IT Trends Weekly — a curated, citation-first roundup for busy IT leaders.

After Patch Tuesday: How Teams Closed Risk This Week (and What To Prove Next)

Context. Last week’s October Patch Tuesday 2025 wave landed with 172 fixes and six zero-days (with multiple Critical items), and kicked off the first post–Windows 10 end-of-support cycle for many fleets.^[BC][R7] As the dust settled, CISA kept adding to the Known Exploited Vulnerabilities (KEV) catalog—reminding us that patching is a race against active abuse, not a paperwork exercise.^{[CISA-20][CISA-24]} This issue is a practical follow-up: what successful teams actually did in the last 7 days, how to show evidence, and where to focus next week.

Find more issues on the IT Trends Weekly hub or subscribe for updates.

Table of contents

• What happened last week (recap + new signals)
• Why it matters beyond “apply all updates”
• The first 48 hours: what effective teams executed
• Operational realities (so you don’t get paged at 2 a.m.)
• Evidence leaders want this week
• Week-2 priorities & lessons learned
• FAQ
• CTA: Stay ahead each week
• Sources & citations

What happened last week (recap + new signals)

Patch Tuesday recap. Microsoft shipped 172 vulnerabilities worth of fixes, including six zero-days and eight Critical bugs. Coverage spans Windows, server roles (including WSUS), and adjacent components. You’ll see different CVE totals depending on whether a vendor folds earlier Edge/Azure items into their count—a known variance this cycle.^{[BC][R7][Tenable]}

KEV kept moving. CISA added new entries to the Known Exploited Vulnerabilities catalog on Oct 20 and again on Oct 24. When a CVE lands in KEV, it’s being exploited—treat due dates as near-term and align internal SLAs with KEV windows.^{[CISA-20][CISA-24]}

Windows 10 lifecycle pressure. End-of-support is now real for non-LTSC Windows 10; many orgs switched on ESU while planning migrations. Microsoft’s ESU program and consumer enrollment details (including account requirements) dominated questions; knowing exactly who’s covered matters for risk reporting.^{[MS-ESU][WC-ESU][Edge-2028]}

Why it matters beyond “apply all updates”

• Attack chains, not CVE counts. EoP bugs convert a foothold into SYSTEM; server-side pre-auth risks widen blast radius. Prioritize the sequence: break chains (EoPs) → close public doors (pre-auth/RCE) → reinforce identity/firmware trust.
• Evidence talks. After a headline week, executives want proof you reduced risk, not just a ticket queue. Coverage %, exposure proof, and lifecycle posture are the language they understand.
• Lifecycle drift is new risk. ESU-eligible Windows 10 devices aren’t the same as “safe.” They’re a managed exception that must be segmented, tracked, and sunset with dates.^[MS-ESU]

The first 48 hours: what effective teams executed

• Wave 1 — Chain-breaking EoPs (all Windows). Deployed the cumulative update broadly to neutralize local privilege escalations—especially the pair linked to legacy modem components—while validating that driver removals didn’t break niche workflows (fax stacks in clinics/labs).^[R7]
• Wave 2 — Servers: WSUS risk. Patched WSUS wherever the role exists (including lab/satellite), verified admin surfaces weren’t internet-exposed, and tightened reverse-proxy auth/allowlists.
• Wave 3 — Identity plane. Updated Entra/AD Connect agents, audited privileged app registrations/workload identities, and double-checked break-glass procedures.
• Wave 4 — Firmware & trust. Coordinated UEFI revocation/TPM guidance with VDI/thin-client owners (attestation surprises are a classic “Monday morning” outage).
• Wave 5 — Browser/Office. Rolled Edge/Chromium updates and began retiring Office builds at lifecycle limits (to avoid a second reboot wave later).^[R7]

Operational realities (so you don’t get paged at 2 a.m.)

• Reboots & ring discipline. Stagger Domain Controllers, Always-On VPN/RADIUS, and terminal servers. One careless reboot batch can create an avoidable “cannot log in” flood.
• Thin clients & kiosks. Secure Boot/TPM changes can trip attestation. Test representative kiosks with real users before fleet-wide rollout.
• Windows 10 stragglers. ESU ≠ “normal.” Treat ESU devices as an exception class with segmentation/NAC and a named decommission date.^[MS-ESU]

Evidence leaders want this week

• Coverage: % of endpoints on October CU within 72h and servers within 96h.
• Exploit-class blockers: EDR detections for token theft, LSASS access, and UAC bypass (post-EoP behaviors).
• WSUS exposure proof: Screenshots/exports showing admin surfaces are not internet-exposed; reverse-proxy auth/allowlists in place.
• Lifecycle posture: Count of Windows 10 devices with ESU enabled; migration dates; % on Windows 11 by ring.^[WC-ESU]
• KEV alignment: For any CVE added to KEV this week, note due dates and whether your patch SLO meets or beats KEV timelines.^{[CISA-20][CISA-24]}

Week-2 priorities & lessons learned

1) Close the long tail without burning goodwill. Remote/off-VPN endpoints and lab servers are the usual laggards. Use a “hotel-Wi-Fi” VPN enforcement rule (force VPN before Internet) during catch-up windows and give teams an easy one-click defer for approved exceptions. Publish a list of devices still stuck and the blocker reason, not just the hostname.

2) Normalize WSUS hygiene. This cycle reiterated that WSUS itself can be a risk tier. Standardize: admin surface never internet-exposed; reverse-proxy auth + IP allowlists; approvals limited; and a signed note that confirms who can push what to whom. Store a monthly WSUS “exposure proof” artifact alongside your patch coverage report.

3) Treat ESU like a product with an end date. If ESU is on, it should come with segmentation, reduced local admin, an MDM tag, and a migration clock. Communicate consumer/Edge realities: Edge updates continue on Windows 10 for years, but OS security posture still degrades without ESU.^{[Edge-2028][WC-ESU]}

4) Report using language the business gets. Replace “we patched 85%” with: “we removed attacker pathways by breaking EoP chains on 85% of endpoints, closed WSUS exposure, and enrolled 100% of remaining Windows 10 devices in ESU pending migration by Q2.” Tie this to KEV entries updated this week so boards see you racing the right clock.^{[CISA-20][CISA-24]}

5) Disagreement on CVE counts is normal—your priorities aren’t. Vendor tallies varied (e.g., some cite 172, some 167) depending on what’s included (Chromium, cloud advisories, earlier bulletins). That debate doesn’t change your first three moves: chain-breaking EoPs, WSUS hardening, identity/firmware trust.^{[BC][R7][Tenable]}

FAQ

Sources & citations

1. BleepingComputer — Microsoft October 2025 Patch Tuesday fixes 6 zero-days, 172 flaws. :contentReference[oaicite:0]{index=0}
2. Rapid7 — Patch Tuesday: October 2025 (analysis, EoPs, Win10 lifecycle/ESU nuance). :contentReference[oaicite:1]{index=1}
3. Tenable — October 2025 Patch Tuesday addresses 167 CVEs (count variance rationale). :contentReference[oaicite:2]{index=2}
4. CISA — Adds five KEV entries (Oct 20, 2025). :contentReference[oaicite:3]{index=3}
5. CISA — Adds two KEV entries (Oct 24, 2025). :contentReference[oaicite:4]{index=4}
6. Microsoft Learn — Windows 10 Extended Security Updates (ESU) program. :contentReference[oaicite:5]{index=5}
7. Windows Central — Windows 10 ESU FAQ (enrollment/coverage). :contentReference[oaicite:6]{index=6}
8. Windows Central — Microsoft Edge updates on Windows 10 until 2028. :contentReference[oaicite:7]{index=7}