Microsoft has recently disclosed two critical zero-day vulnerabilities within the Agere Modem driver, a component integrated into Windows operating systems. These vulnerabilities, identified as CVE-2025-24990 and CVE-2025-24052, have been actively exploited by attackers to escalate privileges, potentially granting them full administrative access to affected systems.
Understanding the Vulnerabilities
The Agere Modem driver, specifically the ltmdm64.sys file, has been a standard inclusion in Windows for years. Despite its legacy status, it has now become a focal point for security concerns.
– CVE-2025-24990: This vulnerability arises from an untrusted pointer dereference, classified under CWE-822. Attackers can exploit this flaw to manipulate memory, effectively bypassing established security boundaries. With a CVSS 3.1 score of 7.8, it poses a significant risk, especially considering that exploitation requires only local access and minimal privileges. The potential impact on confidentiality, integrity, and availability is substantial. Microsoft’s Threat Intelligence Center (MSTIC), in collaboration with researchers from r-tec IT Security and an anonymous contributor, has confirmed active exploitation of this vulnerability in real-world scenarios.
– CVE-2025-24052: This issue is rooted in a stack-based buffer overflow, categorized under CWE-121. It also carries a CVSS score of 7.8. While proof-of-concept code has been publicly disclosed, there have been no confirmed instances of this vulnerability being exploited in the wild to date.
Notably, these vulnerabilities are present even if the modem hardware is inactive. They affect all supported versions of Windows from Windows 10 onwards. Attackers do not need to interact with the hardware directly; a local exploit is sufficient to elevate their privileges.
Technical Breakdown
The following table provides a concise overview of the vulnerabilities:
| CVE ID | Description | CVSS Score | Exploit Status | Weakness |
|----------------|----------------------------------------------|------------|-------------------------------------|----------|
| CVE-2025-24990 | Untrusted Pointer Dereference in ltmdm64.sys | 7.8 | Actively Exploited (Functional PoC) | CWE-822 |
| CVE-2025-24052 | Stack-based Buffer Overflow in ltmdm64.sys | 7.8 | Proof-of-Concept Available | CWE-121 |
While specific indicators of compromise (IoCs) have not been detailed, Microsoft recommends scanning systems for the presence of the ltmdm64.sys driver to assess potential exposure.
Implications for Security
The exploitation of these zero-day vulnerabilities underscores the inherent risks associated with legacy drivers in contemporary computing environments. An attacker who has already gained an initial foothold, for example through a phishing campaign or malware deployment, can use these vulnerabilities to abuse the installed driver and execute code with administrative privileges.
In enterprise settings, such privilege escalation can lead to severe consequences, including:
– Domain Control: Attackers can gain control over domain controllers, compromising the entire network infrastructure.
– Data Exfiltration: Sensitive data can be accessed and extracted without detection.
– Ransomware Deployment: Malicious software can be installed to encrypt critical data, leading to operational disruptions and potential financial losses.
Fabian Mosch from r-tec IT Security highlighted that these exploits often target the driver loading process during system boot or service calls, effectively bypassing user-mode defenses and making detection more challenging.
Proof-of-Concept Insights
For CVE-2025-24990, the proof-of-concept involves crafting malformed input to the driver’s IOCTL (Input/Output Control) handler. This manipulation triggers the dereference of a controlled pointer, leading to unauthorized memory access.
In the case of CVE-2025-24052, the exploit focuses on inducing stack corruption through oversized buffers within modem emulation routines. Researchers have demonstrated that such exploitation can elevate privileges from a standard user to SYSTEM level without causing system crashes, indicating a high level of stealth and efficiency.
Microsoft’s Response and Recommendations
In response to these vulnerabilities, Microsoft’s October Patch Tuesday release included the complete removal of the ltmdm64.sys driver. This action renders any dependent Agere modems non-functional. Users who rely on fax hardware utilizing this driver will need to seek alternative solutions, as no backward compatibility options are provided.
Microsoft advises users to:
1. Apply the Latest Patches: Ensure that all systems are updated with the latest security patches to mitigate these vulnerabilities.
2. Audit for Driver Presence: Utilize tools like Autoruns to scan for the presence of the ltmdm64.sys driver and assess potential exposure.
3. Disable the Driver on Unpatched Systems: For systems that cannot be immediately patched, disable the driver through Device Manager or implement group policy settings to prevent its execution.
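The audit and containment steps above can be scripted. The following PowerShell script is an added example, not code from the article or from Microsoft; it assumes the driver binary sits in the standard System32\drivers location and is registered with the Service Control Manager as a kernel driver (the service name is read from the registration rather than assumed), and it must be run from an elevated session.

```powershell
# Added example (not from the original article): audit a Windows host for the
# legacy Agere modem driver ltmdm64.sys and, with -Disable, disable it on a host
# that cannot be patched yet. Assumptions: the driver file lives under
# System32\drivers and is registered with the SCM as a kernel-driver service.
param(
    [switch]$Disable   # set this to disable the driver service on an unpatched host
)

$driverFile = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'

# 1. Is the driver binary still on disk? After the October update it should be gone.
if (Test-Path $driverFile) {
    $sig = Get-AuthenticodeSignature -FilePath $driverFile
    Write-Host "FOUND  $driverFile  (signer: $($sig.SignerCertificate.Subject))"
} else {
    Write-Host "OK     $driverFile is not present"
}

# 2. Does any kernel-driver service still point at the binary, and is it loaded?
#    Filtering on PathName avoids guessing the service name.
$drivers = Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%ltmdm64.sys%'"
if (-not $drivers) {
    Write-Host 'OK     no kernel-driver service references ltmdm64.sys'
}
foreach ($drv in $drivers) {
    Write-Host ("SVC    {0}  state={1}  start={2}  path={3}" -f `
        $drv.Name, $drv.State, $drv.StartMode, $drv.PathName)

    if ($Disable) {
        # sc.exe handles kernel drivers; note the mandatory space after 'start='.
        & sc.exe config $drv.Name start= disabled | Out-Null
        if ($drv.State -eq 'Running') {
            # Stopping a loaded kernel driver may be refused; a reboot finishes the job.
            & sc.exe stop $drv.Name | Out-Null
        }
        Write-Host "       -> start type set to Disabled (fully effective after reboot)"
    }
}
```

Run it without -Disable first to inventory exposure across hosts; the file and service checks are independent, so a stale SCM entry with no binary (or the reverse) is reported too.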
This incident serves as a stark reminder of the importance of phasing out outdated components within modern systems. Cybersecurity experts recommend implementing endpoint detection rules to identify anomalous driver loads and conducting regular vulnerability scans to proactively identify and address potential threats.
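One concrete form of the driver-load detection recommended above is to hunt the Windows event logs for any load or registration of ltmdm64.sys. The script below is an added example, not part of the article; it assumes Sysmon is installed with driver-load logging (Event ID 6) enabled, and falls back to the System log's service-installation event (ID 7045) where it is not.

```powershell
# Added example (not from the original article): look back $Days days for loads or
# installations of the legacy Agere modem driver. Assumptions: Sysmon Event ID 6
# ("Driver loaded") is collected; System Event ID 7045 ("A service was installed")
# is always available and also covers kernel-driver registrations.
param(
    [int]$Days = 30
)
$since = (Get-Date).AddDays(-$Days)
$hits  = @()

# Sysmon ID 6 records every kernel driver load with image path and signature status.
# Get-WinEvent reports "no events found" as an error, so it is silenced here.
$hits += Get-WinEvent -FilterHashtable @{
            LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 6; StartTime = $since
         } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ltmdm64\.sys' } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'Sysmon/6'
            Detail = ($_.Message -replace "`r?`n", ' ')
        }
    }

# System ID 7045: a new service, including a kernel driver, was registered. On a
# patched host (driver removed) any new registration of ltmdm64.sys is suspicious.
$hits += Get-WinEvent -FilterHashtable @{
            LogName = 'System'; Id = 7045; StartTime = $since
         } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'ltmdm64' } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Source = 'System/7045'
            Detail = ($_.Message -replace "`r?`n", ' ')
        }
    }

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No ltmdm64.sys load or install events in the last $Days days."
}
```

The same two event sources are what a SIEM rule would key on; the script is the one-host version of that rule for ad-hoc triage.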
As exploitation of these vulnerabilities continues, organizations are urged to prioritize these fixes to prevent potential privilege escalation attacks and safeguard their systems against unauthorized access.