Full Report
Microsoft has disclosed two critical zero-day vulnerabilities in the Agere Modem driver bundled with Windows operating systems, confirming active exploitation to escalate privileges. The flaws, tracked as CVE-2025-24990 and CVE-2025-24052, affect the ltmdm64.sys driver and could allow low-privileged attackers to gain full administrator access. These issues were patched in the October 2025 cumulative update, but […] The post Windows Agere Modem Driver 0-Day Vulnerabilities Actively Exploited To Escalate Privileges appeared first on Cyber Security News.
Analysis Summary
# Vulnerability: Active Exploitation of Windows Agere Modem Driver for Privilege Escalation
## CVE Details
- CVE ID: CVE-2025-24990, CVE-2025-24052
- CVSS Score: 7.8 (Important)
- CWE: CWE-822 (Untrusted Pointer Dereference for CVE-2025-24990), CWE-121 (Stack-based Buffer Overflow for CVE-2025-24052)
## Affected Systems
- Products: Microsoft Windows operating systems (via the Agere Modem driver component, `ltmdm64.sys`)
- Versions: All supported Windows versions (from Windows 10 onward)
- Configurations: Affects systems even if fax modem hardware is not actively in use.
## Vulnerability Description
Two distinct zero-day vulnerabilities exist in the `ltmdm64.sys` driver bundled with Windows.
1. **CVE-2025-24990 (CWE-822):** An untrusted pointer dereference flaw allows a local, low-privileged attacker to manipulate memory, potentially bypassing security boundaries and escalating privileges to SYSTEM level.
2. **CVE-2025-24052 (CWE-121):** A stack-based buffer overflow flaw in modem emulation routines allows an attacker to corrupt the stack, leading to privilege escalation to SYSTEM level.
Both flaws allow an attacker who already has an initial foothold on the system to escalate privileges to full administrator/SYSTEM access.
## Exploitation
- Status: CVE-2025-24990 is **Actively Exploited** (functional PoC exists). CVE-2025-24052 has **Proof-of-Concept Available**.
- Complexity: Low (Requires only local access).
- Attack Vector: Local
## Impact
- Confidentiality: High
- Integrity: High
- Availability: High
## Remediation
### Patches
- Both vulnerabilities were patched by Microsoft in the **October 2025 cumulative update**.
### Workarounds
- The vendor warns that **affected fax modem hardware will cease functioning** once the patch that fixes these issues is applied. No specific interim workarounds short of patching were detailed, which implies that removing or disabling the modem hardware might be a temporary measure if patching is delayed, though this carries a functional risk.
## Detection
- **Indicators of Compromise (IoCs):** No specific IoCs related to the payload structure were detailed.
- **Detection methods and tools:** Microsoft urges organizations to scan for the presence of the vulnerable driver file: `ltmdm64.sys`. Exploits target driver loading during system boot or service calls.
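
One way to run the file scan described above is the following PowerShell inventory. It is an added example, not code from Microsoft or the original report. The function name and the two search directories are assumptions (standard Windows driver locations), since the report gives only the file name `ltmdm64.sys`.

```powershell
# Added example: inventory copies of ltmdm64.sys and any kernel driver
# service that references it. Function name is hypothetical.
# Assumption: the search roots are the standard Windows driver locations;
# the report itself names only the file.
function Find-AgereModemDriver {
    [CmdletBinding()]
    param(
        [string]$DriverName = 'ltmdm64.sys',
        [string[]]$SearchRoot = @(
            (Join-Path $env:SystemRoot 'System32\drivers'),
            (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
        )
    )

    # Driver services whose image path ends with the file name,
    # whether or not they are currently running.
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverName" })
    $serviceSummary = ($services | ForEach-Object {
        '{0} (State={1}, StartMode={2})' -f $_.Name, $_.State, $_.StartMode
    }) -join '; '

    foreach ($root in $SearchRoot) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Filter $DriverName -File -Recurse `
                      -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    ComputerName  = $env:COMPUTERNAME
                    Path          = $_.FullName
                    FileVersion   = $_.VersionInfo.FileVersion
                    LastWriteTime = $_.LastWriteTime
                    Sha256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                    Signature     = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
                    DriverService = $serviceSummary
                }
            }
    }
}

# One record per copy found; no output means no copy in the searched locations.
Find-AgereModemDriver | Format-List
```

Run it from an elevated session so the driver store is readable. A host that still returns a record after the October 2025 cumulative update is installed is worth checking against the patch state reported for that machine.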
## References
- [Vendor advisory for CVE-2025-24990](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24990)
- [Vendor advisory for CVE-2025-24052](https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-24052)