CVE-2025-24990: CWE-822: Untrusted Pointer Dereference in Microsoft Windows 11 Version 25H2
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update. Fax modem hardware dependent on this specific driver will no longer work on Windows. Microsoft recommends removing any existing dependencies on this hardware.
AI Analysis
Technical Summary
CVE-2025-24990 is a vulnerability classified under CWE-822 (Untrusted Pointer Dereference) found in the Agere Modem driver (ltmdm64.sys) that ships natively with Windows 11 Version 25H2 (build 10.0.26200.0). This driver handles fax modem hardware communication. The flaw allows a local attacker with low privileges to dereference untrusted pointers, potentially leading to arbitrary code execution in kernel mode. This can compromise system confidentiality, integrity, and availability without requiring user interaction. Microsoft has addressed this by removing the vulnerable driver in the October 2025 cumulative update, effectively disabling fax modem hardware dependent on it. The vulnerability has a CVSS v3.1 score of 7.8 (high), reflecting its significant impact and ease of exploitation given local access and low privileges. No public exploits are known, but the vulnerability's nature suggests a high risk if exploited. The removal of the driver means organizations must remove or replace legacy fax modem hardware or risk losing functionality. This change also signals a shift away from legacy modem support in modern Windows environments.
Potential Impact
For European organizations, the impact is twofold. First, any systems using fax modem hardware reliant on the Agere Modem driver will lose fax functionality after applying the update, potentially disrupting business processes that depend on fax communications in sectors such as legal, healthcare, and government, where fax remains in use. Second, if the update is not applied, systems remain vulnerable to local privilege escalation attacks that could lead to full system compromise, data breaches, or ransomware deployment. The high severity and kernel-level code execution potential make this a critical risk for organizations with multi-user environments or shared workstations. The removal of the driver also forces modernization of legacy infrastructure, which may incur operational costs but ultimately improves security posture by eliminating vulnerable components.
Mitigation Recommendations
1. Immediately apply the October 2025 cumulative update from Microsoft to remove the vulnerable ltmdm64.sys driver.
2. Conduct an inventory of all systems to identify any that still use fax modem hardware dependent on the Agere Modem driver.
3. Plan and execute the removal or replacement of legacy fax modem hardware with modern alternatives, such as digital fax services or network-based fax solutions.
4. Restrict local access to systems where the update cannot be immediately applied to reduce exploitation risk.
5. Monitor system logs for any suspicious local activity that could indicate attempts to exploit this vulnerability.
6. Educate IT and security teams about the removal of this driver and the need to update operational procedures accordingly.
7. For critical environments where fax is essential, test alternative fax solutions before decommissioning legacy hardware to ensure business continuity.
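One way to run the inventory from recommendation 2 on a single Windows host, as an added example that is not Microsoft's or this page's own tooling. It assumes the driver binary sits in the standard `%SystemRoot%\System32\drivers` directory; the function name `Get-AgereDriverStatus` is hypothetical.

```powershell
# Added example: per-host check for the Agere modem driver named in the advisory.
# Assumption: the binary lives in the standard driver directory.
function Get-AgereDriverStatus {
    [CmdletBinding()]
    param(
        [string]$DriverFile = 'ltmdm64.sys'   # file name taken from the advisory
    )

    # 1. Is the driver binary still on disk (i.e. has the update removed it)?
    $path = Join-Path $env:SystemRoot "System32\drivers\$DriverFile"
    $file = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

    # 2. Is any kernel driver service registered against that binary?
    $services = @(Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -like "*$DriverFile" })

    # 3. Which modem-class devices are installed? These are the candidates
    #    that may stop working once the driver is gone.
    $modems = @(Get-CimInstance -ClassName Win32_PnPSignedDriver |
        Where-Object { $_.DeviceClass -eq 'MODEM' })

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DriverOnDisk   = [bool]$file
        FileVersion    = if ($file) { $file.VersionInfo.FileVersion } else { $null }
        DriverServices = ($services | ForEach-Object { "$($_.Name) [$($_.State)]" }) -join '; '
        ModemDevices   = ($modems | ForEach-Object { "$($_.DeviceName) ($($_.InfName))" }) -join '; '
        # Flag the host if the binary or a service referencing it is still present.
        NeedsAction    = [bool]$file -or ($services.Count -gt 0)
    }
}

Get-AgereDriverStatus | Format-List
```

Hosts where `NeedsAction` is true still carry the driver and have not had it removed by the update; hosts listing entries under `ModemDevices` are the ones to review for fax hardware dependencies before patching.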
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: microsoft
- Date Reserved: 2025-01-30T15:14:20.992Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68ee85823dd1bfb0b7e3e08c
Added to database: 10/14/2025, 5:16:50 PM
Last enriched: 1/2/2026, 10:19:03 PM
Last updated: 1/18/2026, 11:25:02 AM