Microsoft has confirmed a security issue in the legacy Agere soft‑modem driver (the ltmdm64.sys component) and taken the unusual step of removing that third‑party driver from supported Windows releases—removal that appears in the October cumulative package and means affected fax/modem hardware that depends on this driver will no longer function on updated Windows systems.
The Agere (formerly Lucent/LSI) soft‑modem family and its associated Windows driver files such as ltmdm64.sys have a long history in consumer and OEM hardware dating back to the Windows Vista/7 era. Those drivers provided analog data and fax modem support on many OEM laptops and add‑in cards; however, they are legacy components rarely used by modern hardware. Third‑party security research and Microsoft’s advisory process have recently focused on vulnerabilities in older, unsigned, or unsupported drivers because kernel‑level flaws in drivers are high‑impact: they can permit local elevation of privilege or kernel compromise.
In this case, Microsoft’s security documentation lists a specific CVE identifier—CVE‑2025‑24052—related to the Agere modem driver and states the vendor is removing ltmdm64.sys from the OS package. According to Microsoft’s update guide entry, the driver has been removed in the October cumulative update and systems that rely on that driver (notably fax modems and certain analog modem devices) will stop working; administrators are advised to remove dependencies on that hardware. The company’s decision is a deprecation/removal action rather than a conventional patch that leaves functionality intact.
Because Microsoft moved to remove the driver rather than attempt a vendor patch or in‑place mitigation, this action has immediate operational implications for anyone still using Agere‑based modems.
Source: MSRC Security Update Guide - Microsoft Security Response Center
The Agere (formerly Lucent/LSI) soft‑modem family and its associated Windows driver files such as ltmdm64.sys have a long history in consumer and OEM hardware dating back to the Windows Vista/7 era. Those drivers provided analog data and fax modem support on many OEM laptops and add‑in cards; however, they are legacy components rarely used by modern hardware. Third‑party security research and Microsoft’s advisory process have recently focused on vulnerabilities in older, unsigned, or unsupported drivers because kernel‑level flaws in drivers are high‑impact: they can permit local elevation of privilege or kernel compromise. In this case, Microsoft’s security documentation lists a specific CVE identifier—CVE‑2025‑24052—related to the Agere modem driver and states the vendor is removing ltmdm64.sys from the OS package. According to Microsoft’s update guide entry, the driver has been removed in the October cumulative update and systems that rely on that driver (notably fax modems and certain analog modem devices) will stop working; administrators are advised to remove dependencies on that hardware. The company’s decision is a deprecation/removal action rather than a conventional patch that leaves functionality intact.
Because Microsoft moved to remove the driver rather than attempt a vendor patch or in‑place mitigation, this action has immediate operational implications for anyone still using Agere‑based modems.
What Microsoft actually did and why it matters
The removal action (what changed)
- Microsoft identified a security problem tied to the Agere modem driver and classified it under CVE‑2025‑24052. Security guidance notes the driver is being removed from supported Windows images.
- The removal was delivered through the October cumulative update for supported Windows releases; once the update is installed, ltmdm64.sys will no longer be provisioned by Windows Update nor available as an in‑box driver on updated systems.
Why Microsoft chose removal over repair
- Kernel‑mode drivers present a high‑risk attack surface due to their ability to run with elevated privileges; when a third‑party driver is discontinued by its original vendor or is so old that upstream remediation is impractical, Microsoft can remove the component to eliminate the attack vector proactively.
- Removing a legacy driver is a pragmatic risk‑reduction step: it closes the vulnerability permanently on updated systems but also withdraws support for dependent hardware—an unavoidable tradeoff when vendor fixes aren’t available or backward compatibility cannot be preserved safely.
Technical summary (what we can and cannot verify)
Confirmed facts
- The driver name in question is ltmdm64.sys (Agere Windows Modem driver), typically located in C:\Windows\System32\drivers on x64 Windows systems. This filename and path appear in multiple vendor/diagnostic references and third‑party driver lists.
- Microsoft’s published guidance states the driver has been removed via the October cumulative update and that fax modem hardware depending on that driver will not function.
Claims that require caution / are currently unverifiable in public feeds
- Detailed technical exploitability mechanics (for example, the exact vulnerability type, exploit vector, or a full public technical write‑up for CVE‑2025‑24052) are not always published in full by Microsoft at the time they update the Security Update Guide. Public exploit details—heap overflow, UAF, IOCTL misuse, or other kernel memory corruption types—may not be verifiable from Microsoft’s high‑level advisory alone, and third‑party coverage is sparse or inconsistent at the time of writing. Treat technical descriptors as vendor‑reported until independent technical analyses are published.
Immediate operational impact — who is affected
- Home users with no modem hardware: no real impact. Most modern systems no longer include analog modem hardware.
- Small businesses that rely on fax‑over‑modem devices connected to a PC: high impact. Fax clients that use a local Agere modem will stop functioning after the update.
- Enterprise environments with legacy telephony infrastructure: moderate to high impact where point‑of‑sale, fax‑back, or embedded systems rely on local modems.
- ISVs and system integrators who packaged products that included Agere soft‑modems: must test, document and provide alternative support paths.
Short‑term mitigations and recommended actions
Administrators and individual users must treat this as both a security and an operational change: the vulnerability is closed on updated systems because the driver is removed, but the removal will break hardware functionality. Follow these pragmatic steps.1) Identify affected systems now
- Search for the driver file on your fleet. PowerShell quick checks:
- To find the driver file on a system:
- Open PowerShell as Administrator.
- Run: Get‑ChildItem -Path C:\Windows\System32\drivers\ltmdm64.sys -ErrorAction SilentlyContinue
- To list installed modem devices and their drivers:
- Get‑PnpDevice -Class Modem | Select‑Object FriendlyName, InstanceId, DriverVersion
- Inventory fax servers, point‑of‑sale terminals, and any Windows images used in manufacturing or field devices for presence of Agere modem drivers. Centralized management tools (SCCM/Intune/MDM) can pull driver and device inventory reports.
2) Decide on update policy for affected systems
- If the machine’s modem is required and alternative connectivity is not available:
- Defer the specific October cumulative update in a controlled manner while you plan a migration; but understand that this deferral leaves the host potentially vulnerable to other patched CVEs included in that cumulative update.
- If the modem is non‑essential:
- Apply the October cumulative update to remove the risk and accept that the modem will cease to function.
3) Replace or remove hardware dependency
- Replace analog/fax modems with supported alternatives:
- Use network‑based fax gateways or cloud fax services (SaaS) to remove direct hardware dependency.
- Purchase USB or PCIe modem hardware explicitly supported by the current Windows release and actively maintained by the vendor (verify driver availability).
- For single‑function legacy devices, consider using a dedicated legacy machine that remains off patched networks and is air‑gapped as necessary—but this is a last‑resort and high‑risk approach, not recommended for production.
4) Update documentation & notify stakeholders
- Notify internal help desks, compliance teams, and affected business units of the removal action.
- Communicate a migration or decommissioning plan for fax workflows and provide a timeline to avoid service disruption.
5) Monitor for follow‑on advisories
- Microsoft sometimes follows a removal action with additional guidance or replacements for specific vendors; keep an eye on official vendor channels and Microsoft’s Security Update Guide for status changes. If Microsoft or the OEM later releases a signed, hardened version of the driver, treat it as a separate update with full testing before deployment.
Practical detection and remediation commands (for administrators)
- Find the driver file and its digital signature:
- Get‑AuthenticodeSignature C:\Windows\System32\drivers\ltmdm64.sys
- Query the loaded driver via SCM:
- sc query ltmdm64
- Enumerate modem class devices:
- Get‑PnpDevice -Class Modem | Format‑Table -AutoSize
- Remove driver package from a Windows image (for offline servicing):
- Use DISM to enumerate drivers: dism /Image:C:\offline /Get-Drivers
- Remove a driver: dism /Image:C:\offline /Remove-Driver /Driver
em*.inf - On endpoints where the hardware will be retired, uninstall device and driver from Device Manager or use pnputil:
- pnputil /delete‑driver oem*.inf /uninstall /force
Long‑term lessons and risk analysis
Strengths of Microsoft’s approach
- Security‑first: Removing an unpatched kernel component eliminates a high‑risk attack surface quickly and reliably for updated systems.
- Practicality: When the original driver vendor is no longer providing compatible updates, removal is often the only responsible action to prevent exploitation.
Risks and downsides
- Operational disruption: Organizations still using legacy fax/modem hardware suffer immediate capability loss.
- Support burden: IT teams must now manage exceptions, migrations, or maintain isolated legacy environments, increasing operational complexity.
- E‑waste and legacy hardware lifecycles: Removal incentivizes hardware replacement, which may have cost and logistical implications, particularly for long‑lived industrial equipment.
Strategic recommendations
- Treat legacy drivers as high‑priority inventory items. Maintain a living inventory of all third‑party kernel drivers and their vendor support status.
- Where business‑critical hardware depends on legacy drivers, plan migrations well in advance and prioritize transitions to network/cloud services that offer modern security postures.
- Use driver‑allowlist/denylist policies and modern endpoint management to control which drivers can be installed in your estate.
Why this matters beyond fax machines
Even though the Agere modem driver supports a seemingly niche function (analog fax/modem), this action is a useful case study in broader platform security management:- It highlights the tension between compatibility and security in a long‑lived ecosystem.
- It demonstrates that removal of risky legacy components — while disruptive — is sometimes the safest path.
- It reinforces the need for organizations to plan for hardware obsolescence and the migration of legacy workflows to modern service models.
Conclusion — recommended checklist
- Inventory: Search for ltmdm64.sys and Agere modem devices across your environment now.
- Triage: Classify systems by business criticality and decide update policy per group.
- Migrate: Plan replacement or cloud alternatives for any remaining fax/modem workflows.
- Communicate: Notify stakeholders and document timelines for decommissioning legacy hardware.
- Harden: Apply October cumulative updates (or later) after you’ve either mitigated or accepted hardware loss; do not keep systems unpatched long‑term as a way to preserve outdated hardware unless absolutely necessary and isolated.
- Monitor: Watch Microsoft’s Security Update Guide and OEM channels for any new guidance, signed drivers, or alternative remediation offers.
Source: MSRC Security Update Guide - Microsoft Security Response Center