CVE-2025-24990

Microsoft · Microsoft Multiple Products

A high-severity vulnerability has been identified in a third-party modem driver that is included with Microsoft Windows operating systems.

Executive summary

A high-severity vulnerability has been identified in a third-party modem driver that is included with Microsoft Windows operating systems. This flaw is being actively exploited by attackers and could allow them to take control of affected systems, leading to data theft or further network compromise. Due to the active exploitation and inclusion in the CISA KEV catalog, immediate patching is critical to mitigate significant security risks.

Vulnerability

The vulnerability exists within the Agere Modem driver, a component shipped with supported versions of Microsoft Windows. The flaw is likely a memory corruption issue, such as a buffer overflow, which can be triggered when the driver processes specially crafted data sent to the modem interface. An attacker could exploit this vulnerability to execute arbitrary code with elevated (kernel-level) privileges, leading to a complete compromise of the underlying operating system.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Successful exploitation could grant an attacker full control over an affected workstation or server, bypassing standard security controls. The potential business impact is severe and includes unauthorized access to sensitive data, deployment of ransomware, system instability, and the use of the compromised machine as a pivot point for further attacks within the network. Its inclusion in the CISA KEV catalog confirms it presents a clear and present danger to the organization.

Remediation

Immediate Action: Apply the security updates released by Microsoft to all affected systems immediately. After patching, monitor systems for any signs of post-exploitation activity and review system and network access logs for anomalous behavior preceding the patch deployment.

Proactive Monitoring: Monitor for unusual driver behavior, such as unexpected crashes or restarts logged in the Windows Event Viewer. Network monitoring should focus on identifying anomalous traffic patterns associated with the modem interface. Endpoint Detection and Response (EDR) solutions should be configured to alert on suspicious processes originating from or interacting with the Agere Modem driver.

Compensating Controls: If immediate patching is not feasible, consider disabling the Agere modem device through the Windows Device Manager if it is not critical for business operations. Implement network segmentation to isolate potentially vulnerable systems and restrict their ability to communicate with critical assets, thus limiting the potential impact of a compromise.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the high severity of this vulnerability (CVSS 7.8) and its confirmed status as a known exploited vulnerability by CISA, we recommend immediate and urgent action. Organizations must prioritize the deployment of the vendor-supplied security patches to all affected endpoints before the CISA KEV deadline of November 3, 2025. Failure to remediate this vulnerability in a timely manner exposes the organization to a high likelihood of system compromise.

Look Back #1

A look back, with hindsight

Published 2026-05-21. Reviewed with sources that didn't exist at disclosure time.

Backstory

The ltmdm64.sys driver traces back to Lucent Microelectronics, the chip business spun out of AT&T's breakup that supplied the LT WinModem family of 56K controllerless modems shipped in millions of late-1990s consumer PCs. The WinModem concept — popularized alongside the 1997 AC'97 audio/modem codec standard — offloaded most signal-processing work to the host CPU and was the dial-up modem of choice for OEMs that wanted to skip a discrete DSP.

The ownership chain then moved through corporate history almost as a museum exhibit. Lucent's microelectronics group was incorporated as Agere Systems in August 2000, spun off in 2002, merged into LSI Corporation in April 2007, acquired by Avago Technologies in 2014, and rebadged as Broadcom shortly after. Through every one of those handoffs the kernel-mode driver kept its original Lucent-era code lineage, but no successor company retained an active product line around it.

Microsoft kept the driver in the in-box bundle as a compatibility convenience. Agere/LSI soft modems shipped on so many OEM systems that bundling the driver meant any dial-up or fax modem of that family would simply work after a Windows reinstall — a non-trivial detail for telephony, point-of-sale, and government users who continued operating analog modem hardware long after consumer dial-up faded. Microsoft only began publicly signaling broader cleanup of legacy drivers in June 2025, framed as a security hygiene effort.

Microsoft disclosed CVE-2025-24990 on October 14, 2025, alongside the already-public CVE-2025-24052 stack overflow in the same binary. Rather than patch third-party kernel code whose original vendor no longer exists in any maintaining form, Microsoft pulled the driver from the OS image in the October 2025 cumulative updates. The company followed the same pattern in January 2026 with KB5074109, removing agrsm64.sys, agrsm.sys, smserl64.sys, and smserial.sys, citing unresolved kernel-level vulnerabilities including CVE-2023-31096 in the Broadcom/LSI PCI-SV92EX driver. Two removals in three months mark this as a sustained policy shift, not a one-time exception.

Technical analysis (revisited)

NVD classifies the bug as CWE-822 — Untrusted Pointer Dereference, with CVSS v3.1 7.8 along the AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H vector. The attack primitive is straightforward: code running as a low-privileged local user reaches the driver's I/O interface, passes attacker-controlled data that the driver treats as a kernel pointer, and rides the resulting dereference into SYSTEM-privileged code execution.

The hindsight finding that matters most is not in the bug itself but in its reachability. Arctic Wolf, Tenable, and SOC Prime all noted independently that the vulnerable files are present on every supported Windows installation, not just systems with physical modem hardware. The driver ships in the image; the absence of a 56K modem does nothing to disable it. Any local-execution primitive — phished credential, drive-by browser exploit, malicious installer — pivots through this bug to kernel.

The researchers credited with the discovery, Fabian Mosch and Jordan Jay, have not published a full technical writeup. The only public tradecraft hint is Mosch's hypothesis, quoted in early reporting, that the driver "might have been exploited for EDR evasion." Useful EDR-evasion primitives in third-party in-box drivers are rare and valuable; the hypothesis is unconfirmed but consistent with the operational pattern of "exploited in the wild" without a named campaign. Public proof-of-concept code now exists; CVE Brief does not link it.

Lifecycle timeline

2025-01-30 — MITRE CVE-2025-24990 reserved
2025-10-14 — Microsoft MSRC advisory published (Windows Agere Modem Driver EoP, CVSS 7.8)
2025-10-14 — NVD entry published (CVSS v3.1 7.8 HIGH, CWE-822)
2025-10-14 — CISA KEV added (Microsoft Windows untrusted pointer dereference)
2025-10-14 — Patches released across all supported Windows versions: Win10 LTSB 1507 (KB5066837), Win10 1607 / Server 2016 (KB5066836), Win10 1809 / Server 2019 (KB5066586), Win10 21H2/22H2 (KB5066791), Win11 22H2/23H2 (KB5066793), Win11 24H2 / 25H2 / Server 2025 (KB5066835), Server 2022 (KB5066782), Server 23H2 (KB5066780), Server 2012 R2 (KB5066873), Server 2012 (KB5066875), Server 2008 R2 (KB5066876)
2025-10-14 — Tenable Nessus plugin 270371 published (KB5066835 detection coverage)
2025-11-04 — CISA KEV remediation deadline for federal agencies (21 days from KEV add)

Real-world outcome

Microsoft's advisory marked the bug as "Exploitation Detected" at release, which is the trigger for same-day KEV listing. Seven months later, no specific threat actor, malware family, or ransomware operator has been publicly tied to CVE-2025-24990 in primary sources. CISA's KEV record explicitly lists knownRansomwareCampaignUse as Unknown. Microsoft Threat Intelligence has not published a follow-up blog naming an operator, and Cisco Talos — which typically ships network detection content for prominent exploited bugs — did not issue a Snort signature, consistent with the bug being a local-only EoP that does not traverse the wire.

This is the more common outcome for "exploited at disclosure" Windows EoPs than the headline-grabbing alternative. Exploitation telemetry collected by endpoint vendors and Microsoft itself is rarely tied to a single CVE in public disclosure even when the affected vendor confirms in-the-wild use. The absence of public attribution is not evidence of absence — it is, more often, evidence that the exploit chain is one rung in a longer ladder used by operators who have no incentive to advertise it. Mosch's EDR-evasion hypothesis offers one plausible reason a kernel-EoP primitive in a forgotten third-party driver would be operationally valuable to threat groups that prefer not to be named.

Lessons

The lesson is not "patch faster." The October 2025 cumulative updates landed on every supported Windows version on disclosure day; organizations on a standard patch cadence got the fix before federal agencies even hit their KEV deadline. The lesson is upstream of patching: third-party kernel drivers retained in your default OS image past their hardware's relevant lifetime are inherited attack surface that pays no operational dividend. The Agere modem driver had no maintaining vendor after Lucent's spin-off chain dissolved into Broadcom in 2014, and Microsoft kept shipping it for another decade.

The defensive moves that follow:

Audit the default in-box driver set on your standard Windows images quarterly. The list is enumerable via pnputil /enum-drivers or by inspecting %SystemRoot%\System32\DriverStore. Drivers no system in your fleet has loaded in the last 12 months are candidates for removal at the image level.
Treat Microsoft's legacy-driver removal initiative as the policy direction it appears to be, not a one-off. October 2025 removed ltmdm64.sys; January 2026 removed four more legacy modem drivers. Expect more.
For unmaintained third-party kernel components your platform vendor still bundles, push the vendor to delete rather than retain. The Capcom.sys and Bandai Namco driver precedents establish that this is a legitimate response when no upstream maintainer exists.