CVE-2025-24052 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the third-party Agere Modem driver (ltmdm64.sys) that ships natively with Windows 11 Version 25H2 (build 10.0.26200.0). The vulnerability allows an attacker with local privileges to execute arbitrary code by exploiting improper handling of data on the stack, leading to potential corruption of memory and control flow hijacking. The vulnerability impacts confidentiality, integrity, and availability of affected systems. Microsoft has acknowledged this issue and addressed it by removing the vulnerable ltmdm64.sys driver in the October cumulative update, which disables fax modem hardware dependent on this driver. The removal means that affected hardware will no longer function on updated Windows 11 systems, and organizations must remove dependencies on this hardware to avoid operational disruptions. The CVSS v3.1 score of 7.8 reflects high severity, with attack vector local (AV:L), low attack complexity (AC:L), requiring low privileges (PR:L), no user interaction (UI:N), and partial scope (S:U). The exploitability is rated as probable (E:P), with official remediation (RL:O) and confirmed fix (RC:C). No known exploits have been reported in the wild as of the publication date. The vulnerability was reserved early in 2025 and published in October 2025, indicating a relatively recent discovery and patch cycle. The technical impact includes potential arbitrary code execution and system compromise via local access, emphasizing the need for patching and hardware transition.

For European organizations, the impact of CVE-2025-24052 is significant, especially for those relying on legacy fax modem hardware integrated with Windows 11 Version 25H2. The removal of the vulnerable driver disables this hardware, potentially disrupting business processes that depend on fax communications. The vulnerability itself poses a high risk of local privilege escalation and arbitrary code execution, threatening sensitive data confidentiality, system integrity, and availability. Insider threats or compromised local accounts could exploit this vulnerability to gain elevated control over systems. Critical infrastructure sectors, healthcare, legal, and financial institutions that still use fax modems for secure communications may face operational challenges and increased risk exposure. The absence of known exploits in the wild provides a window for proactive mitigation, but the high severity score demands urgent attention. Failure to update systems or transition hardware could lead to exploitation attempts, data breaches, or service outages.

1. Immediately apply the October cumulative update for Windows 11 Version 25H2 to remove the vulnerable ltmdm64.sys driver and mitigate the vulnerability. 2. Conduct an inventory of all fax modem hardware dependent on the Agere Modem driver and develop a plan to replace or phase out this hardware to prevent operational disruptions. 3. Restrict local administrative privileges and monitor for unusual local activity that could indicate exploitation attempts. 4. Implement endpoint detection and response (EDR) solutions to identify suspicious behavior related to buffer overflow exploitation. 5. Educate IT staff and users about the risks associated with legacy hardware and the importance of applying updates promptly. 6. For organizations that must maintain fax capabilities, consider transitioning to secure digital fax solutions that do not rely on vulnerable hardware or drivers. 7. Regularly audit systems for compliance with update policies and verify that no legacy drivers remain active post-update. 8. Establish incident response procedures specifically addressing potential local privilege escalation scenarios.