On Tuesday, Microsoft announced the release of patches for 183 vulnerabilities across its products, simultaneously ending support for Windows 10 unless devices are opted into the Extended Security Updates (ESU) program.
Zero-Day Exploits Addressed
Among the vulnerabilities, three are zero-days that were already being exploited in the wild. Two affect Windows components: CVE-2025-24990 in the Agere Modem Driver and CVE-2025-59230 in the Remote Access Connection Manager (RasMan). Both are elevation-of-privilege flaws with a CVSS score of 7.8. Microsoft plans to remove the Agere driver altogether to mitigate the risk.
The third, a Secure Boot bypass in IGEL OS versions below 11, can allow kernel-level rootkits to be installed if an attacker has physical access, though it carries a lower CVSS score of 4.6.
Critical Vulnerabilities Detailed
The vulnerabilities break down by severity as 165 rated Important, 17 Critical, and one Moderate. By type, they are dominated by privilege escalation (84 cases) and remote code execution (33), with smaller numbers of other flaw classes.
Significant issues include an RCE in Windows Server Update Services (CVSS 9.8), an out-of-bounds read in TPM 2.0's CryptHmacSign helper (CVSS 5.3), and a URL-parsing RCE (CVSS 8.8). Notably, a privilege escalation in the Microsoft Graphics Component (CVE-2025-55315, CVSS 9.9) and an ASP.NET security bypass (CVE-2025-49708, CVSS 9.9) were highlighted for their potential to give an attacker SYSTEM-level control.
Action Required for Vulnerability Management
Three of the zero-day vulnerabilities have been added to the U.S. CISA Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by November 4, 2025. Organizations are urged to address these issues promptly, prioritizing those with the highest severity scores. The company's statement underscores the importance of protecting systems against sophisticated threats.