Microsoft addressed 175 vulnerabilities affecting its core products and underlying systems, including two actively exploited zero-days, the company said in its latest security update. It’s the largest assortment of defects disclosed by the tech giant this year.

The zero-day vulnerabilities — CVE-2025-24990 affecting Agere Windows Modem Driver and CVE-2025-59230 affecting Windows Remote Access Connection Manager — both have a CVSS rating of 7.8. The Cybersecurity and Infrastructure Security Agency added both zero-days to its known exploited vulnerabilities catalog Tuesday.

Microsoft said the third-party Agere Modem drive that ships with supported Windows operating systems has been removed in the October security update. Fax modem hardware that relies on the driver will no longer work on Windows, the company said.

Attackers can achieve administrator privileges by exploiting CVE-2025-24990. “All supported versions of Windows can be affected by a successful exploitation of this vulnerability, even if the modem is not actively being used,” Microsoft said in its summary of the defect.

The improper access control vulnerability affecting Windows Remote Access Connection manager can be exploited by an authorized attacker to elevate privileges locally and gain system privileges, Microsoft said. 

Windows Remote Access Connection Manager, a service used to manage remote network connections through virtual private networks and dial-up networks, is a “frequent flyer on Patch Tuesday, appearing more than 20 times since January 2022,” Satnam Narang, senior staff research engineer at Tenable, said in an email. “This is the first time we’ve seen it exploited in the wild as a zero day.”

The most severe vulnerabilities disclosed this month include CVE-2025-55315 affecting ASP.NET core and CVE-2025-49708 affecting Microsoft Graphics Component. Microsoft said exploitation of the defects is less likely, but both have a CVSS rating of 9.9.

Microsoft flagged 14 defects as more likely to be exploited this month, including a pair of critical vulnerabilities with CVSS ratings of 9.8 — CVE-2025-59246 affecting Azure Entra ID and CVE-2025-59287 affecting Windows Server Update Service.

The vendor disclosed five critical and 121 high-severity vulnerabilities this month. The full list of vulnerabilities addressed this month is available in Microsoft’s Security Response Center.

The post Microsoft’s Patch Tuesday fixes 175 vulnerabilities, including two actively exploited zero-days appeared first on CyberScoop.

Cisco disclosed a maximum-severity vulnerability affecting its Secure Firewall Management Center Software that could allow unauthenticated attackers to inject arbitrary shell commands and execute high-privilege commands, the vendor said in a security advisory Thursday. 

The enterprise networking vendor said it discovered the vulnerability — CVE-2025-20265 — during internal security testing. Cisco released a patch for the defect along with a series of 29 vulnerabilities in other Cisco Secure technologies. 

“To date, Cisco’s Product Security Incident Response Team (PSIRT) is not aware of any malicious use or exploitation of this vulnerability, and we strongly urge customers to upgrade to update releases,” a Cisco spokesperson told CyberScoop. “If an immediate upgrade is not feasible, implement a mitigation as outlined in the advisory.”

The disclosure marks yet another vulnerability in a widely used edge technology — a common and persistent point of intrusion for attackers. Edge technologies, including VPNs, firewalls and routers, harbored the four most frequently exploited vulnerabilities in 2024, according to Mandiant’s M-Trends report released earlier this year. 

“Anytime you see ‘remote, unauthenticated command injection,’ you should be concerned,” Nathaniel Jones, VP of security and AI strategy at Darktrace, told CyberScoop. “These are exactly the types of vulnerabilities that pose significant danger because they are highly attractive to nation-state actors like Salt Typhoon — and such groups are likely to move quickly to exploit them.” 

Darktrace hasn’t observed exploitation in the wild, nor is it aware of a proof-of-concept exploit. “But, this type of vulnerability means the clock is ticking. I’d bet a proof-of-concept is available come Monday,” Jones said. 

The remote-code execution vulnerability, which has a CVSS rating of 10, involves improper handling of user input during the authentication phase. “For this vulnerability to be exploited, Cisco Secure FMC Software must be configured for RADIUS (remote authentication dial-in user service) authentication for the web-based management interface, SSH (secure shell) management, or both,” Cisco said in the advisory.

The vulnerability affects Cisco Secure FMC Software versions 7.0.7 and 7.7.0 with RADIUS authentication enabled. The platform allows customers to configure, monitor, manage and update firewall controls. 

“The vulnerability means that no credential is needed nor proximity, and you can get full privileges,” Jones added. “The improper-input handling could let an attacker craft authentic packets containing malicious payloads that escape the intended command context and run arbitrary OS commands.”

The vendor said there are no workarounds for the vulnerability, and it confirmed the defect does not affect Cisco Secure Firewall Adaptive Security Appliance Software or Cisco Secure Firewall Threat Defense Software.

Jones said the maximum-severity vulnerability accentuates the unflattering security posture of edge devices and their development lifecycles. “It just reinforces why they’re attacked — because they sit at network boundaries where attackers can reach them without stepping inside first, often have high privileges and broad visibility and the gatekeeper can bypass multiple layers of security at once,” he said.

Cisco encouraged customers to determine exposure to CVE-2025-20265 and other vulnerabilities by running the Cisco Software Checker, which identifies vulnerabilities impacting specific software releases.

The post Cisco discloses maximum-severity defect in firewall software appeared first on CyberScoop.