CVE Alert: CVE-2025-24990 – Microsoft – Windows 11 Version 25H2
CVE-2025-24990
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Fax modem hardware dependent on this specific driver will no longer work on Windows. Microsoft recommends removing any existing dependencies on this hardware.
AI Summary Analysis
Risk verdict
Active exploitation is reported; this local privilege escalation vulnerability on Windows drivers warrants urgent remediation.
Why this matters
An attacker with limited local access can escalate to SYSTEM rights, enabling full control and potential data exposure or deployment of subsequent payloads. The affected surface spans multiple Windows client and server SKUs, including recent versions, increasing the chance of encountering at-risk hosts across organisations.
Most likely attack path
Exploitation relies on local access (no user interaction required) to trigger a kernel-mode vulnerability in the Agere modem driver. An attacker could leverage this to bypass normal permissions, enabling persistence and lateral movement via trusted components or services that interact with the driver. Given the driver’s role, exploitation is more feasible on endpoints with legacy fax/modem hardware or vendor-provided driver stacks still present.
Who is most exposed
Desktops, laptops and servers with installed Agere modem components and legacy fax hardware are most at risk, particularly in organisations with older imaging or update timelines and limited patching windows.
Detection ideas
- Kernel-mode driver load events for ltmdm64.sys outside normal maintenance windows.
- Unusual device-driver activity or failed I/O control calls targeting the modem subsystem.
- Surges in privilege-escalation attempts post-user login or during service startup.
- Anomalous process creation or service manipulation tied to modem-related components.
- Event log spikes around device installation/removal correlated with recent updates.
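The first detection idea above, sketched as an added example (not part of the original alert or of any vendor tooling). It triages records shaped like Sysmon Event ID 6 (Driver loaded); the sample events, host names, the 01:00-04:00 UTC maintenance window and the expected driver directory are assumptions made for illustration.

```python
from datetime import datetime, time
from ntpath import basename  # parses Windows paths on any OS

TARGET_DRIVER = "ltmdm64.sys"
# Assumed maintenance window (local policy, not from the advisory): 01:00-04:00 UTC.
WINDOW_START, WINDOW_END = time(1, 0), time(4, 0)
# Assumed default driver directory; adjust if the system root differs.
EXPECTED_DIR = r"c:\windows\system32\drivers" + "\\"

# Constructed sample records using Sysmon Event ID 6 field names.
SAMPLE_EVENTS = [
    {"Computer": "WS-014", "UtcTime": "2025-10-02 02:15:09.113",
     "ImageLoaded": r"C:\Windows\System32\drivers\ltmdm64.sys", "Signed": "true"},
    {"Computer": "WS-022", "UtcTime": "2025-10-02 14:41:37.580",
     "ImageLoaded": r"C:\Windows\System32\drivers\LTMDM64.SYS", "Signed": "true"},
    {"Computer": "WS-022", "UtcTime": "2025-10-02 14:41:38.002",
     "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys", "Signed": "true"},
    {"Computer": "SRV-03", "UtcTime": "2025-10-03 09:05:00.000",
     "ImageLoaded": r"C:\Users\Public\ltmdm64.sys", "Signed": "false"},
]

def triage(events):
    """Return one finding per load of the target driver, with reasons to review it."""
    findings = []
    for ev in events:
        path = ev["ImageLoaded"]
        if basename(path).lower() != TARGET_DRIVER:
            continue  # not the Agere modem driver
        ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
        reasons = []
        if not (WINDOW_START <= ts.time() < WINDOW_END):
            reasons.append("outside maintenance window")
        if not path.lower().startswith(EXPECTED_DIR):
            reasons.append("unexpected path")
        if ev.get("Signed", "").lower() != "true":
            reasons.append("unsigned")
        findings.append({"host": ev["Computer"], "time": ts, "path": path,
                         "reasons": reasons, "alert": bool(reasons)})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        flag = "ALERT" if f["alert"] else "info"
        print(f"{flag:5} {f['host']:7} {f['time']} {f['path']} {', '.join(f['reasons'])}")
```

Findings without an alert still mark hosts where the driver is present, which feeds the hardware inventory step under mitigation.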
Mitigation and prioritisation
- Patch: apply the October cumulative update that removes the ltmdm64.sys driver; if unavailable, disable/uninstall the Agere modem component or remove fax/modem dependencies.
- Controls: restrict kernel-driver loading, enforce application and device installation policies, and strengthen endpoint MFA and least-privilege.
- Detection: enable kernel and device-driver monitoring; deploy targeted EDR rules for modem-driver activity.
- Change-management: inventory affected hardware, schedule patching in a controlled window, test hardware functionality post-removal.
- If KEV/EPSS indicators become available and are favorable, elevate to priority 1.