Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

Summary

Microsoft released security updates covering 183 vulnerabilities across its products. Three flaws are confirmed as being exploited in the wild: two Windows zero-days (CVE-2025-24990 and CVE-2025-59230) and a Secure Boot bypass in IGEL OS (CVE-2025-47827). The bulk of the issues are elevation-of-privilege bugs, alongside remote code execution and information-disclosure flaws.

CVE-2025-24990 is an elevation-of-privilege vulnerability in the Agere modem driver (ltmdm64.sys) that ships with every Windows release; Microsoft intends to remove the legacy driver rather than issue a conventional patch. CVE-2025-59230 affects the Remote Access Connection Manager (RasMan) and is the first RasMan zero-day observed in attacks. All three exploited flaws have been added to CISA's Known Exploited Vulnerabilities catalogue, with US federal agencies required to remediate by 4 November 2025.

The bulletin also flags several high-severity issues: a WSUS remote code execution (CVE-2025-59287), a Windows URL parsing RCE (CVE-2025-59295), and two CVSS 9.9 issues — a Microsoft Graphics privilege escalation (CVE-2025-49708) that can lead to full VM escape, and an ASP.NET security-feature bypass (CVE-2025-55315) that enables request smuggling under authenticated sessions.

Key Points

  • Microsoft patched 183 vulnerabilities in October 2025: 165 rated Important, 17 Critical, 1 Moderate.
  • Two Windows zero-days are actively exploited: CVE-2025-24990 (Agere modem driver) and CVE-2025-59230 (RasMan); both enable privilege escalation.
  • CVE-2025-24990 is particularly serious because the vulnerable Agere driver ships with every Windows build — Microsoft will remove the legacy driver instead of issuing a traditional patch.
  • The IGEL OS Secure Boot bypass (CVE-2025-47827) requires local/physical access and can enable kernel-level compromise of virtual desktop environments.
  • All three exploited vulnerabilities are on CISA’s KEV list; federal agencies must patch by 4 November 2025.
  • Other critical flaws include WSUS RCE (CVE-2025-59287), Windows URL parsing RCE (CVE-2025-59295), Graphics component VM-escape (CVE-2025-49708) and an ASP.NET bypass (CVE-2025-55315).
  • Many vendors released updates in this window; organisations should prioritise patching exposed systems (especially WSUS hosts, legacy drivers and virtualisation hosts).

Why should I read this?

Short version: patch now. One of the zero-days comes from a legacy modem driver that ships with every Windows install, so even machines without modems can be hit. We've cut through the noise — this summary tells you which bugs matter, why they're dangerous and what to fix first.

Source

https://thehackernews.com/2025/10/two-new-windows-zero-days-exploited-in.html