CVE-2025-24990
📋 TL;DR
This CVE describes an elevation of privilege vulnerability in the Agere Modem driver (ltmdm64.sys) that ships with Windows. Attackers could exploit this to gain SYSTEM privileges on affected systems. Organizations using fax modem hardware dependent on this driver are affected.
💻 Affected Systems
- Microsoft Windows
📦 What is this software?
Windows 10 1507 by Microsoft
Windows 10 1607 by Microsoft
Windows 10 1809 by Microsoft
Windows 10 21H2 by Microsoft
Windows 10 22H2 by Microsoft
Windows 11 22H2 by Microsoft
Windows 11 23H2 by Microsoft
Windows 11 24H2 by Microsoft
Windows 11 25H2 by Microsoft
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with SYSTEM privileges leading to complete control over the affected Windows system, data theft, and lateral movement within the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install malware, or access restricted system resources.
If Mitigated
No impact if the driver has been removed via the October cumulative update or if fax modem hardware is not in use.
🎯 Exploit Status
CISA has added this to their Known Exploited Vulnerabilities catalog, confirming active exploitation. Exploitation requires local access to the system.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: October 2024 cumulative update
Vendor Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990
Restart Required: Yes
Instructions:
1. Install the October 2024 cumulative update for your Windows version.
2. The update removes the vulnerable ltmdm64.sys driver.
3. Restart the system to complete the installation.
🔧 Temporary Workarounds
Remove Agere Modem driver manually
Windows: Manually remove the vulnerable ltmdm64.sys driver if you cannot apply the patch immediately
sc stop ltmdm64
sc delete ltmdm64
del C:\Windows\System32\drivers\ltmdm64.sys
Disable fax services
Windows: Disable Windows fax services to reduce attack surface
sc config Fax start= disabled
sc stop Fax
🧯 If You Can't Patch
- Remove or disconnect fax modem hardware from affected systems
- Implement strict access controls to limit who can access systems with this hardware
🔍 How to Verify
Check if Vulnerable:
Check if ltmdm64.sys exists in C:\Windows\System32\drivers\ or if the Agere Modem driver is listed in Device Manager under Modems
Check Version:
wmic qfe get HotFixID,Description,InstalledOn
Verify Fix Applied:
Verify the October 2024 cumulative update is installed and ltmdm64.sys is no longer present in the drivers directory
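A read-only check that automates the manual verification steps above, as an added example that is not part of the original page or of any vendor tooling. It assumes the service name ltmdm64 and the driver path used in the page's workaround commands; the function name Test-AgereModemDriver is hypothetical.

```powershell
# Added example: read-only presence check for the Agere modem driver.
# Assumption: service name and path are those used in this page's workaround commands.
function Test-AgereModemDriver {
    [CmdletBinding()]
    param(
        [string]$ServiceName = 'ltmdm64',
        [string]$DriverPath  = (Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys')
    )

    # 1. Driver binary on disk
    $file = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue

    # 2. Service registration in the registry (remains if only the file was deleted)
    $svcKey     = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $registered = Test-Path -LiteralPath $svcKey

    # 3. Kernel driver as seen by the service control manager
    $drv = Get-CimInstance -ClassName Win32_SystemDriver `
               -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    # 4. PnP devices bound to the driver (the Device Manager "Modems" entry)
    $devices = @(Get-CimInstance -ClassName Win32_PnPEntity `
                     -Filter "Service='$ServiceName'" -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        FilePresent       = [bool]$file
        FileVersion       = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        ServiceRegistered = $registered
        DriverState       = if ($drv) { $drv.State } else { 'NotInstalled' }
        BoundDevices      = $devices.Name -join '; '
        # Any one of the three traces means the driver has not been fully removed
        DriverPresent     = ([bool]$file -or $registered -or [bool]$drv)
    }
}

Test-AgereModemDriver | Format-List
```

A host is clean only when DriverPresent is False; a True value with FilePresent False usually means the service entry was left behind after the file was deleted.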
📡 Detection & Monitoring
Log Indicators:
- Event ID 7045: Service installation for ltmdm64
- Unexpected SYSTEM privilege escalation events
- Driver loading events for ltmdm64.sys
Network Indicators:
- Unusual outbound connections from systems with fax modem hardware
SIEM Query:
(EventID=7045 AND ServiceName="ltmdm64") OR ProcessName="ltmdm64.sys"
🔗 References
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990
- https://www.vicarius.io/vsociety/posts/cve-2025-24990-detection-script-elevation-of-privilege-vulnerability-in-agere-modem-driver-affecting-windows
- https://www.vicarius.io/vsociety/posts/cve-2025-24990-mitigation-script-elevation-of-privilege-vulnerability-in-agere-modem-driver-affecting-windows
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24990