A newly discovered zero-day vulnerability in the Windows Agere Modem driver has been actively exploited by threat actors to elevate privileges on affected systems.
Tracked as CVE-2025-24052 and CVE-2025-24990, these flaws allow a low-privileged user to gain full system control without any user interaction.
Microsoft has released an October cumulative update that removes the vulnerable ltmdm64.sys driver, but organisations relying on fax modem hardware dependent on this component face potential service disruptions.
Details of the Vulnerabilities
The first vulnerability, CVE-2025-24052, is a stack-based buffer overflow in the Agere Modem driver. An attacker with low privileges can exploit this flaw locally to execute arbitrary code in kernel context, resulting in high confidentiality, integrity, and availability impact.
Microsoft rates the severity as Important with a CVSS v3.1 score of 7.8. Proof-of-concept exploit code has already been published, increasing the urgency of patching.
Shortly after, researchers identified CVE-2025-24990, an untrusted pointer dereference in the same driver.
| CVE ID | Release Date | Impact | Max Severity | CVSS v3.1 Score |
| CVE-2025-24052 | Oct 14, 2025 | Elevation of Privilege | Important | 7.8 |
| CVE-2025-24990 | Oct 14, 2025 | Elevation of Privilege | Important | 7.8 |
This weakness similarly enables local privilege escalation, leverages low user privileges, and does not require user interaction.
Microsoft also scores the severity as Important and assigns a CVSS v3.1 rating of 7.8. Although no public exploit was initially observed, the similarity to the first flaw raises the risk of rapid weaponization.
Impact on Affected Systems
Both vulnerabilities target the ltmdm64.sys component, which is included by default in supported Windows releases.
Fax modem hardware that relies on this specific Agere driver will cease functioning once the driver is removed by the October cumulative update.
Organizations using fax solutions in regulated industries such as healthcare, finance, and legal services should assess their dependency on legacy modem hardware and consider alternative communication methods.
Microsoft’s executive summary emphasizes the removal of the outdated driver and urges administrators to remove any existing dependencies on fax modem hardware that cannot be updated.
Since the proof-of-concept exploit for CVE-2025-24052 is publicly available, threat actors could integrate this code into broader attack chains, enabling data theft or ransomware deployment after gaining kernel-level access.
To mitigate both vulnerabilities, apply the October 2025 Windows cumulative update immediately. This update permanently removes the vulnerable ltmdm64.sys driver from all supported platforms.
For environments where replacing the hardware is not yet feasible, consider the following interim measures:
- Disable fax modem functionality through Group Policy or configuration management tools.
- Restrict local user privileges using AppLocker, Device Guard, or similar solutions to limit the ability to load or interact with the vulnerable driver.
- Monitor Windows Event Logs for unusual kernel-mode driver load attempts or process elevation events.
Ultimately, transitioning away from unsupported modem hardware will eliminate the attack surface.
IT teams should audit existing inventories, prioritize systems with the Agere Modem driver installed, and plan migrations to supported communication solutions.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
