Microsoft Alarms Over Two Zero-Day Vulnerabilities in Agere Modem Driver
Microsoft has unveiled the presence of two significant zero-day vulnerabilities within the Agere Modem driver, which is integrated into Windows operating systems. These flaws, identified as CVE-2025-24990 and CVE-2025-24052, have been confirmed to be under active exploitation, permitting attackers to elevate their privileges to administrator levels.
The vulnerabilities affect the ltmdm64.sys driver. Although these issues were addressed in the cumulative update issued in October 2025, Microsoft has cautioned that the affected fax modem hardware will become non-functional following this update.
Examination of Vulnerabilities in Legacy Drivers
The Agere Modem driver, a third-party software component shipped directly with Windows, has become a persistent, albeit dormant, security risk. Specifically, CVE-2025-24990 emerges from an untrusted pointer dereference (CWE-822) issue, allowing attackers to manipulate memory and evade established security protocols.
This vulnerability has received a CVSS 3.1 score of 7.8, necessitating only local access and minimal privileges while posing substantial risks to confidentiality, integrity, and availability.
Detected through collaborative efforts between Microsoft’s threat intelligence team (MSTIC) and external researchers, including r-tec IT Security, exploitation of this flaw has been observed in live environments.
The second concern, CVE-2025-24052, pertains to a stack-based buffer overflow (CWE-121), also scoring 7.8 on the CVSS scale. Although it has been publicly disclosed with available proof-of-concept code, there have been no recorded active attacks utilizing this particular vulnerability as of yet.
Importantly, these vulnerabilities exist independently of active modem usage, affecting all supported Windows versions from Windows 10 onwards. Attackers can elevate their privileges through simple local exploits without needing direct interaction with the hardware.
| CVE ID | Description | CVSS Score | Exploit Status | Weakness |
|---|---|---|---|---|
| CVE-2025-24990 | Untrusted Pointer Dereference in ltmdm64.sys | 7.8 (Important) | Actively Exploited (Functional PoC) | CWE-822 |
| CVE-2025-24052 | Stack-based Buffer Overflow in ltmdm64.sys | 7.8 (Important) | Proof-of-Concept Available | CWE-121 |
While detailed indicators of compromise (IoCs) have not been explicitly provided, Microsoft encourages users to conduct a thorough check for the presence of ltmdm64.sys.
These zero-day vulnerabilities underscore the inherent perils associated with legacy drivers in contemporary digital environments.
An attacker who secures an initial foothold—potentially through phishing or malware—could exploit the vulnerable driver and execute malicious code, masquerading as an administrator.
In corporate settings, such exploitation could escalate into domain control, unauthorized data access, or even the deployment of ransomware.
Fabian Mosch from r-tec elucidated that these exploits often target driver loading during the system’s boot phase or through service calls, thereby circumventing user-mode defenses.
The proof-of-concept for CVE-2025-24990 entails crafting malformed inputs directed at the driver’s IOCTL handler, which consequently triggers the dereferencing of a controlled pointer.
In the instance of CVE-2025-24052, overflow exploits result in stack corruption through oversized buffers in modem emulation routines, with researchers demonstrating the ability to elevate privileges from standard user to SYSTEM level without inducing system crashes.
Microsoft’s Strategic Response and User Recommendations
In its October Patch Tuesday release, Microsoft chose to entirely eliminate ltmdm64.sys, thereby rendering the Agere modems dependent on this driver obsolete.
Users reliant on fax hardware must now seek alternative solutions, as there is no provision for backward compatibility.
The company strongly urges users to apply updates promptly and conduct audits for the driver utilizing tools such as Autoruns.
For those with unpatched systems, it is advisable to disable the driver via Device Manager or implement group policy restrictions.
This incident serves as a stark reminder of the importance of phasing out outdated components within software ecosystems.
Cybersecurity experts advocate for the establishment of endpoint detection rules to monitor anomalous driver loads, alongside regular vulnerability assessments.
As the threat landscape evolves, organizations must prioritize these patches to mitigate the risks associated with privilege escalation.
Source link: Cybersecuritynews.com.
