What is the Agere Modem Driver?
The Agere Systems legacy fax modem driver (ltmdm64.sys) has shipped with Windows since approximately 2006 — originally included for compatibility with Agere/Lucent Technologies softmodem hardware. The driver was never substantively updated after initial release. By 2025, virtually no modern Windows system uses actual Agere fax modem hardware, yet the kernel-mode driver remained loaded on every Windows installation. Because it is a kernel-mode driver (ring 0), any exploitable vulnerability in ltmdm64.sys provides immediate SYSTEM-level code execution. Microsoft's resolution was to remove the driver entirely rather than attempt to patch 19-year-old code.
Overview
CVE-2025-24990 is an untrusted pointer dereference vulnerability (CWE-822) in the Windows Agere Modem Driver (ltmdm64.sys). The driver accepts IOCTL (I/O Control) requests from user-mode processes and fails to validate pointer values embedded in those requests before dereferencing them in kernel mode. A locally authenticated low-privilege attacker can send crafted IOCTL requests to the driver, causing the kernel to dereference an attacker-controlled pointer and corrupt kernel memory — enabling privilege escalation to administrator/SYSTEM. Microsoft confirmed active exploitation in the October 2025 Patch Tuesday and chose to remediate by removing ltmdm64.sys from all supported Windows versions rather than patching the legacy code.
Affected Versions
| Product | Vulnerable | Fixed |
|---|---|---|
| Windows 10 (1607–22H2, ESU) | All builds with ltmdm64.sys | October 2025 cumulative update (driver removed) |
| Windows 11 (21H2–24H2, 25H2) | All builds with ltmdm64.sys | October 2025 cumulative update (driver removed) |
| Windows Server 2008 R2–2025 | All builds with ltmdm64.sys | October 2025 cumulative update (driver removed) |
The fix removes ltmdm64.sys entirely — no workaround or configuration change is needed; the driver has no legitimate use on modern systems.
Technical Details
The untrusted pointer dereference (CWE-822) occurs in ltmdm64.sys's IOCTL handling code. When a user-mode process sends an IOCTL request to the driver via DeviceIoControl, the driver's dispatch routine accepts pointer values embedded in the IOCTL input buffer and dereferences them in kernel mode without validation.
An attacker sends a crafted IOCTL with an arbitrary kernel address as the pointer value. The driver dereferences this pointer in ring 0, reading from or writing to the specified kernel address. By crafting the IOCTL to write controlled data to specific kernel memory locations (such as a process token's privilege mask), the attacker escalates from a standard user account to SYSTEM-level privileges.
Companion vulnerability: CVE-2025-24052 (stack-based buffer overflow in the same driver) was patched simultaneously.
Key characteristics:
- Driver present on all Windows installations regardless of whether fax modem hardware exists
- Low-privilege local account required (PR:L) — any standard user suffices
- No user interaction required (UI:N)
- Low attack complexity (AC:L) — IOCTL crafting is well-understood
- Microsoft chose driver removal over patching — 19-year-old code deemed unfixable in a security-sound manner
Discovery
Security researcher @shitsecure identified the vulnerability and noted it was "a driver from 2006, never changed." Microsoft Threat Intelligence confirmed active exploitation before the October 2025 Patch Tuesday.
Exploitation Context
Microsoft marked CVE-2025-24990 as actively exploited in the October 2025 Patch Tuesday advisory, with "Functional" exploit code maturity at time of disclosure. Attackers used the driver as a second-stage privilege escalation component — combining it with an initial access vulnerability to escalate from a low-privilege foothold to SYSTEM. October 2025 Patch Tuesday addressed 177 security issues total; three were flagged as actively exploited. No specific threat actor was publicly named.
The removal of a kernel-mode driver — rather than patching it — as the remediation approach is extremely rare in Microsoft's patch history, reflecting the assessment that the legacy code was not safely fixable.
Remediation
- Apply the October 2025 cumulative update for your Windows version. The CISA deadline was November 4, 2025. The update removes `ltmdm64.sys` automatically; no additional steps are required.
- Verify the driver is removed post-update: check that `C:\Windows\System32\drivers\ltmdm64.sys` no longer exists after the cumulative update is applied.
- No hardware dependency: no modern system requires `ltmdm64.sys` for any supported function. Removal has no functional impact.
- Audit for signs of exploitation: look for unexpected SYSTEM-privileged processes spawned from standard user processes before the patch date in the Windows Security event log (Event ID 4688, process creation).
- Apply all three actively exploited October 2025 Patch Tuesday fixes: CVE-2025-24990, CVE-2025-59230 (RasMan LPE), and any other zero-days in the October 2025 cumulative update.
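The verification and audit steps above, as an added PowerShell script that is not part of the original advisory. It assumes an elevated session on the host being checked and that process-creation auditing is already enabled; the field names, exclusion heuristics and patch date used are the example's own choices.

```powershell
# Post-update verification for CVE-2025-24990. Added here as an example; not from the advisory.
# Assumes an elevated PowerShell session on the host being checked and that process-creation
# auditing (Security log, Event ID 4688) is enabled; otherwise the last check returns nothing.
$driverPath = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'
$patchDate  = Get-Date '2025-10-14'   # October 2025 Patch Tuesday (the update removes the driver)

# 1. The remediation is removal, so the file must be gone once the update is applied and the host rebooted.
if (Test-Path -LiteralPath $driverPath) {
    Write-Warning "ltmdm64.sys is still present at $driverPath; update not applied or reboot pending."
} else {
    Write-Output "OK: $driverPath does not exist."
}

# 2. A driver service entry can outlive the file; flag any registration that still points at it.
$leftover = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like '*ltmdm64.sys*' }
foreach ($d in $leftover) {
    Write-Warning ("Driver service '{0}' still registered (state: {1}, start mode: {2})." -f $d.Name, $d.State, $d.StartMode)
}

# 3. Retro-hunt (triage heuristic, not proof): 4688 events before the patch date where the new
#    process runs as SYSTEM but was requested by an ordinary account or launched from a parent
#    outside System32. Legitimate service launchers will appear and need manual exclusion.
$filter = @{ LogName = 'Security'; Id = 4688; EndTime = $patchDate }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        Requester   = $data['SubjectUserName']    # account that asked for the process
        RunsAs      = $data['TargetUserName']     # account the new process runs as
        NewProcess  = $data['NewProcessName']
        Parent      = $data['ParentProcessName']  # populated on Windows 10 / Server 2016 and later
        CommandLine = $data['CommandLine']        # only populated when command-line auditing is on
    }
} | Where-Object {
    $_.RunsAs -eq 'SYSTEM' -and (
        ($_.Requester -notin @('SYSTEM', 'LOCAL SERVICE', 'NETWORK SERVICE') -and $_.Requester -notlike '*$') -or
        ($_.Parent -notlike "$env:SystemRoot\System32\*")
    )
} | Sort-Object Time | Format-Table -AutoSize
```

Hits from step 3 are leads for triage, not confirmation of compromise; compare the parent and command line against known service launchers before escalating.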
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2025-24990 |
| Vendor / Product | Microsoft — Windows |
| NVD Published | 2025-10-14 |
| NVD Last Modified | 2025-11-18 |
| CVSS 3.1 Score | 7.8 |
| CVSS 3.1 Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Severity | HIGH |
| CWE | CWE-822 |
| CISA KEV Added | 2025-10-14 |
| CISA KEV Deadline | 2025-11-04 |
| Known Ransomware Use | No |
Timeline
| Date | Event |
|---|---|
| 2025-10-14 | Patched in October 2025 Patch Tuesday; Microsoft removes ltmdm64.sys driver from all supported Windows; CISA adds to KEV |
| 2025-11-04 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Microsoft Security Response Center — CVE-2025-24990 | Vendor Advisory |
| NVD — CVE-2025-24990 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Windows Users Hacked Due to Legacy Fax Modem Driver | News |
| Windows Agere Modem Driver Zero-Day Exploited in the Wild | Security Research |