news · 9 min read
Bulletin — October 2025
Windows 10 closes ten years of support. F5 discloses source code theft and unpublished CVEs by a nation-state. Patch Tuesday with three zero-days in use, WSUS RCE wormable with out-of-band patch. AWS US-East-1 down for 15 hours. Claude Haiku 4.5 and Sonnet 4.5 in production.
· Manuel López Pérez · news

October 2025 closes the Windows 10 decade with a record Patch Tuesday and follows the next day with the first of two major incidents: F5 acknowledges a prolonged nation-state compromise with theft of BIG-IP source code and unpublished CVEs, and a week later CVE-2025-59287 against WSUS goes from incomplete fix to wormable mass exploitation. Five long notes and the rest of the month.
Windows 10 end-of-support — 14 October
14 October. Microsoft serves the last free Patch Tuesday for Windows 10 22H2 in all its commercial editions (Home, Pro, Pro for Workstations, Pro Education, Enterprise, Education, Enterprise multi-session). The LTSC branches continue on their own calendar: LTSC 2021 until January 2027, IoT Enterprise LTSC 2021 until January 2032. For everything else, ESU is the only path that still gets patches: a $30 one-off payment for consumers (free in the EEA after Euroconsumers / Digital Markets Act pressure in September 2025), and $61 per device in year 1 for enterprise, doubling each year to $244 in year 3.
As of 30 September, StatCounter put Windows 10's desktop share at around 40-42% worldwide, with Windows 11 hovering around 50%. The fraction not migrating is the one with incompatible hardware (Lansweeper estimated ~50% of the corporate fleet lacks the Windows 11 hardware requirements) or legacy software blocking the transition. We cover operational detail, ESU pricing and the comparison with the Windows XP/7 EOLs in the dedicated technical post.
The historical pattern looks more like Windows 7 (a silent drip from 2020 to 2023, no WannaCry-style media event) than Windows XP (a three-year catastrophe). But absolute risk rises, and any new critical CVE in SMB, RPC, Print Spooler or an LPE leaves the non-ESU installed base without a public patch.
Sources: https://support.microsoft.com/en-us/windows/windows-10-support-has-ended-on-october-14-2025-2ca8b313-1946-43d3-b55c-2b95b107f281 · https://learn.microsoft.com/en-us/lifecycle/announcements/october-14-2025-products-end-of-support
F5 BIG-IP — nation-state, source code and unpublished CVEs
15 October. F5 files an 8-K with the SEC acknowledging a prolonged compromise of its corporate network by a nation-state actor. What was stolen: BIG-IP product source code plus information on unpublished, unpatched vulnerabilities. F5 detected the access on 9 August 2025 and delayed disclosure for two months at the Department of Justice's request. Public reporting attributes the activity to UNC5221 (China-nexus) using BRICKSTORM malware; the attacker is said to have kept ~12 months of persistence in the BIG-IP development environment and the engineering knowledge management platform.
The same day F5 publishes K000156572, a bundle of 44 CVEs including the set of vulns allegedly known to the attacker. CISA issues Emergency Directive ED 26-01 forcing FCEB agencies to inventory BIG-IP, verify internet-exposed management interfaces, and apply updates before 22 October.
What this teaches operationally: the threat model has to assume that an attacker with two months of head start on the disclosure has already swept the installed base reachable via management interfaces. Any BIG-IP with TMUI or SSH exposed to the internet between August and October must be treated as potentially compromised, which implies not only patching but also hunting for persistence (new local accounts, iControl REST modifications, anomalous certificates). The pattern resembles Ivanti Connect Secure in January 2024 and Citrix Bleed on NetScaler in October 2023: an exposed edge appliance, a compromised vendor, and several months between initial access and disclosure.
Sources: https://my.f5.com/manage/s/article/K000154696 · https://www.cisa.gov/news-events/directives/ed-26-01 · https://unit42.paloaltonetworks.com/nation-state-threat-actor-steals-f5-source-code/
Patch Tuesday October — 175 fixes, three zero-days, one wormable WSUS
14 October, plus the out-of-band release on the 23rd. Microsoft closes the year's largest Patch Tuesday with 175 vulnerabilities in the regular cycle, the highest absolute count since we started counting (BleepingComputer counts 172, the difference being which third-party advisories are included). Three zero-days were under active exploitation at release time:
- CVE-2025-24990 — Agere Modem Driver (ltmdm64.sys). LPE to SYSTEM, CVSS 7.8. Microsoft removes the driver from the cumulative update instead of patching it, the first recent case where the response is to retire the binary. The driver, inherited from the fax-modem era, shipped natively on every Windows build. Exploitation was observed before release and a public PoC appeared shortly after.
- CVE-2025-59230 — Windows Remote Access Connection Manager (RasMan). LPE to SYSTEM, CVSS 7.8. The first RasMan CVE exploited as a zero-day. Vector described as a race condition in RPC endpoint registration that privileged services trust: an unprivileged user registers the endpoint before the legitimate service and captures the connections.
- CVE-2025-47827 — IGEL OS Secure Boot bypass. Allows unsigned binaries to boot, skipping the chain of trust on IGEL thin clients.
In addition, CVE-2025-59287 in Windows Server Update Services (WSUS) shipped in the regular cycle with a patch that did not fully mitigate it. Vector: unsafe deserialization in the reporting web services, giving pre-auth RCE as SYSTEM and making it wormable between WSUS servers. A public PoC followed on 17 October; Microsoft published an out-of-band patch on the 23rd, and the same day at 23:34 UTC Huntress observed active exploitation against WSUS instances exposed on TCP 8530/8531. CISA added the CVE to KEV on the 24th. For organisations whose WSUS is internal but reachable from the whole corporate network, the risk is instant lateral movement from any compromised endpoint to control of update distribution.
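A minimal hunt for the post-exploitation shape reported for CVE-2025-59287, as an added example that is not code from Microsoft, Huntress or CISA. It assumes process-creation telemetry (Sysmon event 1 or EDR equivalent) flattened into pid/ppid/image/cmdline records and flags any shell whose ancestry leads back to the WSUS service (wsusservice.exe) or to an IIS worker running the WsusPool application pool, decoding any PowerShell -EncodedCommand payload it finds. The events are constructed, not captured telemetry.

```python
"""Hunt for WSUS post-exploitation process chains in process-creation telemetry.

Added example; not code from Microsoft, Huntress or CISA. The sample events
are constructed and parent pids are simplified.
"""
import base64
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob (UTF-16LE plaintext)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def is_wsus_process(ev):
    """The WSUS service itself, or an IIS worker hosting the WsusPool app pool."""
    image = ev["image"].lower()
    if image == "wsusservice.exe":
        return True
    return image == "w3wp.exe" and "wsuspool" in ev["cmdline"].lower()


def find_chains(events, max_depth=3):
    """Flag shells whose ancestry (up to max_depth hops) leads back to a WSUS process."""
    by_pid = {ev["pid"]: ev for ev in events}
    findings = []
    for ev in events:
        if ev["image"].lower() not in SHELLS:
            continue
        parent = by_pid.get(ev["ppid"])
        hops = 0
        while parent is not None and hops < max_depth:
            if is_wsus_process(parent):
                findings.append({
                    "pid": ev["pid"],
                    "image": ev["image"],
                    "root": parent["image"],
                    "decoded": decode_encoded_command(ev["cmdline"]),
                })
                break
            parent = by_pid.get(parent["ppid"])
            hops += 1
    return findings


# Constructed sample: one chain under wsusservice.exe, one under the WsusPool
# worker, and two benign shells (under explorer.exe and a DefaultAppPool worker).
ENC = base64.b64encode("whoami".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": "wsusservice.exe", "cmdline": "WsusService.exe"},
    {"pid": 200, "ppid": 100, "image": "cmd.exe", "cmdline": f"cmd.exe /c powershell.exe -ec {ENC}"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmdline": f"powershell.exe -ec {ENC}"},
    {"pid": 400, "ppid": 4, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 500, "ppid": 400, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 4, "image": "w3wp.exe", "cmdline": 'w3wp.exe -ap "WsusPool"'},
    {"pid": 700, "ppid": 600, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"pid": 800, "ppid": 4, "image": "w3wp.exe", "cmdline": 'w3wp.exe -ap "DefaultAppPool"'},
    {"pid": 900, "ppid": 800, "image": "cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for finding in find_chains(SAMPLE_EVENTS):
        print(finding)
```

Run against real telemetry, the WsusPool check matters: a generic w3wp.exe parent would also match every other IIS site on the host, and pid reuse across a long retention window should be handled with process GUIDs rather than raw pids.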
Other notable fixes in the cycle: CVE-2025-59227 and CVE-2025-59234 (Office RCE via the Preview Pane, without opening the file) and a sizeable set of SQL Server, Azure and Graphics Component fixes that are already part of the usual landscape.
Sources: https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2025-patch-tuesday-fixes-6-zero-days-172-flaws/ · https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve · https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
AWS US-East-1 — 15 hours of DNS race condition
19-20 October. Amazon Web Services suffers the largest US-East-1 outage since December 2021. 15 hours of severe degradation, ~70 services affected, downstream ranging from Netflix, Coinbase, Slack and Atlassian to Snapchat, Roblox, Hinge, Ring and airlines with critical systems in the region.
Root cause per the AWS postmortem: a race condition in DynamoDB's automated DNS management. A DNS Planner produces plans for the regional endpoint and several DNS Enactors apply them to Route 53. A slow Enactor applied a stale plan after a newer one had already gone live, overwriting it; the subsequent cleanup of that stale plan then deleted the records it had written, leaving the DynamoDB regional endpoint with inconsistent, and for a period empty, DNS records. Once DynamoDB was restored, EC2's management subsystem went into congestive collapse trying to re-establish thousands of leases simultaneously, which extended the outage hours beyond the original fault.
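A deterministic model of that interleaving and of the guard that prevents it, as an added illustrative example (not AWS code; the hostname-free record set, the IPs and the plan contents are constructed, and the real system has more moving parts). It shows the unguarded store accepting a stale plan and then losing every record in cleanup, and the guarded store refusing to regress its generation so the same interleaving is harmless.

```python
"""Model of the DNS plan race and a monotonic-generation guard.

Added illustrative example; simplified model, not AWS code. IPs and plans
are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Plan:
    generation: int
    ips: frozenset


@dataclass
class RecordStore:
    guarded: bool
    generation: int = -1
    records: dict = field(default_factory=dict)  # ip -> generation that wrote it

    def apply(self, plan):
        """Replace the record set with the plan. Guarded mode rejects stale plans."""
        if self.guarded and plan.generation <= self.generation:
            return False
        self.records = {ip: plan.generation for ip in plan.ips}
        self.generation = plan.generation
        return True

    def cleanup(self, stale_generation):
        """Delete every record written by a plan believed to be retired."""
        self.records = {ip: g for ip, g in self.records.items() if g != stale_generation}

    def resolve(self):
        """What a client would get back; an empty list means the endpoint is gone."""
        return sorted(self.records)


def run_scenario(guarded):
    """Interleaving from the postmortem: fast enactor applies the new plan, the slow
    enactor then applies the old one, and the fast enactor retires the old plan."""
    plan0 = Plan(0, frozenset({"10.0.0.1", "10.0.0.2"}))
    plan1 = Plan(1, frozenset({"10.0.0.2", "10.0.0.3"}))  # 10.0.0.1 rotated out
    store = RecordStore(guarded=guarded)
    store.apply(plan0)                   # steady state before the race
    store.apply(plan1)                   # fast enactor: newer plan goes live
    stale_accepted = store.apply(plan0)  # slow enactor: delayed write of the old plan
    store.cleanup(plan0.generation)      # fast enactor retires plan0's records
    return stale_accepted, store.resolve()


if __name__ == "__main__":
    print("unguarded:", run_scenario(False))
    print("guarded:  ", run_scenario(True))
```

The guard is the generic remedy for this class of bug: every writer carries the generation of the plan it is applying, and the store treats "older than what I already hold" as a rejected write rather than a legitimate update. Whether the real fix is a compare-and-swap on the record set or a check in the enactor, the invariant is the same.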
Operational reading: the outage was not a service bug, it was a control-plane bug in a service that many others depend on. Geographic concentration of critical load in US-East-1 remains the most common pattern despite a decade of "multi-region" as an architecture mantra. The question for 2026 is the same as in 2021, 2017 and 2015: what fraction of your load survives US-East-1 being down for fifteen hours, and what fraction gives up? The postmortem contains no major operational news for customers; AWS's recommendations are the usual ones (multi-AZ, multi-region for critical workloads, tested failover plans).
Sources: https://www.thousandeyes.com/blog/aws-outage-analysis-october-20-2025
Anthropic — Claude Sonnet 4.5 + Haiku 4.5, Q4 wave confirmed

29 September + 15 October. Anthropic confirms its Q4 cadence with two releases:
- 29 September — Claude Sonnet 4.5. Improvements in coding and agentic tasks. Anthropic positions it as “best coding model in the world” and “strongest model for building complex agents”. System card published the same day with safety metrics.
- 15 October — Claude Haiku 4.5. Small model with coding close to Sonnet 4 at one-third the cost and over twice the speed. SWE-bench Verified 73.3%. Better than Sonnet 4 at computer use, which makes it the default candidate for Claude for Chrome and many-step agent deployments. Pricing $1 / $5 per million tokens (input/output). Anthropic sets it as the default model in free Claude.ai.
For AI security, the operational reading is the same as with earlier releases: each new model ships with a system card carrying red-teaming methodology, Responsible Scaling Policy ratings and published jailbreak-resistance metrics. What has changed since 2024 is that there is now a public corpus of published jailbreaks against each release (Pliny the Liberator on X, Embrace The Red, AI Village papers), so the safety classifier's ceiling is measured against that corpus within hours of release. Sonnet 4.5 and Haiku 4.5 both followed the usual cadence of public jailbreak attempts circulating within a day or two of launch.
Sources: https://www.anthropic.com/news/claude-sonnet-4-5 · https://www.anthropic.com/news/claude-haiku-4-5
Rest of the month
- Oracle E-Business Suite CVE-2025-61882 / Cl0p mass exploitation (patch 4 October, KEV 6 October). Pre-auth RCE in EBS 12.2.3 through 12.2.14, CVSS 9.8. Exploited as a zero-day since 9 August according to Mandiant / Google Cloud Threat Intelligence. From 29 September Cl0p runs an email extortion campaign: executives receive demands sent from hundreds of compromised accounts (credentials taken from infostealer logs) claiming exfiltration of Oracle EBS data. A PoC leaked on Telegram shortly after, with copycat exploitation by other groups in the following days. Cl0p keeps to its historical pattern: MFT in 2023 (GoAnywhere, MOVEit), MFT in 2024 (Cleo), ERP in 2025.
- ENISA Threat Landscape 2025 — 1 October. Final publication of the annual report. Covers the July-2024 to June-2025 period. Hostile state actors and ransomware as dominant categories; AI-related threats with a dedicated section for the first time with analysis of production incidents.
- CISA + 14 partners — joint advisory Salt Typhoon (AA25-239A) published on 27 August consolidates the China-nexus activity against telcos, government, transport, hospitality and military at the global level. The advisory is referenced through October as a hardening guidance base — the executive summary is that Salt Typhoon is no longer a 2024 incident but a sustained pattern against telco backbone routers (provider edge and customer edge) with limited visibility.
- Cisco ASA / Firepower CVE-2025-20333 + CVE-2025-20362 + CVE-2025-20363 (patches 25 September, CVE-2025-20333 and CVE-2025-20362 added to KEV the same day). The ArcaneDoor China-nexus campaign against the ASA/FTD VPN web server continues. The novelty is ROM persistence: the actor modifies the firmware (ROMMON) so the implant survives reboots and updates on ASA 5500-X models without Secure Boot. The 5512-X/5515-X/5585-X were already discontinued; the 5525-X/5545-X/5555-X reached end of support in September. CISA Emergency Directive ED 25-03 set an aggressive next-day deadline for FCEB agencies.
- DeepSeek-V3.2-Exp published on 29 September with DeepSeek Sparse Attention (DSA) significantly reducing long-context cost. Maintains the open-weights pattern of the DeepSeek family; first economical test of the year against >128k context.
- DragonForce / Akira maintain ransomware tempo during October. Without a single media incident, the drip continues.
Pattern of the month
Three blocks cross in October and should be read together. The Windows 10 EOL opens a legacy decade that will set the pace of vulnerability management during 2026-2028. The F5 breach confirms that the threat model against security vendors is mature: Ivanti 2024, Snowflake 2024, BeyondTrust 2024, now F5 2025; the exploitation chain runs through the vendor, not the customer. And the record Patch Tuesday with three zero-days plus a wormable WSUS forces teams to apply, in the same cycle, fixes many had been delaying: the preceding quarter accumulated unapplied patches for fear of regressions and October arrives with the board saturated.
For November three things can be anticipated: the first Patch Tuesday (11 November) on which Windows 10 receives updates only through ESU, follow-up on the 44 F5 CVEs with public exploitation after disclosure, and the post-EOL degradation curve: what fraction of the estate stays on ESU, what fraction stays out, and which first public incident appears against the second group.
- boletin
- windows-10
- vendor:microsoft
- vendor:f5
- vendor:anthropic
- vendor:aws
- vendor:oracle
- wsus
- end-of-life
- patch-tuesday
- kev