October 2025 was marked by a series of high-impact vulnerabilities targeting core enterprise software, cloud identity platforms, and virtualization frameworks. Several of these flaws were classified as Critical, with confirmed active exploitation in the wild and immediate additions to the CISA Known Exploited Vulnerabilities catalog.
The most severe issues centered on Microsoft WSUS, Azure Entra ID, and the Microsoft Graphics Component, each exposing systems to unauthenticated remote code execution or tenant-level privilege escalation. Broadcom’s VMware products and Control Web Panel also faced confirmed exploitation, leading to full system compromise in unpatched environments.
Microsoft Windows Server Update Services (WSUS) Remote Code Execution Vulnerability
- Severity & Score: Critical (CVSS v3.1: 9.8)
- Type: Remote Code Execution (RCE) via Unsafe Deserialization (CWE-502)
- Disclosure: October 24, 2025 (Urgent Out-of-Band Update)
- Exploitation Status: Actively Exploited In The Wild (Confirmed by CISA KEV on October 24, 2025)
This flaw is a critical unauthenticated RCE affecting Windows Server Update Services (WSUS). The vulnerability lies in the WSUS reporting web services, specifically in how the application decrypts and then deserializes untrusted data (a malicious AuthorizationCookie). An attacker sends a crafted SOAP request to the /ClientWebService/Client.asmx endpoint, which is processed by the vulnerable EncryptionHelper.DecryptData(). Because this function uses a hardcoded key, the attacker can supply a cookie that the server will decrypt and then deserialize, carrying a malicious gadget-chain payload (often created using tools like ysoserial.net). The result is arbitrary code execution with SYSTEM privileges on the vulnerable server; in observed attacks this has been used to deploy ransomware or to establish C2 channels via DNS exfiltration.
Mitigation Strategies:
The October 2025 out-of-band (OOB) Microsoft update must be applied immediately. Because exploitation was rapid and widespread after the initial disclosure, exposed WSUS instances should be treated as potentially compromised. Organizations must also restrict all inbound traffic to the WSUS ports (by default 8530 for HTTP and 8531 for HTTPS) to trusted internal sources only.
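As an added example that is not part of the original post, the following Python triage reads IIS W3C log lines from a WSUS server and reports POSTs to the /ClientWebService/Client.asmx endpoint on ports 8530/8531 that came from outside the trusted internal ranges, which is exactly the traffic the port restriction above is meant to stop. The log lines and the trusted networks (the RFC 1918 ranges) are constructed for the example.

```python
import ipaddress

# Assumed trusted internal ranges; replace with the networks that legitimately host WSUS clients.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WSUS_PORTS = {8530, 8531}            # default WSUS HTTP / HTTPS listeners
CLIENT_ENDPOINT = "/clientwebservice/client.asmx"

# Constructed IIS W3C extended log excerpt; the #Fields header names the columns in order.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-24 10:01:02 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.0.42 Windows-Update-Agent 200
2025-10-24 10:01:09 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.77 python-requests/2.32 200
2025-10-24 10:01:15 10.0.0.5 GET /Content/example.cab - 8530 - 203.0.113.77 Windows-Update-Agent 404
2025-10-24 10:02:30 10.0.0.5 POST /ClientWebService/Client.asmx - 8531 - 198.51.100.9 Windows-Update-Agent 500
"""

def parse_w3c(text: str):
    """Yield one dict per record, using the most recent #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_untrusted_client_calls(text: str):
    """Return (client ip, port, status) for POSTs to the client web service that did
    not come from a trusted network: traffic the port restriction should have blocked,
    and a starting point for a compromise assessment of the WSUS host."""
    hits = []
    for rec in parse_w3c(text):
        if int(rec["s-port"]) not in WSUS_PORTS:
            continue
        if rec["cs-method"] != "POST" or rec["cs-uri-stem"].lower() != CLIENT_ENDPOINT:
            continue
        if not is_trusted(rec["c-ip"]):
            hits.append((rec["c-ip"], int(rec["s-port"]), rec["sc-status"]))
    return hits

if __name__ == "__main__":
    for ip, port, status in find_untrusted_client_calls(SAMPLE_LOG):
        print(f"review: POST to Client.asmx on {port} from {ip} (HTTP {status})")
```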
Microsoft Graphics Component Elevation of Privilege / Remote Code Execution Vulnerability
- Severity & Score: Critical (CVSS v3.1: 9.9)
- Type: Elevation of Privilege (EoP) / Remote Code Execution (RCE) via Use-After-Free (UAF)
- Disclosure: October 14, 2025 (Patch Tuesday)
- Exploitation Status: No confirmed active exploitation, though the high severity dictates immediate action.
Tracked as a memory corruption issue, this flaw is rooted in a Use-After-Free (CWE-416) bug in the Microsoft Graphics Component. The CVSS vector AV:N/AC:L/PR:L/UI:N/S:C is particularly alarming: exploitation is network-based, requires only low privileges and no user interaction, and results in a Changed Scope (S:C). The scope change matters because it indicates the ability to break out of a security boundary. In virtualized environments this carries a significant risk of VM escape, allowing an attacker with low-privilege access to a guest VM to execute code with SYSTEM privileges on the underlying host hypervisor.
Mitigation Strategies:
Full application of all Microsoft security updates released on Patch Tuesday (October 2025) is mandatory. Due to the vector targeting the graphics component, ensuring browsers and other media-rendering applications are fully updated is also a necessary defense-in-depth measure.
CVE-2025-59246: Microsoft Azure Entra ID Privilege Escalation Vulnerability
- Severity & Score: Critical (CVSS v3.1: 9.8)
- Type: Elevation of Privilege (EoP) via Missing Authentication for Critical Function (CWE-306)
- Disclosure: October 9, 2025 (Patch Tuesday)
- Exploitation Status: No confirmed active exploitation.
This severe vulnerability resides in the core identity service, Azure Entra ID (formerly Azure Active Directory). The flaw is categorized as Missing Authentication for Critical Function, which allows an unauthenticated attacker (PR:N) to use an API or service endpoint to gain unauthorized administrative privileges within a target tenant. The attack vector is Network with Low Attack Complexity, and the impact is High across Confidentiality, Integrity, and Availability (C:H/I:H/A:H). Successful exploitation could result in full tenant compromise, allowing identity manipulation, policy modification, and access to protected cloud resources, making it one of the most severe cloud identity flaws of the year.
Mitigation Strategies:
Since this is a cloud-based service, verification that all server-side patches and configuration updates from October 2025 have been applied is essential. Organizations must enforce Zero Trust principles, including mandatory Multi-Factor Authentication (MFA) for all administrative accounts and adopting Just-in-Time (JIT) access for all privileged roles.
CVE-2025-59236: Microsoft Excel Remote Code Execution Vulnerability
- Severity & Score: High (Vendor-classified as Critical, CVSS v3.1: 8.4)
- Type: Remote Code Execution (RCE) via Use-After-Free (UAF)
- Disclosure: October 14, 2025 (Patch Tuesday)
- Exploitation Status: No confirmed active exploitation.
This is a desktop application RCE vulnerability within Microsoft Excel, categorized as a Use-After-Free (CWE-416). The attack vector is local, requiring an attacker to persuade a user to open a specially crafted Excel file (AV:L/UI:R). Once opened, the file triggers the memory corruption vulnerability, allowing code execution with the privileges of the logged-in user. While the RCE is local, the high prevalence of phishing and malicious document delivery makes this a critical risk for enterprise endpoints. The high impact score (C:H/I:H/A:H) reflects the complete loss of confidentiality and integrity of the user’s system upon successful exploitation.
Mitigation Strategies:
All security updates for Microsoft Office released in October 2025 must be deployed. Furthermore, organizational policy should disable macros by default, or strictly limit their execution to only signed macros from verified, trusted publishers to prevent the execution of malicious payloads often associated with these vulnerabilities.
CVE-2025-48703: CWP Control Web Panel OS Command Injection
- Vendor: Control Web Panel (CWP) / CentOS Web Panel
- Severity & Score: Critical (CVSS v3.1: 9.0)
- Type: OS Command Injection (CWE-78)
- Disclosure: September 19, 2025
- Exploitation Status: Actively Exploited In The Wild (Widespread in Oct 2025, added to CISA KEV on November 4, 2025)
This flaw allows unauthenticated Remote Code Execution (RCE) in CWP versions prior to 0.9.8.1205. It stems from improper neutralization of special elements, which lets an attacker inject shell metacharacters into the t_total parameter of a filemanager changePerm request. Although attack complexity is rated High (AC:H), automated tools and public Proof-of-Concept (PoC) code have made mass exploitation easy. Attackers can execute arbitrary operating system commands, often leading to server takeover and subsequent webshell or backdoor placement.
Mitigation Strategies:
System administrators must immediately upgrade Control Web Panel to version 0.9.8.1205 or later. Given the active exploitation, administrative interface access must be immediately restricted to only specific, trusted IP ranges to prevent opportunistic internet scanning and attacks.
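To show, in general terms, the CWE-78 fix that the upgrade delivers, here is an added Python example (not CWP's code, which is PHP, and not from the original page). It contrasts the unsafe pattern of concatenating a change-permission parameter into a shell command line with a handler that allow-lists an octal mode and calls chmod with no shell involved. The parameter name t_total is the one the page cites; the file paths are constructed.

```python
import os
import re
import stat
import tempfile

# A chmod mode is three or four octal digits; anything else (";", "|", "`", "$(...)",
# whitespace) fails the allow-list before it can reach a command line.
MODE_RE = re.compile(r"[0-7]{3,4}")

def validate_mode(t_total: str) -> bool:
    """Allow-list check for the permission value a change-permission request carries."""
    return MODE_RE.fullmatch(t_total) is not None

def build_unsafe_command(path: str, t_total: str) -> str:
    """The CWE-78 pattern: an unvalidated request parameter is concatenated into a
    shell command. Returned as a string and never executed, so the effect of shell
    metacharacters inside t_total is visible without running anything."""
    return f"chmod {t_total} {path}"

def change_perm_safe(path: str, t_total: str) -> int:
    """Hardened handler: validate, convert to an integer mode and call os.chmod
    directly, so no shell ever parses the value. Returns the resulting mode bits."""
    if not validate_mode(t_total):
        raise ValueError(f"rejected mode value: {t_total!r}")
    os.chmod(path, int(t_total, 8))
    return stat.S_IMODE(os.stat(path).st_mode)

def demo_safe_change(t_total: str):
    """Apply change_perm_safe to a throwaway file; None when the value is rejected."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        return change_perm_safe(path, t_total)
    except ValueError:
        return None
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print(build_unsafe_command("/home/user/public_html/index.php", "755;echo injected"))  # metacharacters survive
    print(oct(demo_safe_change("640")))   # 0o640
    print(demo_safe_change("640;echo injected"))  # None: rejected
```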
CVE-2025-41244: Broadcom VMware Aria Operations / VMware Tools Privilege Escalation
- Vendor: Broadcom (VMware)
- Severity & Score: High (CVSS v3.1: 7.8)
- Type: Local Privilege Escalation (LPE) via Privilege Defined with Unsafe Actions (CWE-267)
- Disclosure: September 29, 2025
- Exploitation Status: Actively Exploited In The Wild (Added to CISA KEV on October 30, 2025)
This is a dangerous Local Privilege Escalation (LPE) vulnerability that affects both VMware Tools and VMware Aria Operations when the Service Discovery Management Pack (SDMP) is enabled. The root cause is an insecure configuration or unsafe action where a privileged service executes non-system binaries from user-writable directories (like /tmp) as part of its service discovery process. Specifically, a local, non-administrative user can place a malicious executable in a predictable path (e.g., /tmp/httpd) which is then executed with root privileges by the vmtoolsd or Aria collector scripts. The vulnerability was confirmed to be actively used by the Chinese state-sponsored threat actor UNC5174 long before public disclosure.
Mitigation Strategies:
All vendor patches must be applied immediately, including VMware Tools 13.0.5, 12.5.4, and Aria Operations 8.18.5, released in October 2025. Organizations should follow CISA BOD 22-01 guidance to prioritize the remediation of this KEV-listed vulnerability.
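The root cause above is a privileged process trusting a binary by path alone. As an added example (not VMware's code and not from the original page), this Python check returns the reasons a privileged service should refuse to execute a candidate path, including an ancestor directory such as /tmp being world-writable. demo() builds a constructed directory layout to exercise both outcomes; the stop_at parameter is an assumption added so the demo's temporary directory can serve as the root of the audit.

```python
import os
import stat
import tempfile
from pathlib import Path

def unsafe_reasons(path, trusted_uids=(0,), stop_at=None):
    """Reasons a privileged service should refuse to execute `path`: not owned by a
    trusted uid, group/world-writable, or placed under a directory untrusted users
    can write to (a sticky /tmp still lets anyone create a new, predictable name).
    Ancestors are checked up to, but excluding, `stop_at` (None = all the way to '/')."""
    real = Path(path).resolve()
    if not real.is_file():
        return ["not a regular file"]
    reasons, st = [], real.stat()
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by untrusted uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("binary is group- or world-writable")
    stop = Path(stop_at).resolve() if stop_at else None
    for parent in real.parents:
        if parent == stop:
            break
        pst = parent.stat()
        if pst.st_uid not in trusted_uids:
            reasons.append(f"ancestor {parent} owned by untrusted uid {pst.st_uid}")
            break
        if pst.st_mode & stat.S_IWOTH:
            reasons.append(f"ancestor {parent} is world-writable")
            break
    return reasons

def demo():
    """Constructed layout: a properly owned bin/ tree versus a world-writable drop
    directory holding a same-named binary, mirroring the /tmp/httpd scenario."""
    me, base = (os.getuid(),), Path(tempfile.mkdtemp())
    (base / "opt").mkdir(0o755)
    good = base / "opt" / "bin"
    good.mkdir(0o755)
    drop = base / "tmp"
    drop.mkdir(0o1777)
    drop.chmod(0o1777)        # mkdir's mode is masked by umask; force the /tmp-style bits
    results = {}
    for name, folder in (("good", good), ("planted", drop)):
        exe = folder / "httpd"
        exe.write_text("#!/bin/sh\necho httpd\n")
        exe.chmod(0o755)
        results[name] = unsafe_reasons(exe, trusted_uids=me, stop_at=base)
    return results
```

Calling demo() returns an empty list for the bin/ copy and an "ancestor ... is world-writable" finding for the tmp/ copy; in production use the default stop_at so the walk reaches the filesystem root.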
October 2025 showed that critical vulnerabilities can be weaponized almost immediately after disclosure. From remote code execution in WSUS to privilege escalation in cloud and virtual environments, attackers are moving faster than patch cycles. Prompt application of security updates, strict control over administrative and network access, and continuous monitoring are now essential for enterprise resilience.