Key Takeaways
October 14, 2025 marks the final publicly available security update for Windows 10 systems, Office 2016 and 2019, and Exchange 2016 and 2019. Microsoft will provide Extended Security Updates (ESU) support for Windows 10 for the next three years at an additional cost. Migration to Exchange Online or subscription edition is the path forward for Exchange users.
Microsoft resolved 172 new CVEs (highest in 2025 so far and possibly the highest in the history of Microsoft Patch Tuesday), including three known exploited and two public disclosures. Eight CVEs are rated Critical by Microsoft (five RCE, three Elevation of Privilege) and affect the Windows OS, Office and Azure.
Mozilla released five updates resolving 45 CVEs. Mozilla was very specific about the language used in three of the resolved CVEs: it states that there was some evidence of memory corruption that could reflect exploitation, though no confirmation is available yet. All five updates include at least one of the suspected exploited CVEs, so we recommend treating all five as containing a known exploited CVE.
Adobe released 12 updates addressing 36 CVEs. Adobe has rated the Commerce update as a priority two and the rest of the updates as priority three.
Ivanti releases standard security patches on the second Tuesday of every month. Our vulnerability management program is central to our commitment to maintaining secure products. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of rigorous scrutiny and a proactive vulnerability management program. By aggressively seeking to identify and address vulnerabilities, our aim is to get ahead of threat actors to ensure our customers can take the steps needed to protect their environments.
We believe that responsible transparency helps protect our customers, and that CVE disclosures are an essential and effective tool to communicate software vulnerabilities. The purpose of assigning a CVE is to provide a beacon to security teams and signal the need for urgent updates.
To that end, today Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Neurons for MDM.
More information on these vulnerabilities and detailed instructions on how to remediate the issues can be found in these Security Advisories:
In addition, Ivanti has issued a Security Advisory for Ivanti Endpoint Manager, which provides mitigation options for vulnerabilities disclosed October 7, 2025. It is important for customers to know:
We have no evidence of any of these vulnerabilities being exploited in the wild.
These vulnerabilities do not impact any other Ivanti solutions.
The CSP Global Support team is always available to help customers and partners should they have any questions.