CVE-2025-24990 Overview
CVE-2025-24990 is a vulnerability in the third-party Agere Modem driver (ltmdm64.sys) that ships natively with supported Windows operating systems. Microsoft has identified security issues within this legacy driver that could allow local attackers to elevate privileges on affected systems. The vulnerability has been addressed through the removal of the vulnerable driver in the October cumulative update.
This vulnerability is classified under CWE-822 (Untrusted Pointer Dereference), indicating that the driver improperly handles memory pointers, which can be exploited by a local attacker with low privileges to gain elevated access to the system.
Critical Impact
This vulnerability is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. Local attackers can leverage this driver vulnerability to achieve privilege escalation on affected Windows systems.
Affected Products
- Microsoft Windows 10 (versions 1507, 1607, 1809, 21H2, 22H2)
- Microsoft Windows 11 (versions 22H2, 23H2, 24H2, 25H2)
- Microsoft Windows Server 2008 (SP2 and R2 SP1)
- Microsoft Windows Server 2012 (including R2)
- Microsoft Windows Server 2016, 2019, 2022, 2022 23H2, and 2025
Discovery Timeline
- October 14, 2025 - CVE-2025-24990 published to NVD
- November 18, 2025 - Last updated in NVD database
Technical Details for CVE-2025-24990
Vulnerability Analysis
The vulnerability resides in the Agere Modem driver (ltmdm64.sys), a third-party legacy driver that has been bundled with Windows operating systems for decades to support fax modem hardware. The security flaw stems from improper handling of memory pointers within the driver code, classified as an Untrusted Pointer Dereference (CWE-822).
When exploited, this vulnerability allows a local attacker who already has low-level access to the system to manipulate the driver's memory operations, ultimately achieving code execution with elevated privileges. The exploitation requires local access, meaning the attacker must have some form of initial foothold on the target system.
Microsoft's response to this vulnerability was to completely remove the vulnerable driver from the Windows operating system rather than attempt to patch the legacy code. This approach ensures complete elimination of the attack surface, though it means that fax modem hardware dependent on this specific driver will no longer function on Windows systems.
Root Cause
The root cause of CVE-2025-24990 lies in the ltmdm64.sys driver's failure to properly validate memory pointers before dereferencing them. This is categorized as CWE-822 (Untrusted Pointer Dereference), where the driver trusts input data that specifies memory addresses without adequate verification.
Legacy drivers like the Agere Modem driver often predate modern security practices and may lack proper input validation, bounds checking, and pointer verification mechanisms that are standard in contemporary driver development. The driver's privileged kernel-mode execution context means that any exploitation can result in complete system compromise.
Attack Vector
The attack vector for CVE-2025-24990 is local, requiring the attacker to have existing access to the target system. The exploitation scenario involves:
- An attacker gains initial access to the system with low-level privileges
- The attacker crafts malicious input to interact with the vulnerable ltmdm64.sys driver
- Through improper pointer handling, the attacker can manipulate kernel memory
- Successful exploitation results in elevation of privileges, potentially granting SYSTEM-level access
This vulnerability requires no user interaction and has low attack complexity, making it an attractive target for post-compromise privilege escalation. The presence of this vulnerability in the CISA KEV catalog confirms that threat actors are actively exploiting it in real-world attacks.
The vulnerability affects x64 Windows systems where the vulnerable driver is present, spanning from legacy Windows Server 2008 through the latest Windows 11 and Windows Server 2025 releases.
Detection Methods for CVE-2025-24990
Indicators of Compromise
- Presence of the vulnerable ltmdm64.sys driver file on the system
- Unusual driver loading events for the Agere Modem driver on systems without fax modem hardware
- Unexpected privilege escalation attempts from low-privileged user accounts
- Anomalous kernel-mode memory access patterns associated with the modem driver
Detection Strategies
- Deploy endpoint detection tools to monitor for the presence and loading of ltmdm64.sys
- Implement driver integrity monitoring to detect attempts to interact with vulnerable legacy drivers
- Monitor for suspicious local privilege escalation activity following the exploitation pattern
- Leverage SentinelOne's behavioral AI to detect post-exploitation activity consistent with privilege escalation attacks
Monitoring Recommendations
- Enable Windows Event Logging for driver loading events (Event ID 7045 and related)
- Configure security monitoring to alert on unexpected driver installations or modifications
- Implement file integrity monitoring for the Windows System32 drivers directory
- Review the CISA Known Exploited Vulnerabilities Catalog for updated threat intelligence
How to Mitigate CVE-2025-24990
Immediate Actions Required
- Apply the October cumulative update from Microsoft that removes the vulnerable driver
- Inventory all systems to identify those with the ltmdm64.sys driver present
- Identify and document any business dependencies on fax modem hardware
- Plan for migration away from fax modem hardware that relies on this specific driver
Patch Information
Microsoft has addressed this vulnerability by removing the ltmdm64.sys driver entirely from the Windows operating system in the October cumulative update. This permanent removal eliminates the attack surface but will render fax modem hardware dependent on this specific driver non-functional.
Organizations should apply the latest Windows cumulative updates through Windows Update, Windows Server Update Services (WSUS), or Microsoft Update Catalog. The Microsoft Security Response Center advisory provides detailed guidance on affected versions and update procedures.
Workarounds
- Remove or disable the ltmdm64.sys driver manually if immediate patching is not possible
- Block driver loading through Windows Defender Application Control (WDAC) policies
- Isolate systems with legacy fax modem dependencies until they can be updated or decommissioned
- Consider migrating to modern fax solutions that do not rely on legacy modem hardware
# Check for presence of vulnerable driver
dir C:\Windows\System32\drivers\ltmdm64.sys
# Verify driver is not loaded (PowerShell)
Get-WmiObject Win32_SystemDriver | Where-Object {$_.Name -eq "ltmdm64"}
# Block driver via WDAC policy (requires appropriate policy configuration)
# Consult Microsoft documentation for WDAC implementation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
