CVE-2025-24052 Overview
CVE-2025-24052 is a stack-based buffer overflow vulnerability [CWE-121] in the third-party Agere Modem driver ltmdm64.sys that ships natively with supported Windows operating systems. Microsoft disclosed the flaw on October 14, 2025, and removed the driver in the October cumulative update. A local, authenticated attacker can trigger the overflow to achieve elevated code execution on affected Windows client and server platforms. Because the driver was shipped in-box across two decades of Windows releases, the exposure surface spans Windows 10, Windows 11, and Windows Server 2008 through Windows Server 2025. Fax modem hardware dependent on this driver no longer functions after the update.
Critical Impact
Local privilege escalation to kernel context via a stack-based buffer overflow in ltmdm64.sys, impacting Windows 10, Windows 11, and Windows Server editions from 2008 through 2025.
Affected Products
- Microsoft Windows 10 (1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (22H2, 23H2, 24H2, 25H2)
- Microsoft Windows Server 2008, 2012, 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- 2025-10-14 - CVE CVE-2025-24052 published to NVD
- 2025-10-14 - Microsoft releases October cumulative update removing ltmdm64.sys
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-24052
Vulnerability Analysis
The vulnerability resides in ltmdm64.sys, the Agere Systems soft modem driver bundled with Windows. The driver contains a stack-based buffer overflow [CWE-121] reachable from local user context. Because ltmdm64.sys executes in kernel mode, successful exploitation grants an attacker the ability to corrupt kernel memory, leading to full compromise of confidentiality, integrity, and availability on the host.
Exploitation requires local access and low privileges but no user interaction. An attacker who has already obtained a foothold on a workstation or terminal server can use the flaw to escape restricted user contexts, disable endpoint controls, install persistent implants, or pivot laterally using harvested credentials. Microsoft chose to remove the driver entirely rather than patch it, given its third-party origin and the deprecation of dial-up fax modem hardware.
Root Cause
The root cause is improper bounds checking on data written to a fixed-size stack buffer inside routines of the ltmdm64.sys driver. When attacker-controlled input exceeds the allocated stack region, adjacent stack frame data such as saved return addresses and function pointers are overwritten. In kernel context, this corruption can be steered toward controlled instruction pointer redirection.
Attack Vector
The attack vector is local. An authenticated user issues crafted I/O requests, likely through IOCTLs or device interface calls exposed by ltmdm64.sys, that pass oversized or malformed buffers into the vulnerable routine. The driver processes the input on the kernel stack without validating length, triggering the overflow. Successful chains typically culminate in arbitrary kernel-mode code execution and SYSTEM-level privileges. See the Microsoft Security Update CVE-2025-24052 advisory for vendor detail.
No public proof-of-concept exploit code is available at the time of publication, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Detection Methods for CVE-2025-24052
Indicators of Compromise
- Presence of ltmdm64.sys in %SystemRoot%\System32\drivers\ on systems that have not applied the October 2025 cumulative update.
- Unexpected kernel bugchecks referencing ltmdm64.sys in MEMORY.DMP or Windows Event Log entries with source BugCheck.
- Non-administrative processes opening handles to modem device objects such as \\.\Modem on systems without legitimate fax hardware.
Detection Strategies
- Inventory endpoints for the file ltmdm64.sys and correlate against patch status to identify unremediated hosts.
- Monitor kernel driver load events (Windows Event ID 6, Sysmon Event ID 6) for ltmdm64.sys after the October 2025 update should have removed it.
- Alert on privilege escalation patterns following non-privileged process access to modem device interfaces.
Monitoring Recommendations
- Enable and forward Windows Kernel-PnP and driver installation events to a central SIEM or data lake for retrospective hunting.
- Track process integrity level transitions from Medium to System on hosts where the vulnerable driver is present.
- Review crash telemetry for repeat faults involving the Agere Modem driver, which may indicate exploitation attempts.
How to Mitigate CVE-2025-24052
Immediate Actions Required
- Deploy the October 2025 Windows cumulative update to all affected Windows 10, Windows 11, and Windows Server systems, which removes ltmdm64.sys.
- Audit endpoints and servers for the continued presence of ltmdm64.sys and prioritize any hosts where the file remains after patching.
- Restrict local logon rights on servers and administrative workstations to reduce the pool of users capable of triggering the local attack vector.
Patch Information
Microsoft addressed CVE-2025-24052 by removing the ltmdm64.sys driver in the October 2025 cumulative update rather than issuing a code fix. Refer to the Microsoft Security Update CVE-2025-24052 guide for update KB identifiers per Windows version. Fax modem hardware dependent on this driver will no longer function; Microsoft recommends migrating away from any hardware requiring ltmdm64.sys.
Workarounds
- On systems where the cumulative update cannot be applied immediately, disable and block the driver using a Windows Defender Application Control (WDAC) or AppLocker policy that denies loading of ltmdm64.sys.
- Remove or rename the driver file from %SystemRoot%\System32\drivers\ltmdm64.sys and delete associated service registry keys to prevent load on reboot.
- Enforce least privilege and prohibit interactive logon by standard users on servers exposed to multi-user workloads.
# Verify the vulnerable driver is no longer present after patching (PowerShell)
Get-ChildItem -Path "$env:SystemRoot\System32\drivers\ltmdm64.sys" -ErrorAction SilentlyContinue
# Query the associated service state
sc.exe query ltmdmmodem
# If still present, disable the service pending patch deployment
sc.exe config ltmdmmodem start= disabled
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

