CVE-2025-24990
ltmdm64.sys -- untrusted pointer dereference in a legacy Agere modem driver that ships with every Windows installation
Exploited in the Wild
Actively exploited zero-day. Microsoft removed the driver entirely rather than patching it.
Summary
| Field | Value |
|---|---|
| Driver | ltmdm64.sys (Agere Modem Driver) |
| Vulnerability Class | Untrusted Pointer Dereference |
| CVSS | 7.8 |
| Exploited ITW | Yes |
| Patch Date | October 14, 2025 |
Root Cause
There is something almost absurd about this vulnerability. Every Windows installation ships with a legacy fax modem driver from the Agere Systems era, a component designed for hardware that practically no one has used in over a decade. Yet ltmdm64.sys loads, creates a device object, and exposes IOCTL handlers to any local user.
The driver uses METHOD_NEITHER for its IOCTL dispatch, which means the I/O manager passes the user-supplied buffer pointers directly to the driver without any validation or buffering. The driver is then responsible for verifying that those pointers originate from user-mode address space. ltmdm64.sys performs no such verification. An attacker can pass kernel addresses directly to DeviceIoControl, and the driver will dereference them.
This is not a subtle bug requiring heap grooming or race conditions. It is a raw, unvalidated pointer dereference. The attacker tells the driver "read from this kernel address" or "write to this kernel address," and the driver obliges.
Microsoft's response was telling: rather than patching the driver, they removed it from Windows entirely in the October 2025 update. The driver was dead code with no legitimate use case on modern hardware, and fixing it was less practical than deleting it.
Exploitation
Multiple public proof-of-concept exploits demonstrate the practical impact of this bug:
PPL bypass via I/O Ring technique. The untrusted pointer dereference gives the attacker the ability to read and write arbitrary kernel memory. One PoC uses this to locate the _EPROCESS structure of lsass.exe and clear its PPL (Protected Process Light) flags. With PPL disabled, the attacker can dump credentials from LSASS using standard tools like Mimikatz.
PPL elevation. Another approach goes the other direction: instead of stripping PPL from a protected process, the attacker sets PPL on an attacker-controlled process (such as notepad.exe), giving it protected process capabilities that allow it to interact with other protected processes.
Both techniques leverage the same primitive: the driver's willingness to dereference any address the caller provides, without checking whether that address belongs to user-mode or kernel-mode memory.
Exploitation Primitive
DeviceIoControl with kernel address (METHOD_NEITHER, no validation)
--> driver dereferences attacker-supplied kernel pointer
--> arbitrary kernel read/write primitive
--> PPL manipulation or token corruption --> SYSTEM
Detection
Behavioral Indicators
- Loading of ltmdm64.sys on systems where no modem hardware is present
- DeviceIoControl calls to the Agere modem device from non-modem processes
- PPL status changes on lsass.exe or other protected processes
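The three indicators above, turned into detection logic over constructed telemetry. This is an added example, not part of the original advisory: the event schema is modelled loosely on Sysmon's driver-load event plus hypothetical EDR-style events for device handle opens and protection-level changes, the modem device object name is a placeholder, and the allowlist of legitimate modem clients is an assumption.

```python
MODEM_DRIVER = "ltmdm64.sys"
# Assumed device object name: a constructed placeholder, not the driver's real name.
MODEM_DEVICE = r"\\.\AGERE_MODEM_PLACEHOLDER"
# Assumed allowlist of processes that legitimately open a modem device on hosts that have one.
MODEM_CLIENTS = {r"c:\windows\system32\svchost.exe"}

# Constructed records. id 6 mirrors Sysmon's DriverLoad event; ids 98 and 99 are
# hypothetical EDR/ETW-style events for protection-level changes and device handle opens.
SAMPLE_EVENTS = [
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ltmdm64.sys"},
    {"id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ntfs.sys"},
    {"id": 99, "Image": r"C:\Users\bob\tools\poc.exe", "Device": r"\\.\AGERE_MODEM_PLACEHOLDER"},
    {"id": 99, "Image": r"C:\Windows\System32\svchost.exe", "Device": r"\\.\AGERE_MODEM_PLACEHOLDER"},
    {"id": 98, "Image": r"C:\Windows\System32\lsass.exe", "OldProtection": "PsProtectedSignerLsa-Light", "NewProtection": "None"},
    {"id": 98, "Image": r"C:\Windows\System32\notepad.exe", "OldProtection": "None", "NewProtection": "PsProtectedSignerWindows-Light"},
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events, modem_present: bool = False, modem_clients=MODEM_CLIENTS):
    """Return (rule, detail) tuples, one per behavioural indicator found in the events."""
    alerts = []
    for ev in events:
        kind = ev["id"]
        if kind == 6 and _basename(ev["ImageLoaded"]) == MODEM_DRIVER and not modem_present:
            # Indicator 1: legacy modem driver loaded on a host with no modem hardware.
            alerts.append(("modem_driver_loaded_without_hardware", ev["ImageLoaded"]))
        elif kind == 99 and ev["Device"].lower() == MODEM_DEVICE.lower():
            # Indicator 2: a handle to the modem device from a process that should never need one.
            if ev["Image"].lower() not in modem_clients:
                alerts.append(("modem_device_opened_by_unexpected_process", ev["Image"]))
        elif kind == 98 and ev["OldProtection"] != ev["NewProtection"]:
            # Indicator 3: protection level changed on a running process. Both directions matter:
            # stripping PPL from lsass.exe, or granting it to an attacker-controlled process.
            direction = "stripped" if ev["NewProtection"] == "None" else "granted"
            alerts.append((f"ppl_{direction}", _basename(ev["Image"])))
    return alerts


if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Pass `modem_present=True` on the few hosts that genuinely carry a modem so the driver-load rule stays quiet there while the device-access and PPL rules still fire.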
Broader Significance
CVE-2025-24990 is the clearest possible argument for auditing inbox drivers. A legacy modem driver, serving no purpose on modern systems, sat in every Windows installation for years with a trivial kernel read/write primitive accessible to any local user. The driver was not obscure: it was shipped by Microsoft as part of the base OS. The fix was not a code change but a deletion, acknowledging that the driver should never have been there in the first place. For anyone auditing Windows attack surface, the question becomes: how many other inbox drivers exist purely for backward compatibility and have never been reviewed against modern threat models?