CVE Alert: CVE-2025-24052 – Microsoft – Windows 11 Version 25H2
CVE-2025-24052
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Fax modem hardware dependent on this specific driver will no longer work on Windows. Microsoft recommends removing any existing dependencies on this hardware.
AI Summary Analysis
Risk verdict
High risk: high-severity elevation of privilege with local access requirements and PoC exploit visibility; fix should be treated as a priority when available.
Why this matters
An attacker who already has local access could escalate to SYSTEM-like privileges, enabling full control of affected hosts, credential access, and potential lateral movement within the network. Enterprises with legacy Agere modem/fax modem deployments are particularly exposed, as the vulnerable driver is active on many Windows builds.
Most likely attack path
The exploit requires local access, low privileges, and no user interaction, with kernel/driver-level execution leading to complete compromise of the targeted host. The unchanged scope means the impact remains within the compromised device, though privilege escalation can enable broader persistence and system-wide damage.
Who is most exposed
End-user devices and servers running affected Windows versions that include the Agere modem driver, especially in organisations with older hardware or legacy modem configurations still in use.
Detection ideas
- Watch for attempts to load or unload the ltmdm64.sys driver or related Agere components.
- Detect privilege-escalation attempts without user interaction, including abnormal service creation or driver-install activity.
- Monitor for kernel-mode memory access patterns or unusual process trees following modem-driver events.
- Look for system updates that remove the legacy driver and any remnants or rollback attempts.
- Review EDR alerts for anomalous file access involving the modem driver.
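A sketch of the first detection idea, added here as an example and not part of the original alert: it scans exported Sysmon Event ID 6 (driver loaded) records for loads of ltmdm64.sys and records whether the image came from the standard drivers directory. The sample events, host names and the standard-directory path are constructed assumptions.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET = "ltmdm64.sys"  # driver named in the advisory
# Assumption: usual inbox driver directory; loads from elsewhere are marked.
STANDARD_DIR = r"c:\windows\system32\drivers"

# Constructed sample export (Sysmon events trimmed to the fields used below).
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>6</EventID><TimeCreated SystemTime="2025-10-20T08:14:02Z"/><Computer>ws-014.example.test</Computer></System>
<EventData><Data Name="ImageLoaded">C:\Windows\System32\drivers\ltmdm64.sys</Data><Data Name="Signed">true</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>6</EventID><TimeCreated SystemTime="2025-10-20T08:15:40Z"/><Computer>ws-020.example.test</Computer></System>
<EventData><Data Name="ImageLoaded">C:\Windows\System32\drivers\tcpip.sys</Data><Data Name="Signed">true</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>6</EventID><TimeCreated SystemTime="2025-10-21T22:03:11Z"/><Computer>ws-031.example.test</Computer></System>
<EventData><Data Name="ImageLoaded">C:\Temp\LTMDM64.SYS</Data><Data Name="Signed">false</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>11</EventID><TimeCreated SystemTime="2025-10-21T22:02:58Z"/><Computer>ws-031.example.test</Computer></System>
<EventData><Data Name="TargetFilename">C:\Temp\LTMDM64.SYS</Data></EventData></Event>
</Events>"""


def find_driver_loads(xml_text, target=TARGET):
    """Return one record per Event ID 6 entry whose image file name is `target`."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "6":
            continue  # only "Driver loaded" events are relevant here
        data = {d.get("Name"): (d.text or "")
                for d in ev.iterfind("e:EventData/e:Data", NS)}
        path = data.get("ImageLoaded", "")
        # ntpath handles backslash paths regardless of the analysis host's OS.
        if ntpath.basename(path).lower() != target.lower():
            continue
        hits.append({
            "host": ev.findtext("e:System/e:Computer", namespaces=NS),
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "path": path,
            "standard_location": ntpath.dirname(path).lower() == STANDARD_DIR,
            "signed": data.get("Signed", "").lower() == "true",
        })
    return hits


if __name__ == "__main__":
    for hit in find_driver_loads(SAMPLE_EVENTS):
        print(hit)
```

On hosts that have received the October cumulative update, any hit is worth triage, since the driver should no longer be present to load.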
Mitigation and prioritisation
- Apply the October cumulative Windows update that removes the ltmdm64.sys driver; confirm driver removal across devices.
- If patching is delayed, disable or uninstall the Agere modem/fax driver and disable related devices where feasible.
- Enforce least-privilege, restrict local account elevation, and strengthen kernel/user separation (HBSS/EDR rules, AppLocker, driver-signing checks).
- Validate patch compliance in asset inventories; document remediation timelines and test in pilot groups.
- If the CVE is listed in the CISA KEV catalogue or its EPSS score is ≥ 0.5, treat as priority 1; KEV/EPSS data is not provided here.