CVE-2025-24052 is a stack-based buffer overflow vulnerability classified under CWE-121 found in the Agere Modem driver (ltmdm64.sys) included in Windows 11 Version 25H2 (build 10.0.26200.0). This driver is responsible for interfacing with fax modem hardware. The vulnerability allows an attacker with local privileges to execute arbitrary code by exploiting a buffer overflow condition, which can lead to full compromise of the affected system’s confidentiality, integrity, and availability. The CVSS v3.1 score is 7.8 (high), with an attack vector of local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), and no user interaction (UI:N). The scope is unchanged (S:U), and the impact is high across confidentiality, integrity, and availability (C:H/I:H/A:H). Microsoft has addressed this vulnerability by removing the vulnerable ltmdm64.sys driver in the October cumulative update, which disables fax modem hardware dependent on this driver. The removal indicates that Microsoft is deprecating support for this legacy hardware due to security risks. No public exploits or active exploitation have been reported yet. Organizations using fax modems relying on this driver must plan for hardware replacement or alternative communication methods. The vulnerability was reserved in January 2025 and published in October 2025, indicating a relatively recent discovery and patch cycle.

The vulnerability poses a significant risk to organizations using Windows 11 Version 25H2 with fax modem hardware dependent on the Agere Modem driver. Exploitation can lead to arbitrary code execution with high impact on system confidentiality, integrity, and availability, potentially allowing attackers to gain control over affected systems. For European organizations, particularly those in sectors such as healthcare, legal, and government where fax communication remains in use, this vulnerability could disrupt critical communication infrastructure. The removal of the driver in the update disables fax modem functionality, potentially impacting business operations that rely on legacy fax hardware. Additionally, the need to remove dependencies on this hardware may require operational changes and investment in alternative technologies. Since exploitation requires local access and low privileges, insider threats or compromised local accounts represent the main attack vectors. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits post-disclosure.

1. Apply the October cumulative update for Windows 11 Version 25H2 immediately to remove the vulnerable ltmdm64.sys driver and mitigate the vulnerability. 2. Identify and inventory all systems using fax modem hardware dependent on the Agere Modem driver and plan for their replacement or decommissioning. 3. Transition to modern, secure communication methods that do not rely on legacy fax modems to avoid operational disruption. 4. Implement strict local access controls and monitor for suspicious local privilege escalation attempts to reduce the risk of exploitation. 5. Employ endpoint detection and response (EDR) solutions to detect anomalous behavior indicative of exploitation attempts. 6. Educate IT and security teams about the deprecation of this driver and the need to update operational procedures accordingly. 7. For organizations where fax modems are critical, consider network segmentation and additional hardening to isolate affected systems. 8. Maintain up-to-date backups and incident response plans to quickly recover from potential exploitation.