CVE-2025-24052

7.8 HIGH

📋 TL;DR

This CVE addresses vulnerabilities in the third-party Agere Modem driver (ltmdm64.sys) that ships with Windows. Exploitation could allow attackers to execute arbitrary code with kernel privileges. Only systems using fax modem hardware dependent on this specific driver are affected.

💻 Affected Systems

Products:
  • Microsoft Windows
Versions: All supported Windows versions with ltmdm64.sys driver present
Operating Systems: Windows 10, Windows 11, Windows Server 2016, Windows Server 2019, Windows Server 2022
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Agere modem hardware is installed and using ltmdm64.sys driver. Most modern systems do not have this hardware.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise via kernel-level arbitrary code execution leading to persistent backdoor installation, data theft, or ransomware deployment.

🟠 Likely Case: Local privilege escalation allowing attackers to gain SYSTEM privileges on compromised systems.

🟢 If Mitigated: Minimal impact if the driver is removed and no vulnerable hardware is present.

🌐 Internet-Facing: LOW - Requires local access or existing foothold on system.
🏢 Internal Only: MEDIUM - Internal attackers or malware with local execution could exploit this for privilege escalation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access to system. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: October 2024 cumulative update or later

Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24052

Restart Required: Yes

Instructions:

1. Install the October 2024 cumulative update via Windows Update.
2. Verify that ltmdm64.sys has been removed from the system.
3. Remove any Agere modem hardware if present.

🔧 Temporary Workarounds

Manual driver removal (Windows)

Remove the vulnerable driver from the system. Run these from an elevated command prompt; if the driver is currently loaded, the file deletion may only take effect after a reboot.

rem Remove the driver's service registration first, then the file itself
sc delete ltmdm64
del /f /q C:\Windows\System32\drivers\ltmdm64.sys

🧯 If You Can't Patch

  • Remove Agere modem hardware from all systems
  • Implement strict local privilege management and application control policies

🔍 How to Verify

Check if Vulnerable:

Check if ltmdm64.sys exists in C:\Windows\System32\drivers\

Check Version:

wmic qfe list | findstr "KB"

Verify Fix Applied:

Verify ltmdm64.sys is not present and October 2024 update is installed
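As an added example (not part of the advisory), the PowerShell check below combines the three verification steps above into one report: driver file on disk, driver service registration and load state, the file's Authenticode signer, and the most recent installed updates. It assumes the driver path and service name given on this page; the KB number to compare against is not stated here and must be taken from the MSRC advisory for your build.

```powershell
# Added example, not from the advisory. Run in an elevated PowerShell session.
function Test-LtmdmDriverExposure {
    [CmdletBinding()]
    param(
        # Path and service name as given in the advisory above.
        [string]$DriverPath  = "$env:SystemRoot\System32\drivers\ltmdm64.sys",
        [string]$ServiceName = 'ltmdm64'
    )

    $fileOnDisk = Test-Path -LiteralPath $DriverPath

    # Driver service registration under HKLM\SYSTEM\CurrentControlSet\Services;
    # State is 'Running' when the kernel driver is currently loaded.
    $svc = Get-CimInstance -ClassName Win32_SystemDriver `
        -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue
    $registered = $null -ne $svc
    $loaded     = $registered -and ($svc.State -eq 'Running')

    # Signer subject helps confirm this is the third-party Agere binary and not
    # an unrelated file that happens to share the name.
    $signer = $null
    if ($fileOnDisk) {
        $sig    = Get-AuthenticodeSignature -FilePath $DriverPath
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
    }

    # Most recent updates; compare HotFixID against the KB for your OS build
    # listed in the MSRC advisory (the KB number is not given on this page).
    $updates = Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 5 HotFixID, InstalledOn

    [pscustomobject]@{
        DriverFilePresent = $fileOnDisk
        DriverSigner      = $signer
        ServiceRegistered = $registered
        DriverLoaded      = $loaded
        StillExposed      = $fileOnDisk -or $registered
        RecentUpdates     = $updates
    }
}

Test-LtmdmDriverExposure | Format-List
```

StillExposed is true whenever either the file or the service registration remains, since a registered service can reload a driver that is later restored to disk.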

📡 Detection & Monitoring

Log Indicators:

  • Driver load events for ltmdm64.sys
  • Unexpected processes running with SYSTEM privileges shortly after a driver load

Network Indicators:

  • Unusual modem/fax communication from systems

SIEM Query:

(EventID=6 OR EventID=7) AND (DriverName="ltmdm64.sys" OR ImagePath="*ltmdm64*")

Sysmon Event ID 6 is a driver load and Event ID 7 an image load. The parentheses around the OR are required: without them AND binds tighter than OR and the query matches every Event ID 6 regardless of driver name.
