Cybersecurity Weekly Update: 13–22 October 2025
- SOC Team
- Oct 22
- 3 min read
1. Record‑Breaking Patch Tuesday from Microsoft
On 14 October 2025, Microsoft released its largest‐ever Patch Tuesday cycle — addressing approximately 175 vulnerabilities across Windows, Office, Azure and other products. (itbriefcase.net) Notably:
Three zero‑days (CVE‑2025‑24990, CVE‑2025‑59230, CVE‑2025‑47827) are confirmed to be actively exploited in the wild. (Hackread)
A breakdown indicates 83 elevation‑of‑privilege (EoP) bugs, 30 remote‑code execution (RCE) issues & 26 information‐disclosure flaws. (SOCRadar® Cyber Intelligence Inc.)
Windows 10 is effectively at its free end‑of‑life for standard support; organisations still running it must consider Extended Security Updates (ESU) or migration. (Dark Reading) Why it matters: For sectors such as defence, finance, healthcare and education — where compromised systems can result in data exfiltration, regulatory fines or disruption of critical services — this release demands immediate patch‑prioritisation. Action: Review and apply Microsoft’s October updates urgently. Prioritise systems with exposed remote access, legacy drivers (like the Agere modem driver) and Windows 10 endpoints.
2. Attack Chain Example: Social Engineering → Domain Controller → Ransomware
A recent incident (reported mid‑October) illustrates a mature attack chain: starting with a vishing social‑engineering call to capture VPN credentials; followed by DCSync on a domain controller, exfiltration (~400 GB), deployment of RAT + AnyDesk, and encryption of ~60 VMware ESXi hosts. (News, Events, Advertising Options)
Why it matters: Educational institutions and healthcare providers often have VPN access, legacy infrastructure and limited telemetry — making them attractive to these kinds of attacks.
Action: Enforce multi‑factor authentication (MFA) for all remote access; restrict service‐account interactive logons; ensure endpoint telemetry is broad (not minimal); review segmentation and EOL infrastructure.
3. Critical Vulnerabilities: Zero‑Days and Wormable Bugs
Several high‑severity vulnerabilities grabbed attention:
The Agere modem driver vulnerability (CVE‑2025‑24990) in Windows allows privilege escalation even if the modem isn’t in use — Microsoft removed the driver. (Help Net Security)
CVE‑2025‑59230 in Windows Remote Access Connection Manager (RasMan) allows escalation to SYSTEM. (CrowdStrike)
Vulnerabilities in Microsoft Message Queuing (MSMQ) including 20+ CVEs with wormable potential. (ThreatsHub) Why it matters: These bugs pose significant risk especially in regulated industries where server‑to‑server compromise can lead to large‐scale damage. Action: Beyond patching, confirm that your patching process covers all Windows variants including embedded/legacy systems; inventory legacy drivers and services; and ensure defensive controls (like least privilege, EDR, alerting) are enabled.
4. Supply Chain and Vendor Risk Remain Front‑of‑Mind
The week also saw fresh reminders that vendor and supply‑chain risk are ongoing threats: for example, third‑party vendors or OEM drivers (like the Agere driver above) continue to be exploited. Further, threat actors are increasingly targeting less hardened access paths (help‑desk credentials, service accounts).
Why it matters: In healthcare and education especially, many organisations rely on third‑party vendors, outsourced services and legacy systems. A weakness in one supplier can become a breach in the main organisation.
Action: Review vendor contracts/assessments; ensure you have visibility into outsourced platforms; enforce access limits for third‑party accounts; include vendor‑patching and vendor‑audit in your cyber programme.
5. Recommended Immediate Steps for Our Customers
Patch as priority: Apply Microsoft’s October 2025 updates immediately; check legacy Windows 10 and Windows Server systems.
Audit remote access: Confirm MFA is enforced on VPNs/remote access; review service accounts; limit interactive use.
Strengthen vendor & supply chain controls: Map your third‑party dependencies (especially in defence, finance, healthcare, education segments); enforce auditing, contractual safeguards and periodic security reviews.
Ensure telemetry and incident readiness: Organisations with limited endpoint monitoring or segmented infrastructure are at higher risk — invest in improved visibility, segmentation and incident‑response planning.
Legacy systems = higher risk: Systems using outdated drivers, unsupported OS, or rarely‐updated infrastructure (e.g., OT/ICS, old VM hosts) represent attractive targets — treat them as high‑risk.
