…“The vulnerable driver ships with every version of Windows, up to and including Server 2025,” Adam Barnett, lead software engineer at Rapid7, said. “Maybe your fax modem uses a different chipset, and so you don’t need the Agere driver? Perhaps you’ve simply discovered email? Tough luck. Your PC is still vulnerable, and a local attacker with a minimally privileged account can elevate to administrator.”…
To anyone misreading this, these exploits were patched yesterday and thus were included as the final patch for Windows 10 before the extended security updates requirements kick in.
Known exploits are always reported to the company first to give them time to patch it before releasing info on the exploits.
All Windows 10 users will continue to have access to the patches in this final freely available patch Tuesday for Windows 10. They just can’t get new updates without joining the ESU program.
I hate Microsoft too and only use Linux, but let’s stop the circlejerk of false claims here please and thank you.
Zero-day means the company had 0 days to fix it before the exploits were made public. Maybe the headline is wrong?
Nope 0 days means
Zero-day vulnerability: A software flaw that attackers discover before the developer does.
Zero-day exploit: The method hackers use to take advantage of this unknown vulnerability.
Zero-day attack: An attack that uses a zero-day exploit to damage a system, steal data, or plant malware before a patch is available. This is a serious risk because no defenses are in place for this specific flaw yet.
The first is the most common one found in the press and is usually reported to the company so they can patch it, before press release.
But it would be weird to call something a “zero-day” if it wasn’t being exploited. Like if I discover a vuln, it shouldn’t be considered a zero-day, even if I report it, if I’m not exploiting it in the wild.
Ahh TIL. Thanks for the clarification!
Perhaps, either that or they made a very quick fix making updates to address them the day before this patch release.
People have probably been sitting on exploits for months or longer. There will probably be another wave after the 1 year extended support ends.
So stick with my Linux and don’t boot into Windows again. Got it.
Lots of these exploits can be very specific cases so aren’t going to threaten the average user. However the point is, Windows 10 is now a huge target and there are lots who would love to take advantage of a freshly open gate.
This is fixed, and the attacker required physical access to the hardware.
It will be interesting what happens with this Windows 10 end of support, this just happens to crop up the day after support ends.
The exploits are addressed in the patch released yesterday, on the final day of support.
Generally such exploits aren’t released to the public until they have been patched, to prevent wider abuse of the exploits in the meantime.
https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24990
As you can see here near the bottom of the page it lists security updates for this epxloit having been released on October 14rh, 2025, the final day of Win10 support. These updates will still be available to Windows 10 systems even after October 14th, they will just be unable to get new patches after that date.
So will MS leave people in the lurch or issue an emergency patch? The former will drive people straight to replacements and the community need to be like a predator ready to move in to injured prey.
If we don’t it will be a massive opportunity lost.
Why not bother reading the comment you responded to?
The patch has already been released, that’s literally my point. It was part of their final patches released for Windows 10 yesterday.
This is from the CVE page for the exploits discussed in the srticle.
yeah, the timing is ‘interesting’
Fixed and required physical access to the machine. If someone malicious has physical access to your machine you’re already done.
And it’s not likely to be the last.
If true:
Totally none did wait for most popular win10 end supports…
If fake:
Totally none sus this for being fake scarecrow against anyone who would like to stay on non-service, standalone system.
