Execution (ACE). The attack itself is carried out locally. This means an attacker or victim needs to execute code from the local machine to exploit the vulnerability.
CVE-2025-59287 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.