CVE-2025-24990

HighCISA KEVActive Exploitation

Published: 14 October 2025

Published

14 October 2025

Modified

18 November 2025

KEV Added

14 October 2025

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0276 86.1th percentile

Risk Priority 37 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-24990 is a high-severity Untrusted Pointer Dereference (CWE-822) vulnerability in Microsoft Windows Server 2008. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked in the top 13.9% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Flaw remediation directly mitigates this vulnerability by applying the October cumulative update that removes the vulnerable ltmdm64.sys driver.

SI-5 Security Alerts, Advisories, and Directives good match

preventdetect

Monitoring security alerts and directives from MSRC and CISA KEV catalog ensures timely awareness and response to this actively exploited vulnerability.

RA-5 Vulnerability Monitoring and Scanning good match

detect

Vulnerability scanning detects the presence of the vulnerable ltmdm64.sys driver on systems prior to remediation.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

Why these techniques?

The vulnerability enables local low-privileged attackers to achieve privilege escalation via exploitation of the vulnerable driver (CWE-822), directly mapping to T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative…

update. Fax modem hardware dependent on this specific driver will no longer work on Windows. Microsoft recommends removing any existing dependencies on this hardware.

Deeper analysisAI

CVE-2025-24990 affects the third-party Agere Modem driver, specifically ltmdm64.sys, which ships natively with supported Windows operating systems. This vulnerability, associated with CWE-822 (Untrusted Pointer Dereference), has a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Microsoft has announced the removal of the driver due to these issues, with the driver already excised in the October cumulative update.

A local attacker with low privileges can exploit the vulnerability through low-complexity means requiring no user interaction. Exploitation enables high-impact consequences on confidentiality, integrity, and availability, facilitating elevation of privilege on affected Windows systems.

Microsoft advisories state that the ltmdm64.sys driver has been removed via the October cumulative update, rendering dependent fax modem hardware non-functional on Windows. The company recommends eliminating any existing dependencies on this hardware. Additional guidance includes detection and mitigation scripts from Vicarius, with the vulnerability documented on MSRC and listed in CISA's Known Exploited Vulnerabilities Catalog.

The presence in CISA's KEV catalog indicates active real-world exploitation.

Details

CWE(s): CWE-822
KEV Date Added: 14 October 2025

Affected Products

microsoft

windows 10 1507

≤ 10.0.10240.21161

microsoft

windows 10 1607

≤ 10.0.14393.8519

microsoft

windows 10 1809

≤ 10.0.17763.7919

microsoft

windows 10 21h2

≤ 10.0.19044.6456

microsoft

windows 10 22h2

≤ 10.0.19045.6456

microsoft

windows 11 22h2

≤ 10.0.22621.6060

microsoft

windows 11 23h2

≤ 10.0.22631.6060

microsoft

windows 11 24h2

≤ 10.0.26100.6899

microsoft

windows 11 25h2

≤ 10.0.26200.6899

microsoft

windows server 2008

all versions, r2

+6 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-59230Same product: Microsoft Windows 10 1507both on KEV

CVE-2025-21418Same product: Microsoft Windows 10 1607both on KEV

CVE-2025-21358Same product: Microsoft Windows 10 1507

CVE-2025-21391Same product: Microsoft Windows 10 1507both on KEV

CVE-2026-21533Same product: Microsoft Windows 10 1607both on KEV

CVE-2026-32077Same product: Microsoft Windows 10 1607

CVE-2026-27919Same product: Microsoft Windows 10 1607

CVE-2026-27920Same product: Microsoft Windows 10 1607

CVE-2026-21519Same product: Microsoft Windows 10 1607both on KEV

CVE-2025-24985Same product: Microsoft Windows 10 1507both on KEV

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24990
Vendor Advisory · secure@microsoft.com
https://www.vicarius.io/vsociety/posts/cve-2025-24990-detection-script-elevation-of-privilege-vulnerability-in-agere-modem-driver-affecting-windows
Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.vicarius.io/vsociety/posts/cve-2025-24990-mitigation-script-elevation-of-privilege-vulnerability-in-agere-modem-driver-affecting-windows
Mitigation, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-24990
US Government Resource · 134c704f-9b21-4f2e-91b3-4a467353bcc0