Critical Windows Driver Flaw Exploited in the Wild: Targets All Windows Versions

• No User Interaction Required – An attacker doesn’t need to trick employees into clicking malicious links or opening suspicious files. Once they have basic access to a system through any means, they can exploit this vulnerability silently in the background.

• Immediate Privilege Escalation – The vulnerability transforms a low-privileged user account into a full administrator account with SYSTEM-level rights. This is the highest level of access possible on a Windows machine, giving attackers complete control over the compromised computer.

• Universal Attack Surface – Because the vulnerable driver exists on every Windows installation by default, attackers know exactly where to find it and how to exploit it. There’s no guessing whether a particular system is vulnerable; if it’s running Windows and hasn’t been patched, it’s exploitable.

• Kernel-Mode Execution – The vulnerability allows attackers to run their malicious code at the deepest level of the operating system. This means they can disable security software, hide their activities from monitoring tools, install rootkits, steal sensitive data, or deploy ransomware with elevated permissions.

• Protection Bypass Capabilities – Advanced exploitation techniques allow attackers to disable critical Windows security features like Protected Process Light (PPL), which normally prevents even administrators from tampering with security-critical processes such as the Local Security Authority Subsystem Service (LSASS). By compromising LSASS, attackers can extract credentials for every user who has logged into the system.

Adding to the urgency, security researchers have also identified a companion vulnerability in the same driver tracked as CVE-2025-24052. This second flaw is a stack-based buffer overflow, and proof-of-concept exploit code has already been published publicly. While CVE-2025-24990 is confirmed to be exploited in active attacks, CVE-2025-24052 represents an imminent threat as cybercriminals can now easily weaponize the publicly available exploit code.

(Source: moiz-2x)

     Public Exploit Availability Increases Urgency

What separates CVE-2025-24990 from many other vulnerabilities is the rapid public disclosure of working exploit code following Microsoft’s patch release. Multiple security researchers, including moiz-2x who reported the bug to the Zero Day Initiative in September 2025, independently discovered variations of this vulnerability. These researchers have published detailed proof-of-concept exploits with full source code on GitHub, complete with technical documentation explaining exactly how the attacks work and demonstrating the vulnerability’s exploitation on live systems.

Key aspects of the public exploit disclosure:

• Multiple Working Exploits Available – At least four different proof-of-concept exploits have been published on GitHub with complete source code, technical writeups, and video demonstrations showing successful privilege escalation on various Windows versions.

• Detailed Technical Documentation – The public exploits include comprehensive explanations of the vulnerable IOCTL codes, memory manipulation techniques, and bypass methods for kernel address space layout randomization (ASLR), effectively providing a roadmap for would-be attackers.

• Advanced Exploitation Techniques Revealed – On Windows 11 22H2 and newer systems, the published exploits demonstrate how to leverage the ioring technique for more reliable and stable exploitation, requiring just two memory write operations to establish arbitrary read and write capabilities.

• BYOVD Attack Methods Documented – Since the vulnerable driver isn’t always loaded by default on newer systems, the public exploits demonstrate Bring Your Own Vulnerable Driver (BYOVD) techniques, showing attackers how to manually load the legitimately-signed Microsoft driver before exploitation.

• Protection Bypass Capabilities Exposed – The proof-of-concept code demonstrates how to disable critical Windows security features like Protected Process Light (PPL) on security-critical processes such as LSASS, enabling credential theft attacks that would normally be prevented.

• Script Kiddie Enablement – While the original zero-day exploitation may have been conducted by sophisticated threat actors, the public availability of working code with detailed instructions means that even less-skilled attackers can now integrate these exploits into their attack toolkits.

The existence of these public exploits dramatically lowers the barrier to entry for cybercriminals and significantly expands the pool of potential attackers who might target Houston businesses. This phenomenon transforms what was once a sophisticated nation-state level threat into something accessible to a much broader range of adversaries.

  Who’s Behind the Attack?

Microsoft’s Threat Intelligence team confirmed that CVE-2025-24990 has been actively exploited as a zero-day vulnerability, meaning attackers were using it before Microsoft even knew about the flaw. The vulnerability’s inclusion in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities catalog signals that federal agencies have observed significant exploitation activity in real-world attacks.

Characteristics of the threat actors and exploitation activity:

• Advanced Persistent Threat Groups – APT organizations often seek privilege escalation exploits like CVE-2025-24990 to maintain persistent access within targeted networks, using kernel-level access to disable security monitoring and establish long-term footholds in victim environments.

• EDR Evasion Focus – Security researcher Fabian Mosch, one of the individuals credited with discovering and reporting the vulnerability, suggested that it may have been exploited specifically for Endpoint Detection and Response (EDR) evasion, allowing sophisticated attackers to blind security monitoring tools that would otherwise detect their activities.

• Ransomware Operator Integration – Ransomware groups could integrate this exploit into their attack chains, using it to elevate privileges after initial compromise and before deploying file-encrypting payloads across entire networks with administrative permissions.

• Credential Theft Operations – Cybercriminal groups focused on data theft can exploit the vulnerability to access sensitive information stored on compromised systems, particularly by disabling PPL protections and extracting credentials from LSASS for every user who has logged into the system.

• Broadening Attacker Pool – With working exploit code now publicly available on GitHub, the threat landscape has expanded beyond sophisticated actors to include less-skilled cybercriminals who can simply download and adapt existing code rather than developing their own exploitation techniques.

• Local Access Requirement – The vulnerability requires that attackers first obtain local access to target systems through other means such as phishing emails, compromised credentials, or supply chain attacks, after which they can leverage CVE-2025-24990 to escalate privileges and move laterally throughout the network.

What makes this particularly concerning for Houston businesses is the exploit’s reliability once weaponized, combined with the fact that any low-privileged user who has local access can exploit the vulnerability silently without requiring any interaction from employees.

  Who’s At Risk?

The short answer is everyone running Windows. This vulnerability affects:

All Desktop Windows Versions:

• Windows 10 (all versions from 1507 through 22H2)
• Windows 11 (versions 22H2, 23H2, 24H2, and 25H2)

All Server Versions:

• Windows Server 2008 Service Pack 2
• Windows Server 2016 and 2019
• Windows Server 2022 (including 23H2 Edition)
• Windows Server 2025

The vulnerability exists regardless of whether fax modem hardware is installed or in use. Even if your organization has never owned a fax machine, the vulnerable driver is present and exploitable. This universal presence makes CVE-2025-24990 particularly dangerous for Houston businesses of all sizes, from small professional services firms running a handful of workstations to larger enterprises with extensive server infrastructures.

Small and medium-sized businesses face elevated risk because they often have limited IT security resources to rapidly deploy patches across their environments. Healthcare practices, legal firms, manufacturing facilities, energy sector companies, and retail operations throughout the Houston and Katy areas all rely heavily on Windows systems for daily operations. An attacker who gains initial access through a phishing email or compromised vendor connection can quickly exploit this vulnerability to gain complete control over business-critical systems.

The public availability of working exploit code means that this vulnerability is no longer limited to sophisticated nation-state actors or well-funded cybercrime syndicates. Any attacker with basic programming skills can now download, study, and potentially weaponize these exploits. This democratization of attack capabilities means that Houston businesses face threats from a much broader range of adversaries than they might have just a few weeks ago.

  Microsoft’s Unusual Response

Rather than issuing a traditional security patch that would fix the vulnerability in the Agere Modem driver, Microsoft took the highly unusual step of completely removing the ltmdm64.sys driver from Windows. The October 2025 cumulative security update permanently deletes this file from all systems that install the update, representing a decisive break from the company’s typical approach of repairing vulnerable code while maintaining backward compatibility.

Key elements of Microsoft’s removal strategy:

• Complete Driver Elimination – The October cumulative update doesn’t patch the vulnerability; it removes the entire ltmdm64.sys driver file from the Windows drivers directory, eliminating the attack surface rather than attempting to secure decades-old third-party code.

• Legacy Code Assessment – Microsoft determined that the driver represents outdated third-party code supporting hardware that has largely become obsolete, with the company deciding that investing resources in securing this legacy functionality made little sense when few organizations actually need it.

• Historical Vulnerability Context – Security researchers discovered that the ltmdm64.sys driver has contained vulnerabilities since at least Windows 7, with at least one previous bug report that apparently didn’t result in a fix, suggesting a pattern of security issues in this aging codebase.

• Universal Default Installation – The vulnerable driver shipped by default with every Windows installation regardless of whether fax modem hardware was present or in use, creating an unnecessary attack surface on millions of systems that had no legitimate need for the functionality.

• Third-Party Component Challenges – As a third-party Agere Systems component included in Windows, the driver presented unique challenges for Microsoft in terms of maintaining, securing, and supporting code that the company didn’t originally develop.

• Hardware Compatibility Impact – Organizations still using fax modem hardware that depends on the Agere driver will find that equipment stops functioning after applying the October updates, requiring migration to alternative fax solutions or modern communication methods.

Microsoft’s removal strategy reflects a pragmatic assessment that eliminating attack surface entirely is sometimes more effective than attempting to secure legacy code, particularly when that code serves no practical purpose for the vast majority of users. For the small number of organizations still relying on affected fax modem hardware, Microsoft strongly recommends removing dependencies and migrating to supported alternatives, as the security risk of leaving systems unpatched far outweighs the inconvenience of replacing outdated technology.

  Remediation Steps

Immediate Actions Required:

1. Deploy October 2025 Cumulative Updates – Apply Microsoft’s October 2025 security updates to all Windows workstations and servers as quickly as possible. This update removes the vulnerable ltmdm64.sys driver from your systems. Organizations with large Windows deployments should prioritize these patches over other routine updates given the active exploitation of this vulnerability and public availability of exploit code.

2. Inventory Fax Modem Dependencies – Before patching, identify any systems that still rely on fax modem hardware using the Agere driver. These systems will lose fax functionality after the update. Plan to replace this hardware with modern alternatives before or immediately after patching.

3. Verify Patch Deployment – After deploying updates, confirm that the ltmdm64.sys file has been removed from your systems. The file should no longer exist in the Windows drivers directory following successful patch installation. Check the path C:\Windows\System32\drivers\ to verify the driver is absent.

4. Monitor for Exploitation Indicators – Review Windows Event Logs for signs of unusual driver loading activity or unexpected privilege escalation events. Pay particular attention to logs from the period before patches were applied to identify potential compromises that may have occurred. Look for suspicious instances of EnumDeviceDrivers API calls, which attackers use to bypass kernel address space layout randomization (ASLR).

5. Assess LSASS Protection Status – If you suspect compromise may have occurred before patching, verify that PPL protections on critical processes like LSASS remain intact. Attackers who successfully exploited this vulnerability may have disabled these protections to facilitate credential theft.

Additional Security Measures:

• Implement Least Privilege Access – Review and restrict user account permissions across your environment. The vulnerability requires local access to exploit, so limiting administrative privileges reduces the potential impact of a successful attack. Consider implementing just-in-time administrative access rather than standing administrative permissions.

• Deploy Application Control – Use technologies like AppLocker or Windows Defender Application Control to restrict what code can execute on your systems. These tools can prevent unauthorized drivers from loading even if new vulnerabilities are discovered. Configure policies to block the loading of unsigned or legacy drivers unless explicitly authorized.

• Strengthen Endpoint Detection – Ensure that endpoint detection and response (EDR) solutions are deployed and actively monitoring for kernel-mode exploitation attempts and unusual privilege escalation activity. Configure EDR tools to alert on suspicious IOCTL activity and unexpected driver loading patterns.

• Disable Unnecessary Legacy Hardware Support – Review Group Policy settings to disable support for other legacy hardware components that may introduce similar security risks without providing business value. Create an inventory of drivers installed across your environment and remove those that aren’t actively needed.

• Implement Network Segmentation – While this vulnerability requires local access, proper network segmentation can limit an attacker’s ability to move laterally after initial compromise. Ensure that workstations cannot directly access critical servers, and implement controls that restrict which systems can communicate with domain controllers.

Given that CISA added this vulnerability to their Known Exploited Vulnerabilities catalog with a remediation deadline of November 4, 2025 for federal agencies, all organizations should treat this as a high-priority patching event. The active exploitation combined with the universal attack surface and public exploit availability makes this one of the most significant Windows vulnerabilities disclosed in 2025.

 How CinchOps Can Help

CinchOps specializes in helping Houston and Katy area businesses protect themselves from exactly these types of critical vulnerabilities. Our managed IT support services ensure that your Windows systems receive security patches promptly and reliably, eliminating the dangerous window of exposure that occurs between vulnerability disclosure and patch deployment.

Our comprehensive approach includes:

• Proactive Patch Management – We monitor Microsoft’s security advisories continuously and deploy critical updates like the October 2025 patches across your environment before attackers can exploit newly disclosed vulnerabilities. Our managed services provider team handles testing, scheduling, and verification to ensure patches apply successfully without disrupting business operations. We maintain detailed patch compliance reports and ensure no systems are left vulnerable.

• 24/7 Security Monitoring – Our cybersecurity team watches for indicators of compromise on your network, including the types of privilege escalation attempts that CVE-2025-24990 enables. Early detection means we can contain threats before they cause serious damage. We monitor for suspicious driver loading activity, unusual IOCTL calls, and other exploitation indicators that might signal active attacks.

• Vulnerability Assessment – Regular security assessments identify not just missing patches, but also misconfigurations and security gaps that attackers could exploit to gain the initial access needed to leverage privilege escalation vulnerabilities. We inventory installed drivers, identify legacy components that should be removed, and ensure your Windows systems maintain the smallest possible attack surface.

• Incident Response Planning – If a vulnerability is exploited before patches can be deployed, we help you respond quickly to contain the damage, identify affected systems, and restore normal operations with minimal business disruption. Our incident response protocols include credential rotation, forensic analysis, and comprehensive system validation to ensure attackers haven’t established persistent access.

• Strategic IT Support – Beyond just deploying patches, we help Houston businesses modernize their IT infrastructure, replacing outdated systems and legacy components that introduce unnecessary security risks, like the obsolete fax modem drivers at the heart of this vulnerability. We work with you to eliminate technical debt and implement security-first architecture.

• Advanced Threat Detection – Our network security solutions monitor for the specific attack patterns associated with CVE-2025-24990 exploitation, including attempts to load vulnerable drivers, suspicious privilege escalation activity, and efforts to disable Protected Process Light security features. We maintain threat intelligence feeds that keep us informed about the latest exploitation techniques and emerging threats.

With zero onboarding fees, zero long-term contracts, and zero cybersecurity upcharge, CinchOps provides enterprise-grade managed IT support and network security that’s accessible to small and medium-sized businesses throughout Houston and Katy. Don’t leave your systems vulnerable to the next critical Windows exploit. Contact CinchOps today for a comprehensive security assessment and let us help you build a resilient defense against evolving cyber threats.