Update Windows 10 and 11 security now, CISA demands.
Updated October 18 with expert comment regarding CVE-2025-24990, which is now confirmed as residing in “legacy code installed by default on all Microsoft Windows systems.”
Users of Microsoft operating systems, including Windows and Windows Server in all their varieties, are always braced for the second Tuesday of the month. Patch Tuesday is when the tech behemoth rolls out a swathe of security updates addressing the latest vulnerabilities to impact consumers and businesses alike. This month has seen a record-breaking 196 Common Vulnerabilities and Exposures addressed in total, eclipsing the previous highest monthly number of 161. That is a striking figure even set against the total for 2024, which was itself a record-breaking year.
While the total number of vulnerabilities includes both Microsoft’s own and third-party CVEs, two have risen to the top of the update-now pile: CVE-2025-59230 and CVE-2025-24990. So much so, in fact, that America’s Cyber Defense Agency, the Cybersecurity and Infrastructure Security Agency, has given Federal Civilian Executive Branch agencies a two-week deadline to update and “urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation.” Here’s what you need to know and do.
Patch These Microsoft Windows Vulnerabilities Now, CISA Warns
The latest CISA warning gives those FCEB agencies that fall under the remit of Binding Operational Directive 22-01 just two weeks from October 14 to update their systems against the two Microsoft Windows security vulnerabilities in question. Whether that includes you or not, you would be foolish in the extreme not to follow suit and protect your systems and processes if they are affected by these CVEs.
The first is CVE-2025-59230, which Microsoft describes as “Improper access control in Windows Remote Access Connection Manager” that “allows an authorized attacker to elevate privileges locally.” In other words, an attacker who already has a foothold on the machine, as a low-privileged user or through a compromised application, can use it to gain higher privileges on that same machine. It is a zero-day in that it was already being exploited in the wild by October 14, when Microsoft released the patch.
“Local elevation of privilege is always attractive to an attacker,” Adam Barnett, lead software engineer at Rapid7, told me, “since even if it doesn’t get them where they need to be, it can provide an important link in the chain.”
The second is CVE-2025-24990, another zero-day threat, this time described as a vulnerability in “the third party Agere Modem driver that ships natively with supported Windows operating systems.”
“The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) shows the security risks of maintaining legacy components within modern operating systems,” Ben McCarthy, lead cyber security engineer at Immersive warned. “This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years.” McCarthy is correct in applauding Microsoft for its “decision to remove the driver entirely, rather than issue a patch” as attempting to fix such legacy code is fraught with uncertainty, stating that the action “prioritizes attack surface reduction over absolute backward compatibility.”
That’s the good news.
The bad news is that such legacy code, installed by default on all Windows systems, is likely to have been sitting there vulnerable for years, decades even.
“It’s an Untrusted Pointer Dereference flaw that lets attackers manipulate memory with kernel-level privileges due to improper validation of user-supplied pointers,” Alex Vovk, CEO and co-founder of Action1, said. “The issue is especially concerning because it resides in legacy code installed by default on all Windows systems, regardless of whether the associated hardware is present or in use.” Just let that sink in for a moment: every Windows system, whether or not you have ever used the hardware the driver was written for.
But it gets worse. “In sophisticated attack chains,” Vovk said, “it can escape sandboxes, establish persistence, deploy additional malware with system privileges, move laterally, and compromise security tools.”
Vovk estimated that the impact of the vulnerability is incredibly broad, with potentially 90 to 95% of Microsoft Windows-based organizations affected. “Beyond the immediate security risk,” Vovk concluded, “organizations using Agere modem hardware will face compatibility issues, as the hardware will cease to function after the October update.”
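Because Microsoft’s fix for CVE-2025-24990 is to remove the Agere driver rather than patch it, the quickest way to triage a Windows estate is to look for the driver itself. The script below is an added example written for this article, not code from Microsoft, CISA or any of the quoted vendors. It assumes, as the article describes, that the October update deletes ltmdm64.sys, so a surviving copy in the drivers folder is treated as a sign the update has not landed; it also flags any attached Agere modem, since those hosts will lose that hardware once updated and need a plan. It only reads system state and changes nothing. It does not cover CVE-2025-59230, for which the article gives no file or setting to inspect; that one is addressed by installing the same October update.

```powershell
# Added example: triage for CVE-2025-24990 (legacy Agere modem driver).
# Assumption (from the article): the October 2025 update removes ltmdm64.sys,
# so its presence on disk indicates an unpatched host. Run elevated.

$driverName = 'ltmdm64.sys'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"

$report = [ordered]@{
    ComputerName   = $env:COMPUTERNAME
    OSBuild        = (Get-CimInstance Win32_OperatingSystem).BuildNumber
    DriverFile     = $false   # ltmdm64.sys still on disk?
    DriverVersion  = $null
    DriverLoaded   = $false   # driver service currently running?
    AgereHardware  = $false   # is an Agere modem actually attached?
    LastHotFixDate = $null    # most recent installed update, for spotting stale hosts
}

# 1. The driver ships by default whether or not the hardware exists, so the
#    file check is the primary indicator.
if (Test-Path $driverPath) {
    $report.DriverFile    = $true
    $report.DriverVersion = (Get-Item $driverPath).VersionInfo.FileVersion
}

# 2. A registered driver service pointing at the file tells you whether the
#    vulnerable code is loaded in the kernel right now, not just present on disk.
$svc = Get-CimInstance Win32_SystemDriver |
       Where-Object { $_.PathName -like "*$driverName*" }
if ($svc) {
    $report.DriverLoaded = ($svc.State -eq 'Running')
}

# 3. Hosts with real Agere hardware lose modem function after the update
#    (per the article) and need a compatibility plan, not just a patch.
$pnp = Get-PnpDevice -Class Modem -ErrorAction SilentlyContinue |
       Where-Object { $_.FriendlyName -like '*Agere*' }
$report.AgereHardware = [bool]$pnp

# 4. Date of the most recent installed update, useful for sorting a fleet.
$hf = Get-HotFix | Where-Object InstalledOn |
      Sort-Object InstalledOn -Descending | Select-Object -First 1
if ($hf) { $report.LastHotFixDate = $hf.InstalledOn }

[pscustomobject]$report

if ($report.DriverFile) {
    Write-Warning "$driverName is still present: apply the October 2025 cumulative update."
}
if ($report.AgereHardware) {
    Write-Warning "Agere modem detected: it will stop working after the update; plan a replacement."
}
```

To run it across many machines, wrap the body in `Invoke-Command -ComputerName <list> -ScriptBlock { ... }` and pipe the resulting objects to `Export-Csv`; the `DriverFile` column is the one to sort on when deciding which hosts get the update first.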