Microsoft Removes Agere Modem Driver ltmdm64.sys in October Update

Microsoft has confirmed a security issue in the legacy Agere soft‑modem driver (the ltmdm64.sys component) and taken the unusual step of removing that third‑party driver from supported Windows releases—removal that appears in the October cumulative package and means affected fax/modem hardware that depends on this driver will no longer function on updated Windows systems.

Background / Overview

The Agere (formerly Lucent/LSI) soft‑modem family and its associated Windows driver files such as ltmdm64.sys have a long history in consumer and OEM hardware dating back to the Windows Vista/7 era. Those drivers provided analog data and fax modem support on many OEM laptops and add‑in cards; however, they are legacy components rarely used by modern hardware. Third‑party security research and Microsoft’s advisory process have recently focused on vulnerabilities in older, unsigned, or unsupported drivers because kernel‑level flaws in drivers are high‑impact: they can permit local elevation of privilege or kernel compromise.
In this case, Microsoft’s security documentation lists a specific CVE identifier—CVE‑2025‑24052—related to the Agere modem driver and states the vendor is removing ltmdm64.sys from the OS package. According to Microsoft’s update guide entry, the driver has been removed in the October cumulative update and systems that rely on that driver (notably fax modems and certain analog modem devices) will stop working; administrators are advised to remove dependencies on that hardware. The company’s decision is a deprecation/removal action rather than a conventional patch that leaves functionality intact.
Because Microsoft moved to remove the driver rather than attempt a vendor patch or in‑place mitigation, this action has immediate operational implications for anyone still using Agere‑based modems.

What Microsoft actually did and why it matters​

The removal action (what changed)​

  • Microsoft identified a security problem tied to the Agere modem driver and classified it under CVE‑2025‑24052. Security guidance notes the driver is being removed from supported Windows images.
  • The removal was delivered through the October cumulative update for supported Windows releases; once the update is installed, ltmdm64.sys will no longer be provisioned by Windows Update nor available as an in‑box driver on updated systems.

Why Microsoft chose removal over repair​

  • Kernel‑mode drivers present a high‑risk attack surface due to their ability to run with elevated privileges; when a third‑party driver is discontinued by its original vendor or is so old that upstream remediation is impractical, Microsoft can remove the component to eliminate the attack vector proactively.
  • Removing a legacy driver is a pragmatic risk‑reduction step: it closes the vulnerability permanently on updated systems but also withdraws support for dependent hardware—an unavoidable tradeoff when vendor fixes aren’t available or backward compatibility cannot be preserved safely.

Technical summary (what we can and cannot verify)​

Confirmed facts​

  • The driver name in question is ltmdm64.sys (Agere Windows Modem driver), typically located in C:\Windows\System32\drivers on x64 Windows systems. This filename and path appear in multiple vendor/diagnostic references and third‑party driver lists.
  • Microsoft’s published guidance states the driver has been removed via the October cumulative update and that fax modem hardware depending on that driver will not function.

Claims that require caution / are currently unverifiable in public feeds​

  • Detailed technical exploitability mechanics (for example, the exact vulnerability type, exploit vector, or a full public technical write‑up for CVE‑2025‑24052) are not always published in full by Microsoft at the time they update the Security Update Guide. Public exploit details—heap overflow, UAF, IOCTL misuse, or other kernel memory corruption types—may not be verifiable from Microsoft’s high‑level advisory alone, and third‑party coverage is sparse or inconsistent at the time of writing. Treat technical descriptors as vendor‑reported until independent technical analyses are published.
Because Microsoft decided to remove the driver outright, you can reasonably infer they judged remediation or issuing a safe updated driver impractical; that judgement often follows when the original vendor codebase is obsolete, signature chains are broken, or the driver’s architecture is incompatible with modern kernel mitigations.

Immediate operational impact — who is affected​

  • Home users with no modem hardware: no real impact. Most modern systems no longer include analog modem hardware.
  • Small businesses that rely on fax‑over‑modem devices connected to a PC: high impact. Fax clients that use a local Agere modem will stop functioning after the update.
  • Enterprise environments with legacy telephony infrastructure: moderate to high impact where point‑of‑sale, fax‑back, or embedded systems rely on local modems.
  • ISVs and system integrators who packaged products that included Agere soft‑modems: must test, document and provide alternative support paths.
Note: replacement options exist (see recommendations below), but they require planning—particularly for regulated workflows where faxing remains part of legal or business processes.

Short‑term mitigations and recommended actions​

Administrators and individual users must treat this as both a security and an operational change: the vulnerability is closed on updated systems because the driver is removed, but the removal will break hardware functionality. Follow these pragmatic steps.

1) Identify affected systems now​

  • Search for the driver file on your fleet. PowerShell quick checks:
    • To find the driver file on a system:
      • Open PowerShell as Administrator.
      • Run: Get-ChildItem -Path C:\Windows\System32\drivers\ltmdm64.sys -ErrorAction SilentlyContinue
    • To list installed modem devices and their drivers (Get-PnpDevice objects do not carry a DriverVersion property, so query the signed-driver class instead):
      • Get-CimInstance Win32_PnPSignedDriver -Filter "DeviceClass='MODEM'" | Select-Object DeviceName, DeviceID, DriverVersion, InfName
  • Inventory fax servers, point‑of‑sale terminals, and any Windows images used in manufacturing or field devices for presence of Agere modem drivers. Centralized management tools (SCCM/Intune/MDM) can pull driver and device inventory reports.

2) Decide on update policy for affected systems​

  • If the machine’s modem is required and alternative connectivity is not available:
  • Defer the specific October cumulative update in a controlled manner while you plan a migration; but understand that this deferral leaves the host potentially vulnerable to other patched CVEs included in that cumulative update.
  • If the modem is non‑essential:
  • Apply the October cumulative update to remove the risk and accept that the modem will cease to function.

3) Replace or remove hardware dependency​

  • Replace analog/fax modems with supported alternatives:
  • Use network‑based fax gateways or cloud fax services (SaaS) to remove direct hardware dependency.
  • Purchase USB or PCIe modem hardware explicitly supported by the current Windows release and actively maintained by the vendor (verify driver availability).
  • For single‑function legacy devices, consider using a dedicated legacy machine that remains off patched networks and is air‑gapped as necessary—but this is a last‑resort and high‑risk approach, not recommended for production.

4) Update documentation & notify stakeholders​

  • Notify internal help desks, compliance teams, and affected business units of the removal action.
  • Communicate a migration or decommissioning plan for fax workflows and provide a timeline to avoid service disruption.

5) Monitor for follow‑on advisories​

  • Microsoft sometimes follows a removal action with additional guidance or replacements for specific vendors; keep an eye on official vendor channels and Microsoft’s Security Update Guide for status changes. If Microsoft or the OEM later releases a signed, hardened version of the driver, treat it as a separate update with full testing before deployment.
Evidence that vendors and game‑anti‑cheat lists reference ltmdm64.sys and note its path reinforces that the file is a well‑known legacy driver name that Windows components and third‑party software have historically checked.

Practical detection and remediation commands (for administrators)​

  • Find the driver file and its digital signature:
    • Get-AuthenticodeSignature C:\Windows\System32\drivers\ltmdm64.sys
  • Query the driver's service state via SCM:
    • sc.exe query ltmdm64 (in Windows PowerShell, a bare sc is an alias for Set-Content, so call sc.exe explicitly)
  • Enumerate modem class devices:
    • Get-PnpDevice -Class Modem | Format-Table -AutoSize
  • Remove driver package from a Windows image (for offline servicing):
    • Use DISM to enumerate drivers: dism /Image:C:\offline /Get-Drivers
    • Remove a driver: dism /Image:C:\offline /Remove-Driver /Driver:oem<N>.inf (where oem<N>.inf is the published name that /Get-Drivers lists for the modem package)
  • On endpoints where the hardware will be retired, uninstall device and driver from Device Manager or use pnputil:
    • pnputil /delete-driver oem<N>.inf /uninstall /force (where oem<N>.inf is the published name shown by pnputil /enum-drivers)
Always test removal or replacement in a lab or pilot group before broad roll‑out.
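
The individual checks from "Identify affected systems now" and the commands above can be combined into one record per host for fleet reporting. The following is an added example, not part of the original post: the function name Get-AgereModemExposure is hypothetical, and the service name ltmdm64 is assumed from the sc query command above.

```powershell
# Added example (not from the original post): one inventory record per host.
# Assumptions: the service name 'ltmdm64' is taken from the page's
# "sc query ltmdm64" command; Get-AgereModemExposure is a hypothetical name.
function Get-AgereModemExposure {
    [CmdletBinding()]
    param(
        [string]$DriverPath  = (Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'),
        [string]$ServiceName = 'ltmdm64'
    )

    # 1. Is the binary on disk, and what does its Authenticode signature say?
    $file = Get-Item -LiteralPath $DriverPath -ErrorAction SilentlyContinue
    $sig  = if ($file) { Get-AuthenticodeSignature -FilePath $file.FullName }

    # 2. Is a kernel driver service registered for it, and is it running?
    $svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue

    # 3. Which devices are bound to that service (these stop working after removal)?
    $bound = @(Get-CimInstance -ClassName Win32_PnPEntity -Filter "Service='$ServiceName'" -ErrorAction SilentlyContinue)

    # 4. All modem-class driver packages, with the INF name needed for pnputil/DISM.
    $modems = @(Get-CimInstance -ClassName Win32_PnPSignedDriver -Filter "DeviceClass='MODEM'" -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        DriverPresent   = [bool]$file
        FileVersion     = if ($file) { $file.VersionInfo.FileVersion }
        SignatureStatus = if ($sig)  { [string]$sig.Status }
        Signer          = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject }
        ServiceState    = if ($svc)  { $svc.State } else { 'NotRegistered' }
        StartMode       = if ($svc)  { $svc.StartMode }
        BoundDevices    = ($bound.Name -join '; ')
        ModemPackages   = (($modems | ForEach-Object { '{0} [{1} v{2}]' -f $_.DeviceName, $_.InfName, $_.DriverVersion }) -join '; ')
        # Flag the host if any trace of the driver or a dependent device exists.
        NeedsReview     = ([bool]$file -or [bool]$svc -or ($bound.Count -gt 0))
    }
}

Get-AgereModemExposure | Format-List
```

Hosts where NeedsReview is True but BoundDevices is empty carry the driver without hardware that uses it, so they can take the update without losing modem functionality.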

Long‑term lessons and risk analysis​

Strengths of Microsoft’s approach​

  • Security‑first: Removing an unpatched kernel component eliminates a high‑risk attack surface quickly and reliably for updated systems.
  • Practicality: When the original driver vendor is no longer providing compatible updates, removal is often the only responsible action to prevent exploitation.

Risks and downsides​

  • Operational disruption: Organizations still using legacy fax/modem hardware suffer immediate capability loss.
  • Support burden: IT teams must now manage exceptions, migrations, or maintain isolated legacy environments, increasing operational complexity.
  • E‑waste and legacy hardware lifecycles: Removal incentivizes hardware replacement, which may have cost and logistical implications, particularly for long‑lived industrial equipment.

Strategic recommendations​

  • Treat legacy drivers as high‑priority inventory items. Maintain a living inventory of all third‑party kernel drivers and their vendor support status.
  • Where business‑critical hardware depends on legacy drivers, plan migrations well in advance and prioritize transitions to network/cloud services that offer modern security postures.
  • Use driver‑allowlist/denylist policies and modern endpoint management to control which drivers can be installed in your estate.

Why this matters beyond fax machines​

Even though the Agere modem driver supports a seemingly niche function (analog fax/modem), this action is a useful case study in broader platform security management:
  • It highlights the tension between compatibility and security in a long‑lived ecosystem.
  • It demonstrates that removal of risky legacy components — while disruptive — is sometimes the safest path.
  • It reinforces the need for organizations to plan for hardware obsolescence and the migration of legacy workflows to modern service models.
Microsoft’s bulletin and the surrounding industry commentary (security vendors cataloging the CVE and community discussions) show this is not merely a theoretical change but an active, real‑world decision with predictable follow‑up: migrations, support tickets, and requests for vendor‑supplied updates or replacements.

Conclusion — recommended checklist​

  • Inventory: Search for ltmdm64.sys and Agere modem devices across your environment now.
  • Triage: Classify systems by business criticality and decide update policy per group.
  • Migrate: Plan replacement or cloud alternatives for any remaining fax/modem workflows.
  • Communicate: Notify stakeholders and document timelines for decommissioning legacy hardware.
  • Harden: Apply October cumulative updates (or later) after you’ve either mitigated or accepted hardware loss; do not keep systems unpatched long‑term as a way to preserve outdated hardware unless absolutely necessary and isolated.
  • Monitor: Watch Microsoft’s Security Update Guide and OEM channels for any new guidance, signed drivers, or alternative remediation offers.
This removal is a reminder that legacy device drivers are a recurring source of high‑impact vulnerabilities. The secure course is often inconvenient: replace or re‑architect the dependency and keep the platform patched. The immediate work now is pragmatic—identify affected systems, plan migrations, and balance risk against continuity until replacements are in place.

Source: MSRC Security Update Guide - Microsoft Security Response Center
 
