A Common Vulnerability Exposure (CVE) that cannot reach the privilege plane is operationally ineffective - even at a CVSS Score of 10. This should be a core philosophy that is embedded into the fabric of software engineering.
Each month, the team at Readiness analyzes the latest Patch Tuesday updates from Microsoft and provides detailed, actionable testing guidance. The company's Patch Tuesday release for February addresses 59 CVEs across the company's product family - roughly half the volume of January's 159 patches. Six vulnerabilities, affecting Windows Shell, MSHTML, Desktop Window Manager, Remote Desktop, Remote Access, and Microsoft Word, are already being actively exploited.
In addition to already-reported flaws, newly discovered bugs allow attackers to hang vulnerable servers and potentially leak Server Function source code, so anyone using RSC or frameworks that support it should patch quickly. The latest vulnerabilities - two high-severity denial-of-service bugs tracked as CVE-2025-55184 and CVE-2025-67779 (CVSS 7.5), and a source-code exposure flaw tracked as CVE-2025-55183 (CVSS 5.3) - were found by security researchers attempting to poke holes in the patch for the earlier maximum-severity React flaw that is under active exploitation.
His analysis cites academic research published in August as part of the USENIX Security Symposium. The paper, "Confusing Value with Enumeration: Studying the Use of CVEs in Academia," (Moritz Schloegel et al.), reports that 34 percent of 1,803 CVEs cited in research papers over the past five years either have not been publicly confirmed or have been disputed by maintainers of the supposedly vulnerable software projects. The authors argue that CVEs should not be taken as a proxy for the real-world impact of claimed vulnerabilities.
Spooky season is in full swing, and this extends to Microsoft's October Patch Tuesday with security updates for a frightful 175 Microsoft vulnerabilities, plus an additional 21 non-Microsoft CVEs. And even scarier than the sheer number of bugs: three are listed as under attack, with three others publicly known, and 17 deemed critical security holes. Let's start with the flaws that attackers already found and exploited before Redmond pushed patches.
iOS 26 and iPadOS 26 were released for the latest generation iPhone and iPad devices with fixes for 27 unique CVEs that could lead to memory corruption, information disclosure, crashes, and sandbox escapes. WebKit received the largest number of fixes, at five, for security defects that could lead to process crashes, Safari crashes, or could allow websites to access sensor information without consent.
The vulnerabilities include CVE-2025-21479 (CVSS score: 8.6) and CVE-2025-27038 (CVSS score: 7.5), both of which were disclosed alongside CVE-2025-21480 (CVSS score: 8.6) by the chipmaker back in June 2025.
