Fixing and finding
CVE ID: CVE-2025-24990

Published 2025-10-14
Updated 6 months ago
Vendor/s: Microsoft
Product/s: Windows
Version/s: * > 10.0.10240.21161
KEV Status: Active Exploitation
Listed in CISA's Known Exploited Vulnerabilities catalogue. Active exploitation observed in the wild.
CVSS Score (v3.1)
7.8 / 10 High
Severity Details
Base score: 7.8 High
Attack vector: Local
Attack complexity: Low
Privileges required: Low
User interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Description

CVE-2025-24990 is a high-severity vulnerability in the Windows Agere Modem driver. Learn about its impact, KEV status, and necessary remediation steps.

CPE

Microsoft
Product                   Version Start  Version End (excl.)  Status
windows_10_1507           *              10.0.10240.21161     vulnerable
windows_10_1607           *              10.0.14393.8519      vulnerable
windows_10_1809           *              10.0.17763.7919      vulnerable
windows_10_21h2           *              10.0.19044.6456      vulnerable
windows_10_22h2           *              10.0.19045.6456      vulnerable
windows_11_22h2           *              10.0.22621.6060      vulnerable
windows_11_23h2           *              10.0.22631.6060      vulnerable
windows_11_24h2           *              10.0.26100.6899      vulnerable
windows_11_25h2           *              10.0.26200.6899      vulnerable
windows_server_2008       -              -                    vulnerable
windows_server_2008       r2             r2                   vulnerable
windows_server_2012       -              -                    vulnerable
windows_server_2012       r2             r2                   vulnerable
windows_server_2016       *              10.0.14393.8519      vulnerable
windows_server_2019       *              10.0.17763.7919      vulnerable
windows_server_2022       *              10.0.20348.4294      vulnerable
windows_server_2022_23h2  *              10.0.25398.1913      vulnerable
windows_server_2025       *              10.0.26100.6899      vulnerable

Related weakness (CWE)

CWE-822

Remediation plan

1. Apply official patches

Install the October 2024 cumulative update or later for your specific Windows version. This update is designed to permanently remove the vulnerable ltmdm64.sys driver from the operating system to eliminate the attack surface.

2. Update affected systems

Verify that systems are running builds newer than the vulnerable versions, such as Windows 10 22H2 (build 10.0.19045.6456), Windows 11 23H2 (build 10.0.22631.6060), and Windows Server 2025 (build 10.0.26100.6899).

3. Restrict access

Given the local attack vector, enforce strict access controls and the principle of least privilege (PoLP). If patches cannot be applied immediately, manually disable or uninstall Agere Modem devices via Device Manager to prevent the driver from loading.

4. Monitor for exploitation

Use EDR and SIEM tools to monitor for unusual driver loading events or system crashes associated with ltmdm64.sys. Watch for unauthorized attempts to escalate privileges or unexpected kernel-mode activity originating from local user accounts.

Detection Guidance

Detection should focus on identifying the presence of the vulnerable driver file, ltmdm64.sys, typically located in the C:\Windows\System32\drivers directory. Security teams should use file integrity monitoring or vulnerability scanners to locate this file across the fleet. Additionally, monitor Windows Event Logs for System Error events or bugchecks (BSODs) that reference this specific driver, as these may indicate exploitation attempts or memory corruption associated with CWE-822.
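
A local check for the conditions described above, as an added example (not code from the original page or from Microsoft): it looks for ltmdm64.sys on disk and as a registered kernel driver, compares the running build against the "Version End (excl.)" values in the CPE table, and counts System log errors that mention the driver. The function name, the 30-day lookback and the output field names are assumptions made for this example.

```powershell
# Added example: local triage for CVE-2025-24990 (ltmdm64.sys).
# Revisions are the "Version End (excl.)" values from this page's table, keyed by
# build number; a revision below the listed value is in the vulnerable range.
$FixedRevision = @{
    10240 = 21161; 14393 = 8519; 17763 = 7919; 19044 = 6456; 19045 = 6456
    20348 = 4294;  22621 = 6060; 22631 = 6060; 25398 = 1913; 26100 = 6899
    26200 = 6899
}

function Test-AgereDriverExposure {   # hypothetical name, for this example only
    param(
        [string]$DriverPath = (Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'),
        [int]$LookbackDays = 30       # assumed event-log window
    )

    # Running build and update revision (UBR is absent on older releases -> 0).
    $cv       = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build    = [int]$cv.CurrentBuildNumber
    $revision = [int]$cv.UBR
    $belowFix = if ($FixedRevision.ContainsKey($build)) {
        $revision -lt $FixedRevision[$build]
    } else { $null }                  # build not in the table: decide manually

    # Driver binary on disk and any kernel driver service that points at it.
    $file = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue
    $svc  = Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ltmdm64.sys' } | Select-Object -First 1

    # Critical/Error events in the System log whose text mentions the driver.
    $filter = @{ LogName = 'System'; Level = 1, 2; StartTime = (Get-Date).AddDays(-$LookbackDays) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'ltmdm64' })

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        Build             = "$build.$revision"
        BelowFixedBuild   = $belowFix
        DriverFilePresent = [bool]$file
        DriverFileVersion = $file.VersionInfo.FileVersion
        DriverState       = $svc.State
        RelatedEvents     = $events.Count
    }
}

Test-AgereDriverExposure
```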

References

Sources

NIST National Vulnerability Database (NVD)
CISA Known Exploited Vulnerabilities (KEV)
