Frightful Patch Tuesday gives admins a scare with 175+ Microsoft CVEs, 3 under attack

Spooky season is in full swing, and this extends to Microsoft's October Patch Tuesday with security updates for a frightful 175 Microsoft vulnerabilities, plus an additional 21 non-Microsoft CVEs. And even scarier than the sheer number of bugs: three are listed as under attack, with three others publicly known, and 17 deemed critical security holes.

Let's start with the flaws that attackers already found and exploited before Redmond pushed patches.

Three other bugs are listed as publicly known, which means that attackers are likely already scanning for vulnerable software. These include:

In addition to the critical bug in some AMD EPYC processors, the other 16 critical-severity flaws in this month's Patch Tuesday can lead to elevation of privilege, spoofing, and remote code execution (RCE), with one of these garnering a nearly perfect 9.8 CVSS severity score.

Tracked as CVE-2025-59287, it exists in Windows Server Update Services (WSUS) and allows a remote, unauthenticated attacker to send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in RCE. ZDI's Childs says he suspects this bug will be targeted for attack soon.

"That means this is wormable between affected WSUS servers," Childs noted. "Since WSUS remains a critical piece of anyone's infrastructure, it's an attractive target for those looking to do harm. If you use WSUS, don't hesitate to test and deploy this update quickly."

Also on October Patch Tuesday, Adobe released 12 updates to fix 36 vulnerabilities in its products, none of which are listed as being exploited or publicly known. All five CVEs addressed in Adobe's Substance 3D Stager update are deemed critical as they allow arbitrary code execution, while the patch for Dimension fixes four critical code execution vulnerabilities. Two critical bugs in Illustrator and FrameMaker can also lead to code execution. 

Meanwhile, updates for Adobe's other products - Commerce, Connect, Animate, Substance 3D Viewer, Experience Manager Screens, Substance 3D Modeler, Creative Cloud, and Bridge - fix a range of critical, important, and moderate flaws.

SAP today released 13 new security notes and four updates to previously released security notes. Four of these are rated critical, including a fix for a maximum-severity OS command execution flaw in NetWeaver and an update to a September patch to fix another perfect-10-severity OS command execution bug in NetWeaver.

Ivanti has joined the second-Tuesday patchapalooza with advisories for Endpoint Manager Mobile (four CVEs) and Neurons for MDM (three CVEs). None of these have been abused as of now, so make sure to apply the updates to avoid being victim zero. ®

Source: The Register
