CVE-2025-24990
ltmdm64.sys — untrusted pointer dereference in the legacy Agere modem driver that ships with every Windows installation
Exploited in the Wild
Actively exploited zero-day. Microsoft removed the driver entirely rather than patching it.
Summary
| Field | Value |
|---|---|
| Driver | ltmdm64.sys (Agere Modem Driver) |
| Vulnerability Class | Untrusted Pointer Dereference |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | October 14, 2025 |
Root Cause
The Agere modem driver ships with every Windows installation despite being a legacy third-party component. Its IOCTL handlers use METHOD_NEITHER but never check whether the supplied address buffer originates from user-mode or kernel-mode. An attacker passes kernel addresses directly to DeviceIoControl, and the driver processes them without validation, giving an untrusted pointer dereference primitive.
Microsoft chose to remove ltmdm64.sys entirely from Windows in the October 2025 update rather than patching the driver.
Exploitation
Multiple public PoCs demonstrate exploitation:
- I/O Ring technique -- use the untrusted dereference to turn off PPL (Protected Process Light) on lsass.exe, enabling credential dumping
- PPL elevation -- set PPL on an attacker-controlled process (e.g., notepad.exe) to gain protected process capabilities
Exploitation Primitive
DeviceIoControl with kernel address (METHOD_NEITHER, no validation)
→ untrusted pointer dereference at arbitrary kernel address
→ PPL manipulation or kernel data corruption → SYSTEM
Detection
Behavioral Indicators
- Loading of ltmdm64.sys on systems where no modem hardware is present
- DeviceIoControl calls to the Agere modem device from non-modem processes
- PPL status changes on lsass.exe or other protected processes
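Detection logic for the three indicators above, as an added example that is not part of this advisory: it runs over constructed telemetry records in an assumed normalised schema (the field names, the `modem_hw` flag and the `modemdiag.exe` allowlist entry are placeholders, not real Sysmon or EDR fields).

```python
import ntpath  # handles Windows paths regardless of the host OS

DRIVER_NAME = "ltmdm64.sys"
# Processes expected to open the modem device on a given fleet (placeholder allowlist).
MODEM_PROCESSES = {"modemdiag.exe"}
# Processes that must keep their PPL level; losing it is the I/O Ring PoC outcome.
PROTECTED_TARGETS = {"lsass.exe"}

# Constructed sample telemetry in an assumed normalised schema (not real log output).
SAMPLE_EVENTS = [
    {"host": "WS01", "event": "driver_load", "image": r"C:\Windows\System32\drivers\ltmdm64.sys", "modem_hw": False},
    {"host": "WS02", "event": "driver_load", "image": r"C:\Windows\System32\drivers\ltmdm64.sys", "modem_hw": True},
    {"host": "WS01", "event": "device_open", "driver": "ltmdm64.sys", "process": "updater.exe"},
    {"host": "WS02", "event": "device_open", "driver": "ltmdm64.sys", "process": "modemdiag.exe"},
    {"host": "WS01", "event": "protection_change", "target": "lsass.exe", "old": "PPL", "new": "none"},
    {"host": "WS01", "event": "protection_change", "target": "notepad.exe", "old": "none", "new": "PPL"},
]


def classify(ev, modem_procs=MODEM_PROCESSES):
    """Return an indicator label for one event, or None when it looks benign."""
    kind = ev["event"]
    if kind == "driver_load":
        # The driver is only expected where a modem is actually present.
        if ntpath.basename(ev["image"]).lower() == DRIVER_NAME and not ev["modem_hw"]:
            return "ltmdm64.sys loaded on host without modem hardware"
    elif kind == "device_open":
        # Any process outside the allowlist talking to the modem device is suspect.
        if ev["driver"].lower() == DRIVER_NAME and ev["process"].lower() not in modem_procs:
            return f"{ev['process']} opened the Agere modem device"
    elif kind == "protection_change":
        target = ev["target"].lower()
        if target in PROTECTED_TARGETS and ev["new"] != "PPL":
            return f"PPL removed from {ev['target']}"
        if target not in PROTECTED_TARGETS and ev["new"] == "PPL":
            return f"PPL set on {ev['target']}"
    return None


def find_indicators(events, modem_procs=MODEM_PROCESSES):
    """Return (host, indicator) pairs for every event that matches an indicator."""
    hits = []
    for ev in events:
        label = classify(ev, modem_procs)
        if label:
            hits.append((ev["host"], label))
    return hits


if __name__ == "__main__":
    for host, label in find_indicators(SAMPLE_EVENTS):
        print(f"{host}: {label}")
```

On the sample data this flags four events, all on WS01; the driver load on WS02 and the allowlisted modem process are left alone.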