Record Patch Tuesday: Microsoft Fixes 175 Vulnerabilities, Critical ASP.NET Core CVE Scores 9.9

Microsoft’s October 2025 Patch Tuesday delivers a record 175 security fixes, including two actively exploited zero-days and a critical ASP.NET Core vulnerability (CVE-2025-55315) with a CVSS 9.9 rating. This update also marks the end of support for Windows 10.

Microsoft has unleashed its October 2025 Patch Tuesday, a massive security update addressing a record-breaking 175 vulnerabilities across its product ecosystem. This release fixes critical flaws, including zero-days actively being exploited by attackers. It also marks the end of support for Windows 10, and users are urged to transition to Extended Security Updates.

Key Takeaways

  • A record 175 vulnerabilities were patched, the highest number for the year.
  • Two zero-day vulnerabilities (CVE-2025-24990 and CVE-2025-59230) were actively exploited.
  • Windows 10 has reached its end of support, requiring users to enroll in Extended Security Updates.
  • Several critical vulnerabilities with high CVSS scores were addressed.

A Record-Breaking Patch Release

This month's Patch Tuesday is notable for its sheer volume, with Microsoft addressing 175 Common Vulnerabilities and Exposures (CVEs). This figure surpasses all previous Patch Tuesday releases for the year and pushes the total number of patched vulnerabilities past last year's annual count. The update covers a wide array of Microsoft products, including Windows, Office, Azure, Hyper-V, GitHub, Exchange Server, and BitLocker.

Actively Exploited Zero-Days Addressed

Two zero-day vulnerabilities were among the most critical issues patched. CVE-2025-24990, affecting the Agere Windows Modem Driver, and CVE-2025-59230, impacting the Windows Remote Access Connection Manager, both carried a CVSS score of 7.8. The Cybersecurity and Infrastructure Security Agency (CISA) has added these to its Known Exploited Vulnerabilities catalog. Microsoft has removed the Agere modem driver, rendering affected hardware non-functional on Windows, and is urging users to remove any dependencies on it.

Critical Vulnerabilities and High-Severity Flaws

Beyond the zero-days, Microsoft's update tackles numerous other high-priority vulnerabilities. Among the most severe are CVE-2025-55315 affecting ASP.NET Core and CVE-2025-49708 impacting the Microsoft Graphics Component, both with a CVSS score of 9.9. Additionally, 14 vulnerabilities were flagged as more likely to be exploited, including CVE-2025-59246 (Azure Entra ID) and CVE-2025-59287 (Windows Server Update Service), both with CVSS ratings of 9.8.

End of an Era: Windows 10 Support Concludes

This October's Patch Tuesday also signifies the end of support for Windows 10. Microsoft has released its final cumulative update for the operating system. Users and organizations still running Windows 10 will need to subscribe to the Extended Security Updates (ESU) program to continue receiving security patches. Several other Microsoft products, including Exchange Server 2016 and 2019, and Office 2016/2019, have also reached their end of support.

Recommendations for Users

Microsoft strongly advises users to apply these updates promptly to protect against potential exploitation. Back up systems before deploying updates. Organizations should conduct thorough testing before widespread deployment to avoid potential compatibility issues. The sheer number and severity of vulnerabilities patched underscore the importance of maintaining a robust patch management strategy.
