Microsoft has disclosed two zero-day vulnerabilities in the Agere Modem driver bundled with Windows, one of which it has confirmed is being exploited in the wild to escalate privileges.
The flaws, tracked as CVE-2025-24990 and CVE-2025-24052, affect the ltmdm64.sys driver and allow a low-privileged local attacker to gain full administrative control of the machine.
Both were addressed in the October 2025 cumulative update, which removes the driver outright; Microsoft warns that fax modems relying on it will stop working after the update is installed.
Vulnerabilities Exposed In Legacy Driver
The Agere Modem driver, a third-party component that has shipped natively in Windows for years, has long been a dormant risk: it is present on every installation whether or not a modem is attached.
CVE-2025-24990 stems from an untrusted pointer dereference (CWE-822): the driver dereferences a pointer taken from caller-controlled input without validating it, which lets a local attacker corrupt kernel memory and cross the user/kernel security boundary.
With a CVSS 3.1 score of 7.8 (AV:L/AC:L/PR:L/UI:N), it requires only local access and low privileges and no user interaction, yet yields high impact on confidentiality, integrity, and availability.
Microsoft’s threat intelligence team, MSTIC, along with researchers from r-tec IT Security and an anonymous contributor, identified exploitation in the wild.
The second flaw, CVE-2025-24052, is a stack-based buffer overflow (CWE-121), also scoring 7.8 on CVSS. It was publicly disclosed, with proof-of-concept code available, and poses a similar threat, but Microsoft has not observed it in active attacks.
Both vulnerabilities are reachable even when no modem is in use, and they affect every supported Windows version that ships the driver, from Windows 10 onward. Attackers need no hardware interaction; local code running as a standard user is enough to elevate privileges.
CVE ID | Description | CVSS Score | Exploit Status | Weakness |
---|---|---|---|---|
CVE-2025-24990 | Untrusted Pointer Dereference in ltmdm64.sys | 7.8 (Important) | Actively Exploited (Functional PoC) | CWE-822 |
CVE-2025-24052 | Stack-based Buffer Overflow in ltmdm64.sys | 7.8 (Important) | Proof-of-Concept Available | CWE-121 |
No indicators of compromise (IoCs) were published with the disclosures; the practical check Microsoft points to is whether ltmdm64.sys is still present on a host.
These zero-days highlight the danger of legacy drivers in modern environments. An attacker who already has a foothold as a standard user, obtained through phishing or commodity malware, can trigger the vulnerable driver and run code as SYSTEM.
In an enterprise, that local SYSTEM foothold is the first step toward domain compromise, data exfiltration, or ransomware deployment. Fabian Mosch from r-tec noted that exploits target driver loading during system boot or service calls, evading user-mode defenses.
The proof-of-concept for CVE-2025-24990 sends malformed input to the driver's IOCTL handler, which then dereferences an attacker-controlled pointer.
For CVE-2025-24052, an oversized buffer passed to the driver's modem emulation routines corrupts the kernel stack. Researchers demonstrated a clean privilege jump from standard user to SYSTEM with no crash.
Microsoft’s Response And User Guidance
In the October Patch Tuesday release, Microsoft removed ltmdm64.sys entirely rather than fixing it, so Agere-based fax modems stop working once the update is applied. Users who rely on such hardware must seek alternatives; Microsoft provides no compatible replacement driver.
The company advises installing the update immediately and auditing hosts for the driver with tools such as Sysinternals Autoruns. On systems that cannot yet be patched, disable the driver through Device Manager or group policy as an interim mitigation.
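The audit described above, as an added PowerShell example that is not from Microsoft's advisory or the article. It checks whether ltmdm64.sys is still on disk, whether any kernel driver service still points at it, and can optionally set that service to Disabled as an interim mitigation on hosts that cannot take the October 2025 update yet. The `-Disable` switch and the reported field names are this example's own choices; the driver's service name is discovered from the registry rather than hard-coded, because the page does not state it.

```powershell
# Added example (not Microsoft's or the article's code). Run from an elevated prompt.
param(
    [switch]$Disable   # hypothetical switch: set any ltmdm64 driver service to Disabled
)

$driverName = 'ltmdm64.sys'
$findings   = [ordered]@{}

# 1. Is the binary still on disk? After the October 2025 update it should be gone.
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"
$findings['FileOnDisk'] = Test-Path -LiteralPath $driverPath
if ($findings['FileOnDisk']) {
    $sig = Get-AuthenticodeSignature -FilePath $driverPath
    $findings['SignerSubject'] = $sig.SignerCertificate.Subject
    $findings['FileVersion']   = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion
}

# 2. Which kernel driver service(s) reference it, and are they running right now?
$services = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" }
$findings['DriverServices'] = $services | Select-Object Name, State, StartMode, PathName

# 3. Registry view of the same thing: catches a service key even if WMI misses it.
$regHits = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object {
        $img = (Get-ItemProperty -LiteralPath $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        $img -and $img -like "*$driverName*"
    } | ForEach-Object { $_.PSChildName }
$findings['RegistryServiceKeys'] = $regHits

# 4. Verdict. Presence of the file alone is enough to count the host as exposed,
#    because the vulnerabilities do not require a modem to be in use.
$present = $findings['FileOnDisk'] -or ($services.Count -gt 0) -or ($regHits.Count -gt 0)
if (-not $present) {
    Write-Output "$driverName not found: host is clean or already updated."
} else {
    Write-Output "$driverName present: host is exposed to CVE-2025-24990 / CVE-2025-24052 until updated."
    $findings | Format-List
}

# 5. Optional interim mitigation: stop the driver from loading at next boot.
#    Note the space after 'start=' is required by sc.exe.
if ($Disable -and $regHits) {
    foreach ($svc in $regHits) {
        & sc.exe config $svc start= disabled | Out-Null
        Write-Output "Driver service '$svc' set to Disabled; reboot for it to take effect."
    }
}
```

Run it without `-Disable` first and confirm the service names it reports before disabling anything; a driver set to Disabled stays that way across the later cumulative update, which is harmless here because the update removes the file regardless.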
This incident underscores the need to phase out outdated components proactively rather than after they are exploited. Security teams should add endpoint detection rules for anomalous driver loads and run regular vulnerability scans that flag the driver's presence.
With exploitation of CVE-2025-24990 ongoing, organizations should prioritize this update to cut off the privilege-escalation step in attack chains.
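One way to build the detection rule mentioned above, as an added PowerShell example that is not from the article or any vendor rule set. It reads Sysmon Event ID 6 (DriverLoad) records, flags any load of ltmdm64.sys, and more generally flags drivers loaded from outside the usual driver directories or with a non-valid signature status. Sysmon with DriverLoad logging is assumed to be present; the three sample records at the end are constructed so the filter can be exercised offline, and the function names are this example's own.

```powershell
# Added detection example (not the article's code). Assumes Sysmon is installed
# with DriverLoad (Event ID 6) enabled in its configuration.

function ConvertFrom-SysmonEvent {
    # Turn an EventLogRecord into a hashtable keyed by Sysmon's EventData field names.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $data = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

function Test-DriverLoad {
    # Returns a reason string when the load deserves an alert, otherwise $null.
    param([hashtable]$Data)
    $image = $Data['ImageLoaded']
    if (-not $image) { return $null }

    # Rule 1: the Agere modem driver should not load at all on an updated host.
    if ((Split-Path -Leaf $image) -ieq 'ltmdm64.sys') {
        return "Agere modem driver loaded (CVE-2025-24990/24052 exposure): $image"
    }

    # Rule 2: legitimate drivers live under System32\drivers or the DriverStore.
    $allowed = @(
        (Join-Path $env:SystemRoot 'System32\drivers'),
        (Join-Path $env:SystemRoot 'System32\DriverStore')
    )
    $inAllowed = $false
    foreach ($dir in $allowed) {
        if ($image.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $inAllowed = $true }
    }
    if (-not $inAllowed) { return "Driver loaded from unexpected path: $image" }

    # Rule 3: Sysmon records the signature check result; anything but Valid is suspect.
    if ($Data['SignatureStatus'] -and $Data['SignatureStatus'] -ne 'Valid') {
        return "Driver with signature status '$($Data['SignatureStatus'])': $image"
    }
    return $null
}

# Live query: DriverLoad events from the last 24 hours.
$since = (Get-Date).AddHours(-24)
$live  = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($rec in $live) {
    $reason = Test-DriverLoad (ConvertFrom-SysmonEvent $rec)
    if ($reason) { Write-Warning "$($rec.TimeCreated) $reason" }
}

# Constructed dry-run records (not real telemetry) to exercise the rules offline.
$samples = @(
    @{ ImageLoaded = "$env:SystemRoot\System32\drivers\ltmdm64.sys"; SignatureStatus = 'Valid' },
    @{ ImageLoaded = "$env:SystemRoot\System32\drivers\ndis.sys";    SignatureStatus = 'Valid' },
    @{ ImageLoaded = 'C:\Users\Public\drv.sys';                       SignatureStatus = 'Valid' }
)
$samples | ForEach-Object { Test-DriverLoad $_ } | Where-Object { $_ }
```

Of the three constructed records, the first and third produce alerts and the second is silent. Rule 2 will fire on some vendor drivers that load from their own installation directory, so tune the allowed-path list to the fleet before wiring the output into an alerting pipeline; Rule 1 is the one that matters for this advisory and has no legitimate hits on a patched host.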