Patch Tuesday: Windows 10 end of life pain for IT departments
The day Microsoft officially ended support for Windows 10 has coincided with a Patch Tuesday update, with several zero-day flaws that attackers could exploit to target the older Windows operating system.
Among these is CVE-2025-24990, which covers a legacy system driver that Microsoft has removed entirely from Windows. “The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) reveals the security risks of maintaining legacy components within modern operating systems,” warned Ben McCarthy, lead cyber security engineer at Immersive.
“This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years,” he said. “Kernel-mode drivers operate with the highest system privileges, making them a prime target for attackers seeking to escalate their access.”
McCarthy said threat actors are using this vulnerability as a second stage for their operations. “The attack chain typically begins with the actor gaining an initial foothold on a target system through common methods like a phishing campaign, credential theft, or by exploiting a different vulnerability in a public-facing application,” he said.
McCarthy added that Microsoft’s decision to remove the driver entirely, rather than issue a patch, is a direct response to the risks associated with modifying unsupported, third-party legacy code. “Attempts to patch such a component can be unreliable, potentially introducing system instability or failing to address the root cause of the vulnerability completely,” he said.
In removing the driver from the Windows operating system, McCarthy said Microsoft has prioritised reducing the attack surface over absolute backward compatibility. “By removing the vulnerable and obsolete component, the potential for this specific exploit is zero,” he said. “The security risk presented by the driver was determined to be greater than the requirement to continue supporting the outdated hardware it serves.”
McCarthy said this approach demonstrates that an effective security strategy must include the lifecycle management of outdated code, where removal is often more definitive and secure than patching.
Another zero-day flaw that is being patched concerns the Trusted Platform Module from the Trusted Computing Group (TCG). Adam Barnett, lead software engineer at Rapid7, noted that the CVE-2025-2884 flaw concerns the TPM 2.0 reference implementation, which, under normal circumstances, is likely to be replicated in the downstream implementation by every manufacturer.
“Microsoft is treating this as a zero-day despite the curious circumstance that Microsoft is a founder member of TCG, and thus presumably aware of the discovery before its publication,” he said. “Windows 11 and newer versions of Windows Server receive patches. Instead of patches, admins for older Windows products such as Windows 10 and Server 2019 receive another implicit reminder that Microsoft would strongly prefer that everyone upgrade.”
One of the patches classified as “critical” has such a profound impact that some security experts advise IT departments to patch immediately. McCarthy warned that the CVE-2025-49708 critical vulnerability in the Microsoft Graphics Component, although classed as an “elevation of privilege” security issue, has a severe real-world impact.
“It’s a full virtual machine [VM] escape,” he said. “This flaw, with a CVSS score of 9.9, completely shatters the security boundary between a guest virtual machine and its host operating system.”
McCarthy urged organisations to prioritise patching this vulnerability because it invalidates the core security promise of virtualisation.
“A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can escape and execute code with system privileges directly on the underlying host server,” he said. “This failure of isolation means the attacker can then access, manipulate or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases or production applications.”