October Patch Tuesday Commentary From Fortra

By Tyler Reguly, Associate Director, Security R&D, Fortra

Today is a record-setting day, one that should likely concern everyone in a few different ways. Today, Microsoft addressed, via direct and third-party CVE assignments, 196 CVEs. Since Microsoft moved away from security bulletins and toward security guidance in 2017, the record for CVEs in a single month was 161 in January of this year. Today, however, Microsoft beat that record with a more than 20% increase.

Why should everyone be concerned? First, that is a lot of vulnerabilities to address, and there are definitely a few oddball issues this month that we don’t normally see. Today, for example, I learned about a new OS called IGEL OS. According to CVE-2025-47827, this vulnerability allows for a Secure Boot bypass. Similarly, there’s a vulnerability in the Trusted Computing Group’s TPM 2.0 reference implementation, defined by CVE-2025-2884, which could lead to information disclosure. Not only are these issues we don’t normally see in a Patch Tuesday drop, but they are also issues that were disclosed months ago. The IGEL OS issue was disclosed in May, while the TPM 2.0 issue was disclosed in June. Yet Microsoft is only getting patches out for these issues now. If you’re a CISO, you might want your teams to ask your Microsoft TAMs why it took so long to get updates out.

One of the updates that I find more interesting this month is the fix for a set of privilege escalation vulnerabilities in the Agere Modem Driver that ships with Windows. These attacks, one of which has already seen active exploitation, can work even if the modem is not being used and will elevate the attacker’s access to administrator privileges. The fix, however, caught my attention because Microsoft is simply removing the driver, ltmdm64.sys, from the system. This driver removal addresses both CVE-2025-24990 and CVE-2025-24052.
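Because the fix here is the removal of a driver rather than a patched binary, the practical post-update check is whether ltmdm64.sys has actually left the host. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the usual locations (System32\drivers for the driver file, the DriverStore FileRepository for package copies) and matches the driver service by image path rather than by a guessed service name.

```powershell
# Added example: verify that the Agere modem driver (ltmdm64.sys) is gone
# after the October update. Exit code 0 = clean, 1 = something remains.
$driverName = 'ltmdm64.sys'
$findings = @()

# 1. The driver binary itself in the live drivers directory.
$driverFile = Join-Path $env:SystemRoot "System32\drivers\$driverName"
if (Test-Path -LiteralPath $driverFile) {
    $findings += "File still present: $driverFile"
}

# 2. Any kernel driver service whose image path points at ltmdm64.sys.
#    Matching on PathName avoids assuming the service name.
Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" } |
    ForEach-Object {
        $findings += "Driver service '$($_.Name)' still registered " +
                     "(state: $($_.State), path: $($_.PathName))"
    }

# 3. Leftover package copies in the DriverStore (assumed location; a copy here
#    could be re-installed by Plug and Play even after the live file is gone).
$store = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
if (Test-Path -LiteralPath $store) {
    Get-ChildItem -LiteralPath $store -Recurse -Filter $driverName `
        -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "DriverStore copy: $($_.FullName)" }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: no trace of $driverName on $env:COMPUTERNAME"
    exit 0
}
$findings | ForEach-Object { Write-Output "FINDING: $_" }
exit 1
```

Run it elevated so the DriverStore is readable, and treat a non-zero exit as a host to follow up on rather than as proof the update failed.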

CISOs this month may want to ask their teams if they are using Azure Confidential Computing (ACC) AMD-based clusters, due to the AMD processor vulnerability assigned CVE-2025-0033. Updates for this are currently in development, so there is no resolution process available right now. Instead, customers need to monitor their Azure Service Health Alerts to watch for notifications letting them know that they need to remove their ACC resources. If your teams are using ACC, you’ll want to check in regularly to ensure that they are watching for that reboot notification, so that you will ultimately know when this publicly disclosed vulnerability is resolved.

CISOs may also want to question their Microsoft contacts on the three Copilot vulnerabilities that were resolved this month. This is a time when an executive summary would be very useful, but unfortunately Microsoft did not include one for any of these three issues. Instead, all we know is that there were three spoofing issues, two within M365 Copilot Business Chat (CVE-2025-59286 and CVE-2025-59272) and one within M365 Word Copilot (CVE-2025-59252). I would want to ask three questions:

  1. What was the issue?
  2. What were the risks associated with the issue?
  3. Are there any ways that I can tell if my organization was impacted by the issue?

Unfortunately, Microsoft does not address this and simply lets us know that they have fully mitigated the issue and that there is no action that we need to take. With all the implementations of AI within organizations, I would think that CISOs would like a little more than, “There was a risk, we fixed it,” if they want to sleep better at night.

Discover more from The IT Nerd