Two New Windows Zero-Days Exploited in the Wild — One Affects Every Version Ever Shipped

The Hacker News, Vulnerabilities & CVEs. Archived Mar 16, 2026.

Ravie Lakshmanan, Oct 15, 2025. Vulnerability / Patch Tuesday

Microsoft on Tuesday released fixes for a whopping 183 security flaws spanning its products, including three vulnerabilities that have come under active exploitation in the wild, as the tech giant officially ended support for its Windows 10 operating system unless the PCs are enrolled in the Extended Security Updates (ESU) program.

Of the 183 vulnerabilities, eight are non-Microsoft-issued CVEs. As many as 165 flaws have been rated as Important in severity, followed by 17 as Critical and one as Moderate. The vast majority of them relate to elevation of privilege vulnerabilities (84), with remote code execution (33), information disclosure (28), spoofing (14), denial-of-service (11), and security feature bypass (11) issues accounting for the rest.

The updates are in addition to the 25 vulnerabilities Microsoft addressed in its Chromium-based Edge browser since the release of September 2025's Patch Tuesday update.

The two Windows zero-days that have come under active exploitation are as follows:

- CVE-2025-24990 (CVSS score: 7.8) - Windows Agere Modem Driver ("ltmdm64.sys") Elevation of Privilege Vulnerability
- CVE-2025-59230 (CVSS score: 7.8) - Windows Remote Access Connection Manager (RasMan) Elevation of Privilege Vulnerability

Microsoft said both issues could allow attackers to execute code with elevated privileges, although there are currently no indications of how they are being exploited or how widespread these efforts may be. In the case of CVE-2025-24990, the company said it's planning to remove the driver entirely, rather than issue a patch for a legacy third-party component.
The security defect has been described as "dangerous" by Alex Vovk, CEO and co-founder of Action1, as it's rooted within legacy code installed by default on all Windows systems, irrespective of whether the associated hardware is present or in use.

"The vulnerable driver ships with every version of Windows, up to and including Server 2025," Adam Barnett, lead software engineer at Rapid7, said. "Maybe your fax modem uses a different chipset, and so you don't need the Agere driver? Perhaps you've simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator."

According to Satnam Narang, senior staff research engineer at Tenable, CVE-2025-59230 is the first vulnerability in RasMan to be exploited as a zero-day. Microsoft has patched more than 20 flaws in the component since January 2022.

The third vulnerability that has been exploited in real-world attacks concerns a case of Secure Boot bypass in IGEL OS before 11 (CVE-2025-47827, CVSS score: 4.6). Details about the flaw were first publicly disclosed by security researcher Zack Didcott in June 2025.

"The impacts of a Secure Boot bypass can be significant, as threat actors can deploy a kernel-level rootkit, gaining access to the IGEL OS itself and, by extension, then tamper with the Virtual Desktops, including capturing credentials," Kev Breen, senior director of threat research at Immersive, said. "It should be noted that this is not a remote attack, and physical access is typically required to exploit this type of vulnerability, meaning that 'evil-maid' style attacks are the most likely vector affecting employees who travel frequently."

All three issues have since been added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the patches by November 4, 2025.
Some other critical vulnerabilities of note include a remote code execution (RCE) bug (CVE-2025-59287, CVSS score: 9.8) in Windows Server Update Services (WSUS), an out-of-bounds read vulnerability in the Trusted Computing Group (TCG) TPM2.0 reference implementation's CryptHmacSign helper function (CVE-2025-2884, CVSS score: 5.3), and an RCE in Windows URL Parsing (CVE-2025-59295, CVSS score: 8.8).

"An attacker can leverage this by carefully constructing a malicious URL," Ben McCarthy, lead cybersecurity engineer at Immersive, said about CVE-2025-59295. "The overflowed data can be designed to overwrite critical program data, such as a function pointer or an object's virtual function table (vtable) pointer."

"When the application later attempts to use this corrupted pointer, instead of calling a legitimate function, it redirects the program's execution flow to a memory address controlled by the attacker. This allows the attacker to execute arbitrary code (shellcode) on the target system."

The two vulnerabilities with the highest CVSS scores in this month's update relate to a privilege escalation flaw in Microsoft Graphics Component (CVE-2025-49708, CVSS score: 9.9) and a security feature bypass in ASP.NET (CVE-2025-55315, CVSS score: 9.9). While exploiting CVE-2025-55315 requires an attacker to be authenticated first, it can be abused to covertly get around security controls and carry out malicious actions by smuggling a second, malicious HTTP request within the body of the initial authenticated request.

"An organization must prioritize patching this vulnerability because it invalidates the core security promise of virtualization," McCarthy explained regarding CVE-2025-49708, characterizing it as a high-impact flaw that leads to a full virtual machine (VM) escape. "A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with SYSTEM privileges directly on the underlying host server. This failure of isolation means the attacker can then access, manipulate, or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases, or production applications."

Software Patches from Other Vendors

In addition to Microsoft, security updates have also been released by other vendors over the past several weeks to rectify several vulnerabilities, including:

- Adobe
- Amazon Web Services
- AMD
- AMI
- Apple
- ASUS
- Axis Communications
- Broadcom (including VMware)
- Canon
- Check Point
- Cisco
- D-Link
- Dell
- Drupal
- Elastic
- F5
- Fortinet
- Foxit Software
- FUJIFILM
- Gigabyte
- GitLab
- Google Chrome
- Google Cloud
- Google Pixel Watch
- Grafana
- Hitachi Energy
- HMS Networks (including Red Lion)
- Honeywell
- HP
- HP Enterprise (including Aruba Networking and Juniper Networks)
- IBM
- Ivanti
- Jenkins
- Lenovo
- Linux distributions AlmaLinux, Alpine Linux, Amazon Linux, Arch Linux, Debian, Gentoo, Oracle Linux, Mageia, Red Hat, Rocky Linux, SUSE, and Ubuntu
- MediaTek
- Mitsubishi Electric
- MongoDB
- Moodle
- Moxa
- Mozilla Firefox, Firefox ESR, and Thunderbird
- NVIDIA
- Oracle
- Palo Alto Networks
- Progress Software
- QNAP
- Qualcomm
- Ricoh
- Rockwell Automation
- Salesforce
- Samsung
- SAP
- Schneider Electric
- ServiceNow
- Siemens
- SolarWinds
- SonicWall
- Splunk
- Spring Framework
- Supermicro
- Synology
- TP-Link
- Unity
- Veeam
- Zoom
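HTTP request smuggling, as described above for the ASP.NET bypass CVE-2025-55315, works only when two components disagree about where one request's body ends and the next request begins. The article does not describe the ASP.NET-specific trigger, and the example below does not attempt to reproduce it; it is an added example, not code from The Hacker News, Microsoft or Immersive, showing the kind of strict framing check a reverse proxy or WAF can apply at the front door so that any request with ambiguous length is rejected before a back end ever parses it. The header rules follow RFC 9110/9112 (a message carrying both Transfer-Encoding and Content-Length, conflicting Content-Length values, or non-standard Transfer-Encoding spellings is treated as invalid). All sample requests are constructed for this example.

```python
"""Strict HTTP/1.1 request-framing check against request smuggling.

A request whose body length is ambiguous is rejected outright rather than
"best-effort" parsed, because a front end that guesses one way while the
back end guesses the other is exactly what lets a second request be
smuggled inside the body of the first. The sample requests at the bottom
are constructed for this example.
"""
import re

# RFC 9110 field-name (token) followed immediately by ':' and optional
# whitespace. A space between the name and the colon does not match, so
# "Transfer-Encoding : chunked" is reported as malformed, not accepted.
_HEADER_RE = re.compile(rb"^([!#$%&'*+.^_`|~0-9A-Za-z-]+):[ \t]*(.*?)[ \t]*$")


def parse_headers(raw: bytes) -> tuple[bytes, list[tuple[bytes, bytes]]]:
    """Split a raw request head into (request-line, [(name, value), ...]).

    Names are lower-cased (header names are case-insensitive). Raises
    ValueError on obsolete line folding or a line that is not a header.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers: list[tuple[bytes, bytes]] = []
    for line in header_lines:
        if line[:1] in (b" ", b"\t"):
            raise ValueError("obsolete line folding")
        m = _HEADER_RE.match(line)
        if not m:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((m.group(1).lower(), m.group(2)))
    return request_line, headers


def framing_problems(raw: bytes) -> list[str]:
    """Return every reason the request's message length is ambiguous.

    An empty list means the framing is unambiguous and the request may be
    forwarded; anything else should be answered with 400 and logged.
    """
    try:
        _, headers = parse_headers(raw)
    except ValueError as e:
        return [str(e)]

    problems: list[str] = []
    cls = [v for n, v in headers if n == b"content-length"]
    tes = [v for n, v in headers if n == b"transfer-encoding"]

    # RFC 9112 section 6.1: both headers together is the classic CL.TE / TE.CL
    # smuggling setup. Reject instead of choosing one.
    if cls and tes:
        problems.append("both Content-Length and Transfer-Encoding present")

    # Content-Length must be decimal digits; duplicates are tolerated only
    # when they carry the identical value.
    for v in cls:
        if not re.fullmatch(rb"[0-9]+", v):
            problems.append(f"non-numeric Content-Length {v!r}")
    if len(set(cls)) > 1:
        problems.append("conflicting Content-Length values")

    # Only the exact coding "chunked" is accepted. Variants such as
    # "xchunked" or "chunked, identity" are the kind of spelling different
    # parsers normalise differently, so they are rejected rather than guessed.
    for v in tes:
        if v != b"chunked":
            problems.append(f"unsupported or obfuscated Transfer-Encoding {v!r}")
    if len(tes) > 1:
        problems.append("multiple Transfer-Encoding headers")
    return problems


# Constructed sample requests (not captured traffic).
CLEAN = (b"POST /api/orders HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 10\r\n\r\n{\"qty\": 1}")
CL_TE = (b"POST /api/orders HTTP/1.1\r\nHost: app.example\r\n"
         b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n")
DUP_CL = (b"POST /api/orders HTTP/1.1\r\nHost: app.example\r\n"
          b"Content-Length: 4\r\nContent-Length: 10\r\n\r\n")
OBFUSCATED_TE = (b"POST /api/orders HTTP/1.1\r\nHost: app.example\r\n"
                 b"Transfer-Encoding: xchunked\r\n\r\n")
SPACE_BEFORE_COLON = (b"POST /api/orders HTTP/1.1\r\nHost: app.example\r\n"
                      b"Transfer-Encoding : chunked\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("clean", CLEAN), ("cl+te", CL_TE), ("dup-cl", DUP_CL),
                       ("obfuscated-te", OBFUSCATED_TE),
                       ("space-before-colon", SPACE_BEFORE_COLON)]:
        print(f"{label:20s} -> {framing_problems(req) or 'ok'}")
```

In a deployment this check sits in front of the application server; the useful operational signal is the rejection itself, since legitimate clients have no reason to send two disagreeing length headers, so a spike in these 400s from one source is worth an alert.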