Patchday XXL: Microsoft Closes Vulnerabilities, Some of Them Actively Exploited
As part of an extensive patching round, Microsoft has fixed critical Azure and Office vulnerabilities, among others, and also addressed three active exploits.
With more than 170 closed security vulnerabilities, Microsoft's patch day this month was unusually extensive. Among other things, 17 fixes for critical vulnerabilities are available for Azure, Copilot, Office, and the Windows Server Update Service (WSUS). Furthermore, three actively exploited vulnerabilities classified as "Important" make the (ideally automatic) installation of the available updates particularly urgent.
Active Exploits...
According to Microsoft's related advisories, active exploits target the Windows Remote Access Connection Manager (CVE-2025-59230, CVSS score 7.8), an old Agere modem driver (CVE-2025-24990, 7.8), and the Linux-based IGEL OS, usable on Windows systems (CVE-2025-47827, 4.6).
The Remote Access Connection Manager is now protected against local attackers, who could previously have escalated their privileges through the vulnerability. According to the security advisory, the Agere driver (ltmdm64.sys) has been completely removed – and with it another way for local attackers to gain administrative rights in the worst case.
The attack vector via IGEL OS, which requires physical access and is therefore only rated "Medium", has been blocked by an update to the Linux operating system included with the patch day. However, the exploit possibility likely affected only a few specially configured systems beforehand.
... and Critical Vulnerabilities
Microsoft classifies the following newly patched vulnerabilities as critical:
- AMD: RMP Corruption During SNP Initialization (CVE-2025-0033)
- Azure Compute Gallery Elevation of Privilege (CVE-2025-59292)
- Azure Entra ID Elevation of Privilege (CVE-2025-59218)
- Azure Entra ID Elevation of Privilege (CVE-2025-59246)
- Azure Monitor Log Analytics Spoofing (CVE-2025-55321)
- Azure PlayFab Elevation of Privilege (CVE-2025-59247)
- Confidential Azure Container Instances Elevation of Privilege (CVE-2025-59291)
- Copilot Spoofing Vulnerability (CVE-2025-59272)
- Copilot Spoofing Vulnerability (CVE-2025-59286)
- M365 Copilot Spoofing Vulnerability Microsoft Office Remote Code Execution (CVE-2025-59252)
- LibTIFF Heap Buffer Overflow Vulnerability (CVE-2016-9535)
- Redis Enterprise Elevation of Privilege Vulnerability (CVE-2025-59271)
- Windows Graphics Component Remote Code Execution (CVE-2025-49708)
- Windows Server Update Service (WSUS) Remote Code Execution (CVE-2025-59287)
- Microsoft Excel Remote Code Execution (CVE-2025-59236)
- Microsoft Office Remote Code Execution (CVE-2025-59227)
- Microsoft Office Remote Code Execution (CVE-2025-59234)
In this context, the highest CVSS scores were assigned to the vulnerabilities CVE-2025-59246 in Azure Entra ID, CVE-2025-59287 in WSUS (each 9.8 out of 10), and CVE-2025-49708 in a Windows graphics component (9.9).
Numerous security vulnerabilities could, under certain circumstances, be misused as an entry point for executing malicious code remotely (Remote Code Execution) – and thus, for example, for injecting malware like ransomware or for remotely controlling vulnerable systems.
Further Patches & Information
Microsoft has marked many of the other available updates as "Important" or rated them as "High". They target, among others, the .NET Framework, various Office components, PowerShell, and the operating system kernel.
Microsoft provides detailed information on all security vulnerabilities and patches in the Security Update Guide.
(ovw)