October 2025: The Critical Shift from Synced Passkeys to Device-Bound Trust
The sheer volume and severity of vulnerabilities revealed during the October 2025 Patch Tuesday are a stark reminder of the dynamic risk landscape. While attention is correctly focused on exploited zero-days and critical infrastructure flaws, CISOs must treat this month's findings as a mandate to overhaul foundational identity practices, particularly concerning passkeys. The sources confirm a clear directive: Synced passkeys are no longer tenable for enterprise security.
Patching Priorities: Zero-Days and CVSS 10.0
October 15, 2025, marked a major security event, requiring immediate action on several fronts:
- Exploited Microsoft Zero-Days: Microsoft patched 173 unique CVEs, including two flaws already being actively exploited. These include an Elevation of Privilege (EoP) flaw in the legacy Windows Agere Modem Driver (CVE-2025-24990) and another EoP in the Windows Remote Access Connection Manager (CVE-2025-59230). The Agere Modem Driver is particularly concerning as the vulnerable code ships with every version of Windows, up to and including Server 2025, exposing nearly all systems to local privilege escalation. CISA has added both to its KEV list, underscoring the urgency for federal—and all—agencies to patch.
- Critical Industrial Control Threats: Threat actors consistently target Industrial Control Systems (ICS). This month, researchers disclosed two vulnerabilities in Red Lion Sixnet RTU products (CVE-2023-40151 and CVE-2023-42770), both rated CVSS 10.0. Chaining these flaws allows an unauthenticated attacker to execute commands with root privileges on devices used in critical infrastructure sectors like energy and water treatment. Furthermore, Siemens patched two critical flaws in products like TeleControl Server Basic and Simatic ET 200SP, while Rockwell Automation addressed a critical advisory for the 1783-NATR configurable NAT router. These vulnerabilities present significant possibilities for process disruption or damage.
- Critical Enterprise Application Risks: Adobe patched a critical Cross-Site Scripting (XSS) vulnerability (CVE-2025-49553) in the Adobe Connect collaboration suite (CVSS 9.3). SAP also issued patches for three critical-severity issues, including hardening recommendations for the previously identified CVSS 10.0 insecure deserialization flaw in NetWeaver AS Java (CVE-2025-42944).
The Mandate: Abandon Synced Passkeys for Enterprise Access
While patching remains vital, CISOs must concurrently address systemic vulnerabilities in modern identity management. Synced passkeys—which are credentials synced through consumer cloud services like Google Cloud or iCloud—are a major liability for enterprise access.
Synced Passkeys Erode Enterprise Security Boundaries
The core issue is the shifting trust boundary. Synced passkeys inherit the weaknesses of the cloud accounts and recovery workflows that protect them. This expands the attack surface in highly predictable ways:
- Cloud Account Risk: Compromise of a user's personal cloud account, or abuse of its recovery process, can authorize new, untrusted devices to access synchronized credentials.
- The Help Desk Vector: Help desk and account recovery are often the easiest control points for attackers, who can social engineer staff to copy the protected keychain onto a device they control.
- Downgrade Attacks: Adversary-in-the-Middle (AiTM) kits can exploit the identity provider's practical desire for a smooth user experience (UX) over strict security. By spoofing an unsupported browser, attackers can force a fallback from phishing-resistant WebAuthn to weaker authentication methods like SMS or OTP. The security posture of your organization is ultimately defined by its weakest authentication method.
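The downgrade pattern above leaves a trace in identity-provider logs: a sign-in that is challenged with WebAuthn (or belongs to a user enrolled in it) and then completes with SMS or OTP. The following detection rule is an added example, not code from the original article; the JSON log schema, field names and events are constructed for illustration and would need mapping to your IdP's actual export.

```python
"""Detect sign-ins downgraded from WebAuthn to a weaker factor.
Added example, not from the article. The JSON log format, field names
and events are constructed for illustration; map them to your IdP's schema."""
import json

STRONG_METHODS = {"webauthn"}
WEAK_METHODS = {"sms", "otp", "email_link"}

# Constructed sample: alice is challenged for WebAuthn, then the same attempt
# falls back to SMS under a different user agent; bob completes WebAuthn normally.
SAMPLE_LOG = """\
{"ts": "2025-10-16T08:00:01Z", "user": "alice", "event": "challenge", "method": "webauthn", "ua": "Chrome/130"}
{"ts": "2025-10-16T08:00:03Z", "user": "alice", "event": "challenge", "method": "sms", "ua": "Mozilla/4.0 (compatible)"}
{"ts": "2025-10-16T08:00:20Z", "user": "alice", "event": "success", "method": "sms", "ua": "Mozilla/4.0 (compatible)"}
{"ts": "2025-10-16T09:12:00Z", "user": "bob", "event": "challenge", "method": "webauthn", "ua": "Firefox/131"}
{"ts": "2025-10-16T09:12:05Z", "user": "bob", "event": "success", "method": "webauthn", "ua": "Firefox/131"}
"""

def find_downgrades(log_text: str, strong_enrolled: set) -> list:
    """Return (ts, user, method, ua) for each successful sign-in that used a
    weak factor although the user is enrolled in, or was just challenged
    with, a phishing-resistant one. Per-user challenge state resets on success."""
    alerts, challenged_strong = [], set()
    for line in log_text.strip().splitlines():
        e = json.loads(line)
        user = e["user"]
        if e["event"] == "challenge" and e["method"] in STRONG_METHODS:
            challenged_strong.add(user)
        elif e["event"] == "success":
            if e["method"] in WEAK_METHODS and (user in strong_enrolled or user in challenged_strong):
                alerts.append((e["ts"], user, e["method"], e["ua"]))
            challenged_strong.discard(user)
    return alerts
```

The user agent recorded on the weak-factor success is carried into the alert so an analyst can compare it with the one seen on the WebAuthn challenge.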
Policy Guidance for Higher Assurance
For organizations evaluating passkey adoption, the immediate transition must be toward device-bound passkeys. These are mandatory for enterprise access use cases and offer higher assurance because the credentials are non-exportable and rooted in secure hardware components.
To achieve enterprise-grade security, CISOs must implement policies that:
- Require Phishing-Resistant Authentication: Accept only device-bound authenticators that generate non-exportable credentials tied verifiably to the physical device attempting the login.
- Eliminate All Fallbacks: Remove weak fallback methods such as SMS, TOTP apps, and email links. If a fallback exists, attackers will force it—make the strong path the only path.
- Enforce Browser and Extension Posture: Strictly enforce extension allowlists in managed browsers. Disallow any extension that requests permissions like webAuthenticationProxy, which can intercept and manipulate WebAuthn calls.
- Bind and Continuously Monitor Sessions: Session cookies should never be portable artifacts. Enforce continuous authentication that requires reauthentication or denies access if the device posture, location, or security status changes during the session.
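The first policy item, accepting only device-bound, non-exportable credentials, can be enforced at registration time on the relying party: WebAuthn authenticatorData carries backup-eligibility (BE) and backup-state (BS) flags that synced passkeys set and device-bound ones do not. The check below is an added example, not code from the article or any vendor; the sample authenticatorData bytes, AAGUID and credential ID are constructed placeholders, and the COSE public key that normally follows the credential ID is omitted.

```python
"""Relying-party check that a newly registered passkey is device-bound.
Added example, not the article's code: it parses WebAuthn authenticatorData
and rejects credentials flagged backup-eligible (synced). Sample bytes,
AAGUIDs and credential IDs are constructed placeholders."""
import hashlib
import struct

# Flag bits in the authenticatorData flags byte (WebAuthn Level 3).
FLAG_UP, FLAG_UV, FLAG_BE, FLAG_BS, FLAG_AT = 0x01, 0x04, 0x08, 0x10, 0x40

def parse_auth_data(data: bytes) -> dict:
    """Parse the fixed header plus, when AT is set, AAGUID and credential ID
    (the COSE public key that follows the credential ID is not decoded)."""
    if len(data) < 37:
        raise ValueError("authenticatorData too short")
    parsed = {"rp_id_hash": data[:32], "flags": data[32],
              "sign_count": struct.unpack(">I", data[33:37])[0],
              "aaguid": None, "cred_id": None}
    if parsed["flags"] & FLAG_AT:
        if len(data) < 55:
            raise ValueError("truncated attested credential data")
        cred_len = struct.unpack(">H", data[53:55])[0]
        cred_id = data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("truncated credential id")
        parsed["aaguid"], parsed["cred_id"] = data[37:53], cred_id
    return parsed

def device_bound_violations(data: bytes, rp_id: str) -> list:
    """Return policy violations (empty list = accept). Flag checks only;
    verifying the attestation statement against the AAGUID is a further step."""
    ad = parse_auth_data(data)
    problems = []
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash does not match the expected RP ID")
    if not ad["flags"] & FLAG_UV:
        problems.append("user verification was not performed")
    if ad["flags"] & (FLAG_BE | FLAG_BS):
        problems.append("backup-eligible credential: synced passkey rejected")
    if not ad["flags"] & FLAG_AT:
        problems.append("no attested credential data, device binding unproven")
    return problems

def make_auth_data(rp_id: str, flags: int, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Build constructed sample authenticatorData for the checks above."""
    out = hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", 1)
    if flags & FLAG_AT:
        out += b"\x00" * 16 + struct.pack(">H", len(cred_id)) + cred_id
    return out
```

Rejecting on the flags alone stops synced credentials from being enrolled; proving the key lives in secure hardware additionally requires validating the attestation statement and AAGUID against authenticator metadata you trust.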
For the modern CISO, providing uncompromising defense against identity, browser, and device-based attacks means adopting device-bound credentials and implementing continuous trust throughout the session.