

October 15, 2025
Severity
High
Analysis Summary
Microsoft has disclosed two high-severity vulnerabilities in the Agere Modem driver (ltmdm64.sys), a third-party driver that ships with every supported Windows version from Windows 10 onward. Tracked as CVE-2025-24990 and CVE-2025-24052, both flaws allow an attacker who already has local access to escalate from a standard user account to SYSTEM. CVE-2025-24990 is an untrusted pointer dereference (CWE-822) that was exploited in the wild as a zero-day before the fix shipped; CVE-2025-24052 is a stack-based buffer overflow (CWE-121) for which proof-of-concept code is publicly available. The flaws are particularly concerning because the driver is present whether or not a modem is attached, so an attacker does not need to interact with any physical device to exploit them.
The vulnerabilities highlight the risks of legacy drivers in modern Windows ecosystems. CVE-2025-24990 lets an attacker manipulate kernel memory through the driver’s IOCTL handler, crossing the user-to-kernel security boundary, while CVE-2025-24052 feeds oversized input into the driver’s modem emulation routines to corrupt the kernel stack. Both issues carry a CVSS 3.1 base score of 7.8 (High), reflecting high impact on confidentiality, integrity, and availability. Exploits demonstrated by researchers, including those from r-tec IT Security and MSTIC, escalate from a standard user account to SYSTEM without crashing the host, which makes the bugs reliable enough for real-world use.
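Added example, not code from the advisory or from the ltmdm64.sys driver: a user-mode C model of the two request-handling mistakes named above (an unchecked length copied into a stack buffer, CWE-121, and a caller-supplied pointer dereferenced as-is, CWE-822) beside a handler that validates both. The request layout, the `user_arena` stand-in for the user-address check that ProbeForWrite performs in a real driver, and the constructed "AT&F" requests are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MODEM_CMD_MAX 64u  /* on-stack scratch buffer for one modem command */

/* Hypothetical METHOD_BUFFERED request: a fixed header followed by cmd_len
 * bytes of command text. Illustrative layout, not the real driver's. */
struct modem_request_hdr {
    uint32_t cmd_len;    /* caller-claimed length of the command that follows */
    uint32_t reserved;
    uint64_t reply_ptr;  /* caller-supplied address the driver writes a status to */
};

/* Addresses a caller may hand us. A real driver relies on ProbeForWrite() to
 * enforce "below MmUserProbeAddress"; this model uses a small buffer instead. */
struct user_arena { uintptr_t base; uintptr_t limit; };   /* [base, limit) */

/* Returns 0 when [addr, addr + len) lies inside the arena and does not wrap. */
static int probe_for_write(const struct user_arena *ua, uintptr_t addr, size_t len)
{
    if (len == 0) return 0;
    if (len > ua->limit) return -1;
    if (addr < ua->base || addr > ua->limit - len) return -1;
    return 0;
}

/* Vulnerable pattern: trusts cmd_len (CWE-121) and reply_ptr (CWE-822).
 * cmd_len above MODEM_CMD_MAX smashes the stack; a kernel address in
 * reply_ptr becomes an arbitrary 4-byte write. Only called with benign input. */
static int handle_request_unsafe(const uint8_t *in, size_t in_len)
{
    struct modem_request_hdr hdr;
    char scratch[MODEM_CMD_MAX];
    (void)in_len;                                    /* never compared with cmd_len */
    memcpy(&hdr, in, sizeof hdr);
    memcpy(scratch, in + sizeof hdr, hdr.cmd_len);   /* unbounded copy onto the stack */
    *(uint32_t *)(uintptr_t)hdr.reply_ptr = 0u;      /* writes wherever the caller pointed */
    return 0;
}

/* Hardened pattern: every caller-controlled field is validated before use. */
static int handle_request_safe(const struct user_arena *ua, const uint8_t *in, size_t in_len)
{
    struct modem_request_hdr hdr;
    char scratch[MODEM_CMD_MAX];
    if (in == NULL || in_len < sizeof hdr) return -1;         /* header truncated */
    memcpy(&hdr, in, sizeof hdr);
    if (hdr.cmd_len > MODEM_CMD_MAX) return -2;               /* would overflow scratch */
    if (hdr.cmd_len > in_len - sizeof hdr) return -3;         /* claims more bytes than sent */
    if (probe_for_write(ua, (uintptr_t)hdr.reply_ptr, sizeof(uint32_t)) != 0)
        return -4;                                            /* not a user-mode address */
    memcpy(scratch, in + sizeof hdr, hdr.cmd_len);
    /* A driver wraps this write in __try/__except as well; the probe above is
     * what keeps a kernel address from ever reaching it. */
    *(uint32_t *)(uintptr_t)hdr.reply_ptr = hdr.cmd_len;
    return 0;
}

/* Serialises a constructed request into buf; returns total length, 0 if buf
 * is too small. claimed_len may deliberately differ from strlen(cmd). */
static size_t build_request(uint8_t *buf, size_t cap, uint64_t reply_ptr,
                            const char *cmd, uint32_t claimed_len)
{
    struct modem_request_hdr hdr = { claimed_len, 0u, reply_ptr };
    size_t body = strlen(cmd);
    if (cap < sizeof hdr + body) return 0;
    memcpy(buf, &hdr, sizeof hdr);
    memcpy(buf + sizeof hdr, cmd, body);
    return sizeof hdr + body;
}

static uint32_t user_status;   /* the only "user memory" the arena covers */
static uint32_t last_status(void) { return user_status; }

/* Feeds one constructed request to the hardened handler and returns its rc.
 * 0: benign "AT&F"                                   -> 0, status becomes 4
 * 1: cmd_len 200 (stack overflow attempt)            -> -2
 * 2: cmd_len 40 but only 4 bytes sent (over-read)    -> -3
 * 3: reply_ptr at a kernel-looking address           -> -4, status stays 0 */
static int run_scenario(int which)
{
    struct user_arena ua = { (uintptr_t)&user_status,
                             (uintptr_t)&user_status + sizeof user_status };
    uint8_t buf[256];
    uint64_t reply = (uint64_t)(uintptr_t)&user_status;
    uint32_t claimed = 4u;
    if (which == 1) claimed = 200u;
    if (which == 2) claimed = 40u;
    if (which == 3) reply = 0xFFFFF80000000000ULL;
    user_status = 0u;
    size_t n = build_request(buf, sizeof buf, reply, "AT&F", claimed);
    return handle_request_safe(&ua, buf, n);
}

int main(void)
{
    uint8_t buf[256];
    uint32_t status = 0u;
    size_t n = build_request(buf, sizeof buf, (uint64_t)(uintptr_t)&status, "AT&F", 4u);
    printf("unsafe handler, benign input: rc=%d\n", handle_request_unsafe(buf, n));
    for (int i = 0; i < 4; i++) {
        int rc = run_scenario(i);
        printf("safe handler, scenario %d: rc=%d status=%u\n", i, rc, last_status());
    }
    return 0;
}
```

The three rejections map directly to the two CWEs: scenarios 1 and 2 are the length checks that CWE-121 lacks, scenario 3 is the address check that CWE-822 lacks. The unsafe handler is deliberately never given the hostile requests, since in user mode they would crash the process just as they would crash or corrupt the kernel.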
In response, Microsoft’s October 2025 Patch Tuesday release removed the ltmdm64.sys driver entirely rather than patching it, which leaves Agere modem hardware that depends on it unusable. Organizations relying on such fax hardware must seek alternatives, as no replacement driver is provided. Microsoft advises applying the update immediately; until a host is patched, audit it for the driver’s presence with tools such as Autoruns and disable the driver through Device Manager or Group Policy. The disclosures underscore the need for enterprises to phase out outdated components and monitor driver loads closely to catch privilege escalation attempts.
From a broader cybersecurity perspective, these zero-days demonstrate how legacy components can serve as a gateway for severe attacks. An attacker gaining an initial foothold through phishing or malware could leverage the vulnerable driver to execute code with administrative privileges, potentially escalating to domain control, data exfiltration, or ransomware deployment. Security experts recommend deploying endpoint detection rules for anomalous driver behavior and conducting regular vulnerability scans to mitigate risks. Prompt remediation is critical, given the active exploitation of at least one of these flaws.
Impact
- Privilege Escalation
- Gain Access
Indicators of Compromise
CVE
CVE-2025-24990
CVE-2025-24052
Affected Vendors
- Microsoft
Remediation
- Immediately apply the October 2025 Patch Tuesday update to remove the vulnerable ltmdm64.sys driver.
- Audit systems for the presence of ltmdm64.sys using tools like Autoruns or similar endpoint inventory solutions.
- For unpatched systems, disable the driver via Device Manager or Group Policy to prevent exploitation.
- Replace or phase out affected fax modem hardware, as it is now obsolete and no longer supported by Windows updates.
- Implement endpoint detection rules to monitor for anomalous driver loads or unauthorized privilege escalation attempts.
- Conduct regular vulnerability scans to identify and remediate legacy components across the enterprise.
- Educate users and staff on safe practices to avoid initial footholds via phishing or malware that could trigger driver exploits.
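The audit and containment steps above, as an added PowerShell example that is not Microsoft’s or the advisory’s own tooling: it reports whether ltmdm64.sys is on disk and registered as a kernel driver on the local host, flags the host as exposed when the driver can still be loaded, and with -Disable sets the driver’s start type to Disabled for hosts that cannot take the update yet. The driver service name is read from the host; the only hard-coded value is the file name.

```powershell
<#
Added example: inventory a host for the Agere modem driver and, with -Disable,
stop it loading at next boot. Run from an elevated PowerShell session.
Assumption: the file name (ltmdm64.sys) is the only fixed value; the service
name is taken from Win32_SystemDriver on the host itself.
#>
param([switch]$Disable)

$driverFile = 'ltmdm64.sys'
$driverPath = Join-Path $env:SystemRoot ("System32\drivers\" + $driverFile)

$report = [ordered]@{
    Host        = $env:COMPUTERNAME
    FileOnDisk  = Test-Path -LiteralPath $driverPath
    FileVersion = $null
    Registered  = $false
    DriverName  = $null
    State       = $null
    StartMode   = $null
    Exposed     = $false
}

if ($report.FileOnDisk) {
    $report.FileVersion = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion
}

# Win32_SystemDriver lists every kernel driver the Service Control Manager knows
# about, attached hardware or not, so it catches the "driver present, no modem"
# case the advisory warns about. The match is on the image path, not a name.
$drv = Get-CimInstance -ClassName Win32_SystemDriver |
       Where-Object { $_.PathName -and $_.PathName -like "*\$driverFile" }

if ($drv) {
    $report.Registered = $true
    $report.DriverName = $drv.Name
    $report.State      = $drv.State       # Running or Stopped
    $report.StartMode  = $drv.StartMode   # Boot, System, Auto, Manual or Disabled
}

# Exposed: the file is still present and the driver can still be loaded. A host
# that has taken the October 2025 update should report FileOnDisk = False.
$report.Exposed = [bool]($report.FileOnDisk -and $drv -and ($drv.StartMode -ne 'Disabled'))

[pscustomobject]$report | Format-List

if ($Disable -and $report.Exposed) {
    # sc.exe accepts kernel driver services; note the required space after 'start='.
    # An already-loaded driver stays in memory until reboot; the update is the real fix.
    & sc.exe config $drv.Name start= disabled | Out-Null
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Driver '$($drv.Name)' set to Disabled; reboot to unload it."
    } else {
        Write-Warning "sc.exe config failed with exit code $LASTEXITCODE"
    }
}
```

Save it as a script and run it as-is for a report, or with -Disable for containment; for a fleet, push the same file with Invoke-Command -FilePath and collect the Exposed field per host. Treat Exposed = True on a host that reports the update as installed as a finding in its own right, since the update is expected to remove the file.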
