Daily Cyber Briefing
The Daily Cyber Briefing delivers concise, no-fluff updates on the latest cybersecurity threats, breaches, and regulatory changes. Each episode equips listeners with actionable insights to stay ahead of emerging risks in today’s fast-moving digital landscape.
Patch Tuesday Mayhem: Zero-Days, Critical ICS Flaws, and Why Synced Passkeys are a Digital Shenanigan
Today, we unpack the massive October 2025 Patch Tuesday, covering exploited Windows zero-days, critical vulnerabilities in Adobe Connect and major ICS vendors like Red Lion, Siemens, and Rockwell. Plus, a deep dive into why enterprise organizations must ditch synced passkeys for device-bound credentials to prevent sophisticated authentication downgrade attacks.
Welcome back to Cyber Scoops & Digital Shenanigans. I’m your host, Mike Housch, and if you thought last month was busy, buckle up. We are diving deep into the massive vulnerability dump that was October 2025, which, frankly, looked less like Patch Tuesday and more like Patch Tsunami. We’ve got zero-days actively exploited in the wild, CVSS 10.0 flaws hitting critical infrastructure, and a crucial conversation about why your organization needs to immediately rethink its reliance on synced passkeys.
Segment 1: The October 2025 Patch Bonanza
Let’s start with the big players. Microsoft released patches for a staggering 173 unique CVEs in October 2025, plus fixes for another 21 non-Microsoft CVEs. Among these were five critical-severity bugs, but the real headline concerns the two flaws that were already actively exploited in the wild.
The first zero-day is CVE-2025-24990, an elevation of privilege vulnerability in the Windows Agere Modem Driver, ltmdm64.sys. This one is particularly nasty because security researchers noted that this legacy driver ships with every version of Windows, up to and including Server 2025, regardless of whether the associated hardware is even present. An attacker with minimal privileges could exploit this untrusted pointer dereference bug to gain administrative privileges. Microsoft’s planned fix? Removing the vulnerable driver entirely.
The second exploited flaw is CVE-2025-59230, an improper access control issue in the Windows Remote Access Connection Manager, or RasMan. Exploiting this bug could allow an attacker to gain SYSTEM privileges. This marks the first time a vulnerability in RasMan has been exploited as a zero-day. Both of these zero-days have been added to CISA's Known Exploited Vulnerabilities (KEV) list, urging federal agencies to patch them within three weeks.
But Microsoft wasn't alone. Adobe announced patches for over 35 vulnerabilities across its product portfolio. Critically, they addressed a major flaw in the Adobe Connect collaboration suite, tracked as CVE-2025-49553 (CVSS score of 9.3). This is described as a cross-site scripting (XSS) issue that could be exploited to execute arbitrary code, and the fix is available in Connect version 12.10. Adobe also raised the priority rating for their Commerce and Magento Open Source updates to '2' due to the historical elevated risk associated with those products, warning about a high-severity XSS issue that could lead to privilege escalation.
And if you’re running large enterprise business software, SAP also had a busy Patch Tuesday. They released 16 new and updated patch notes, including three fresh notes addressing critical-severity issues. Notably, they rolled out additional protections for the insecure deserialization flaw CVE-2025-42944 in NetWeaver AS Java, a bug with a perfect CVSS score of 10.0. Another critical flaw patched was a directory traversal bug in Print Service, CVE-2025-42937 (CVSS 9.8), which could allow unauthenticated attackers to overwrite system files. Although SAP isn't aware of exploitation in the wild, they strongly advise immediate patching, as threat actors are known to target SAP bugs.
Segment 2: Industrial Cyber Risks—The Critical Infrastructure Crisis
Moving from standard enterprise software to the lifeblood of our infrastructure: Industrial Control Systems, or ICS. October 2025 Patch Tuesday included over 20 advisories from major ICS/OT vendors like Siemens, Schneider Electric, Rockwell Automation, ABB, and Phoenix Contact.
The findings are alarming.
Let’s talk about Red Lion. Researchers disclosed two critical security flaws, both rated a maximum CVSS score of 10.0, impacting Red Lion Sixnet remote terminal unit (RTU) products. These RTUs are fundamental components used in critical sectors like energy, water and wastewater treatment, transportation, utilities, and manufacturing.
The flaws—CVE-2023-42770 (an authentication bypass) and CVE-2023-40151 (a remote code execution vulnerability)—can be chained together. This means an unauthenticated attacker could bypass protections to execute commands with root privileges on the device. The consequence? Significant possibilities for process disruption or damage. If you use Red Lion SixTRAK or VersaTRAK RTUs, patching immediately is non-negotiable, and it’s also recommended to enable user authentication and block TCP access to the affected devices.
Siemens also released six new advisories, featuring two critical vulnerabilities. One critical flaw is in TeleControl Server Basic, allowing an unauthenticated, remote attacker to obtain user password hashes and perform unauthorized operations. The second critical bug impacts Simatic ET 200SP communication processors, allowing unauthenticated, remote access to configuration data.
Rockwell Automation published seven new advisories, including one with an overall 'critical' severity rating. That advisory addresses three flaws in the 1783-NATR configurable NAT router that could allow an attacker to cause a Denial of Service (DoS) condition, take control of admin accounts, and modify NAT rules.
The bottom line here: The stakes in ICS cybersecurity are immense, and these critical flaws are proof that threat actors are going after foundational operational technology.
Segment 3: Digital Shenanigans—The Passkey Problem
Now, let’s pivot to identity, a topic critical for CISOs and enterprise access. We need to talk about passkeys, specifically synced passkeys, which are credentials synced across devices through consumer cloud services like iCloud and Google Cloud.
While passkeys are often heralded as the future of authentication, the current reality presents a major security risk: synced passkeys are insecure for enterprise deployment.
Why? Because synced passkeys inherently shift the trust boundary. They inherit the risk profile of the consumer cloud accounts and recovery processes that protect them, which creates material enterprise exposure.
The attack surface expands in three key ways:
1. Cloud Account Takeover: If an attacker compromises a user's personal cloud account, they can authorize new devices, thus eroding the integrity of the credential.
2. Syncing Nightmare: If a user is logged into a corporate device using their personal cloud account, any corporate passkeys created could be synced to that personal account, exploding the attack surface outside of enterprise security boundaries.
3. Help Desk Hijinks: Attackers specifically target help desk and account recovery workflows because these teams can be social engineered to copy the protected keychain onto a new, untrusted device. Recovery is often the attacker's entry point.
We’re also seeing proof-of-concept demonstrations of authentication downgrade attacks. Researchers documented a practical downgrade against systems like Microsoft Entra ID. Adversary-in-the-Middle (AiTM) kits can spoof an unsupported browser, causing the identity provider to disable strong authentication like WebAuthn and guide the user toward weaker methods, such as SMS or OTP.
This is the punchline: Your weakest authentication method defines your real security. If a weak fallback exists—like TOTP, SMS, or email links—an attacker will force it.
Beyond downgrades, researchers showed that a compromised browser environment, often through a malicious extension or an XSS bug, can hijack WebAuthn calls and manipulate passkey sign-in or force a password fallback. Extensions, especially those with powerful permissions like webAuthenticationProxy, can sit right in the WebAuthn path.
The consensus among experts and advisory bodies like the FIDO Alliance is clear for enterprise environments: Device-bound credentials are the only effective enterprise solution.
Device-bound passkeys are tied to a specific device, using private key generation rooted in secure hardware, like hardware security keys. This provides consistent device signals, attestation, and a lifecycle that IT can inventory and revoke.
For CISOs building a passkey program, the guidance is strict:
Require device-bound authenticators that generate non-exportable, hardware-backed credentials.
Eliminate all fallback methods like SMS, TOTP apps, and email links. Make the strong path the only path.
Enforce extension allowlists in managed browsers and continuously monitor for suspicious activity.
Bind user sessions to a trusted device context; a session cookie should never be a portable artifact.
And finally, enforce continuous authentication that ties identity to device posture throughout the session.
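The first item in that guidance, requiring device-bound authenticators, has a concrete relying-party check behind it. A WebAuthn registration response carries an authenticatorData structure whose flags byte includes the BE (backup eligible) and BS (backup state) bits: an authenticator sets BE when the credential may be copied to a cloud keychain and BS when it already has been, which is exactly the synced-passkey case discussed above. The example below is added here and is not code from the podcast or from any vendor; it assumes the relying party already has the raw authenticatorData bytes from navigator.credentials.create(), and the relying party ID, AAGUID, and credential ID values are constructed sample data. It parses the structure, rejects backup-eligible credentials, and optionally enforces an AAGUID allowlist so IT can keep an inventory of approved authenticator models.

```python
"""Reject synced passkeys at registration by inspecting WebAuthn authenticatorData flags.

Added example (not the podcast's or any vendor's code). Assumes the relying party
already holds the raw authenticatorData bytes from a navigator.credentials.create()
response; attestation-statement and COSE-key verification are out of scope here.
"""
import hashlib
import struct

# Flag bits of the authenticatorData flags byte (WebAuthn Level 3, section 6.1).
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the credential can be synced to a cloud keychain
FLAG_BS = 0x10  # backup state: the credential is currently backed up (synced)
FLAG_AT = 0x40  # attested credential data (AAGUID + credential id + key) follows


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split authenticatorData into its fixed header and attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData must be at least 37 bytes")
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "aaguid": None,
        "credential_id": None,
    }
    if parsed["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = auth_data[37:53]
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential id truncated")
        parsed["credential_id"] = cred_id
        # The COSE public key (CBOR) follows the credential id; a real relying
        # party decodes it with a CBOR library. It is left untouched here.
    return parsed


def evaluate_registration(auth_data: bytes, rp_id: str, allowed_aaguids=None):
    """Return (accepted, reasons). Accept only device-bound, user-verified credentials."""
    p = parse_authenticator_data(auth_data)
    reasons = []
    if p["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        reasons.append("rpIdHash does not match this relying party")
    flags = p["flags"]
    if not flags & FLAG_UP:
        reasons.append("user presence not asserted")
    if not flags & FLAG_UV:
        reasons.append("user verification not performed")
    if not flags & FLAG_AT:
        reasons.append("no attested credential data in registration")
    # BE is the authenticator's own statement that this credential may be copied
    # to a cloud keychain; BS says it already has been. Either means the private
    # key is not bound to the device in front of the user.
    if flags & FLAG_BE:
        reasons.append("credential is backup-eligible (synced passkey)")
    if flags & FLAG_BS:
        reasons.append("credential is already backed up to a cloud account")
    if allowed_aaguids is not None and p["aaguid"] not in allowed_aaguids:
        reasons.append("authenticator model (AAGUID) not on the approved inventory")
    return (not reasons, reasons)


def build_sample_auth_data(rp_id: str, flags: int, aaguid: bytes, cred_id: bytes) -> bytes:
    """Construct authenticatorData for testing; sample data, not a real authenticator's output."""
    data = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 0)
    if flags & FLAG_AT:
        data += aaguid + struct.pack(">H", len(cred_id)) + cred_id
        data += b"\xa0"  # stand-in for the COSE key: an empty CBOR map
    return data


# Constructed sample values: a hypothetical hardware-key AAGUID and credential id.
SAMPLE_RP = "login.example.com"
HW_KEY_AAGUID = bytes.fromhex("11111111222233334444555555555555")
SAMPLE_CRED_ID = b"\x01" * 20

DEVICE_BOUND = build_sample_auth_data(
    SAMPLE_RP, FLAG_UP | FLAG_UV | FLAG_AT, HW_KEY_AAGUID, SAMPLE_CRED_ID)
SYNCED = build_sample_auth_data(
    SAMPLE_RP, FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS | FLAG_AT, bytes(16), SAMPLE_CRED_ID)

if __name__ == "__main__":
    for label, data in (("device-bound", DEVICE_BOUND), ("synced", SYNCED)):
        ok, why = evaluate_registration(data, SAMPLE_RP, allowed_aaguids={HW_KEY_AAGUID})
        print(label, "accepted" if ok else "rejected", why)
```

The flags are self-reported by the authenticator, so this check enforces the policy against honest platform and cloud authenticators; where the requirement is hardware-backed key generation, the relying party should also request and verify the attestation statement against the vendor's root certificate, and the AAGUID allowlist is what ties that attestation to an inventory IT can revoke against.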
If you don't control what created the credential, you don't control access. Synced passkeys are great for consumers, but they are not an acceptable force field for enterprise defense.
Wrap Up
So, to recap the massive security news of mid-October 2025: We’ve seen critical flaws across the board. Microsoft dealt with zero-days, Adobe patched critical code execution risks, SAP hardened 10.0-rated flaws, and the Red Lion RTU flaws exposed critical infrastructure to root-level compromise.
The actions for security teams are clear: Patch those Windows systems immediately, pay special attention to your ICS assets, and, critically, if you are relying on synced passkeys, recognize that the security model is fundamentally flawed and replace it with device-bound credentials and continuous trust enforcement.
That’s all the time we have for today's edition of Cyber Scoops & Digital Shenanigans. Stay safe out there, apply those patches, and think device-bound!