Cybersecurity
A recently identified zero-day vulnerability in the Windows Agere Modem driver has been actively exploited, enabling threat actors to elevate privileges on affected systems.
Identified as CVE-2025-24052 and CVE-2025-24990, these vulnerabilities allow a low-privileged user to gain full system control without user interaction.
Microsoft’s October cumulative update removes the vulnerable ltmdm64.sys driver. However, organizations using fax modem hardware dependent on this component may face potential service disruptions.
Details of the Vulnerabilities
The vulnerability CVE-2025-24052 is a stack-based buffer overflow in the Agere Modem driver. This flaw allows an attacker with low privileges to execute arbitrary code in kernel context, impacting confidentiality, integrity, and availability.
Microsoft categorizes this vulnerability as Important with a CVSS v3.1 score of 7.8. Proof-of-concept exploit code has already been published, necessitating urgent patching.
Following this, researchers identified CVE-2025-24990, an untrusted pointer dereference in the same driver.
| CVE ID | Release Date | Impact | Max Severity | CVSS v3.1 Score |
| CVE-2025-24052 | Oct 14, 2025 | Elevation of Privilege | Important | 7.8 |
| CVE-2025-24990 | Oct 14, 2025 | Elevation of Privilege | Important | 7.8 |
This vulnerability similarly enables local privilege escalation, leveraging low user privileges and requiring no user interaction.
Microsoft also rates the severity as Important and assigns a CVSS v3.1 rating of 7.8. Although no public exploit was initially observed, the similarity to the first flaw raises the risk of rapid weaponization.
Impact on Affected Systems
Both vulnerabilities target the ltmdm64.sys component, which is included by default in supported Windows releases.
Fax modem hardware relying on this specific Agere driver will cease functioning once the driver is removed by the October cumulative update.
Organizations using fax solutions in regulated industries such as healthcare, finance, and legal services should evaluate their dependency on legacy modem hardware and consider alternative communication methods.
Microsoft’s executive summary emphasizes the removal of the outdated driver and urges administrators to remove any existing dependencies on fax modem hardware that cannot be updated.
As the proof-of-concept exploit for CVE-2025-24052 is publicly available, threat actors could integrate this code into broader attack chains, enabling data theft or ransomware deployment after gaining kernel-level access.
To mitigate both vulnerabilities, apply the October 2025 Windows cumulative update immediately. This update permanently removes the vulnerable ltmdm64.sys driver from all supported platforms.
For environments where replacing the hardware is not yet feasible, consider the following interim measures:
- Disable fax modem functionality through Group Policy or configuration management tools.
- Restrict local user privileges using AppLocker, Device Guard, or similar solutions to limit the ability to load or interact with the vulnerable driver.
- Monitor Windows Event Logs for unusual kernel-mode driver load attempts or process elevation events.
Transitioning away from unsupported modem hardware will ultimately eliminate the attack surface.
IT teams should audit existing inventories, prioritize systems with the Agere Modem driver installed, and plan migrations to supported communication solutions.
-
Bread Partners with Self‑Publishers to Offer Buy Now, Pay Later Solutions
In a strategic move to bolster financial flexibility and accessibility for writers, ... -
-
-
