Cyber Web Spider Blog – News


Windows Agere Modem Driver 0-Day Vulnerabilities Actively Exploited To Escalate Privileges

Posted on October 15, 2025 By CWS

Microsoft has disclosed two critical zero-day vulnerabilities in the Agere Modem driver bundled with Windows operating systems, confirming active exploitation to escalate privileges.

The issues, tracked as CVE-2025-24990 and CVE-2025-24052, affect the ltmdm64.sys driver and could allow low-privileged attackers to gain full administrator access.

These issues were patched in the October 2025 cumulative update, but Microsoft warns that affected fax modem hardware will stop functioning post-update.

Vulnerabilities Uncovered In Legacy Driver

The Agere Modem driver, a third-party component shipped natively in Windows, has long been a dormant risk.

CVE-2025-24990 stems from an untrusted pointer dereference (CWE-822), enabling attackers to manipulate memory and bypass security boundaries.

With a CVSS 3.1 score of 7.8, it requires only local access and low privileges, yet yields high impacts on confidentiality, integrity, and availability.

Microsoft’s threat intelligence team, MSTIC, along with researchers from r-tec IT Security and an anonymous contributor, identified exploitation in the wild.

The second flaw, CVE-2025-24052, involves a stack-based buffer overflow (CWE-121), scoring 7.8 on CVSS. Publicly disclosed with proof-of-concept code available, it poses a similar threat but has not yet been observed in active attacks.

Both vulnerabilities persist even without active modem use, affecting all supported Windows versions from Windows 10 onward. Attackers need not interact with hardware; a simple local exploit suffices to elevate rights.

| CVE ID | Description | CVSS Score | Exploit Status | Weakness |
|---|---|---|---|---|
| CVE-2025-24990 | Untrusted Pointer Dereference in ltmdm64.sys | 7.8 (Important) | Actively Exploited (Functional PoC) | CWE-822 |
| CVE-2025-24052 | Stack-based Buffer Overflow in ltmdm64.sys | 7.8 (Important) | Proof-of-Concept Available | CWE-121 |

No indicators of compromise (IoCs) were detailed in the disclosures, but Microsoft urges scanning for the presence of ltmdm64.sys.

These zero-days highlight the dangers of legacy drivers in modern ecosystems. An attacker with an initial foothold, perhaps via phishing or malware, could load the vulnerable driver and execute code to impersonate admins.

In enterprise settings, this escalates to domain control, data exfiltration, or ransomware deployment. Fabian Mosch from r-tec noted that exploits target driver loading during system boot or service calls, evading user-mode defenses.

The proof-of-concept for CVE-2025-24990 involves crafting malformed input to the driver’s IOCTL handler, which triggers the dereference of a controlled pointer.

For CVE-2025-24052, the overflow exploits stack corruption via oversized buffers in modem emulation routines. Researchers demonstrated privilege jumps from standard user to SYSTEM level without crashes.

Microsoft’s Response And User Guidance

In the October Patch Tuesday release, Microsoft removed ltmdm64.sys entirely, rendering dependent Agere modems obsolete. Users reliant on fax hardware must seek alternatives, as no backward compatibility exists.

The company advises immediate patching and auditing for the driver via tools like Autoruns. For unpatched systems, disable the driver through Device Manager or group policy.
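
One way to run the driver audit on a single host from PowerShell, as an added example (not Microsoft's or this article's code). It is read-only and assumes the driver, if present, sits in the default locations under %SystemRoot%; the report field names are illustrative.

```powershell
# Added example: read-only inventory of ltmdm64.sys on the local host.
$driverName  = 'ltmdm64.sys'
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')  # staged driver packages
)

# 1. Copies of the file on disk (assumed default locations only).
$files = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $driverName -Recurse -File -ErrorAction SilentlyContinue
    }
}

# Record version, signature state and hash so findings can be compared across hosts.
$fileReport = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    [pscustomobject]@{
        Path      = $f.FullName
        Version   = $f.VersionInfo.FileVersion
        LastWrite = $f.LastWriteTimeUtc
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
        SHA256    = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    }
}

# 2. Kernel driver services whose image path references the file,
#    matched on path rather than on a guessed service name.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName*" } |
    Select-Object Name, State, StartMode, PathName

if ($fileReport -or $services) {
    Write-Warning "$driverName found on $env:COMPUTERNAME; confirm the October 2025 update is installed."
    $fileReport | Format-List
    $services   | Format-Table -AutoSize
} else {
    Write-Output "$driverName not found in default driver locations on $env:COMPUTERNAME."
}
```

A service row with State "Running" or a StartMode other than "Disabled" marks a host where the driver can still be loaded and should be patched or have the driver disabled first.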

This incident underscores the need to phase out outdated components. Cybersecurity experts recommend endpoint detection rules for anomalous driver loads and regular vulnerability scans.

As exploitation continues, organizations should prioritize these fixes to thwart privilege escalation chains.
