Windows machines are getting exploited because a legacy fax modem driver has been installed in every operating system since 2006.
That’s one of the takeaways from October Patch Tuesday’s monster release of 177 security fixes from Microsoft, which includes patches for three vulnerabilities listed as under active attack in the wild.
Also highly notable is a CVSS 9.8, pre-auth RCE bug in the Windows Server Update Service (WSUS), assigned CVE-2025-59287. Redmond marks this as “exploitation more likely”.
Whilst Microsoft has deprecated WSUS in a bid to drive users to cloud-based server management systems, it is still supported in production deployments, and the bug notably affects recent releases like Windows Server 2025 as well as earlier operating system versions.
October Patch Tuesday: What’s being exploited?
Among the new known-exploited bugs patched by Microsoft is CVE-2025-24990, a CVSS 7.8 EOP vulnerability that stems from Microsoft’s decision to bake a legacy modem driver into every OS.
“Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems,” its patch notes said – showing that the driver is in systems as recent as Windows 11 and Server 2025.
The ltmdm64.sys driver “has been removed in the October cumulative update”, Microsoft added, saying that it recommends “removing any existing dependencies on this hardware.”
Throw out those fax machines, people.
CVE-2025-24990 was credited to a security researcher going by the handle @shitsecure who told The Stack by DM “it’s a driver from 2006, never changed… I think it was historically shipped with everything, although that doesn’t make sense at all.”
Ben McCarthy, from security firm Immersive, commented of the bug that it “shows the security risks of maintaining legacy components within modern operating systems. In attacks, threat actors are using this vulnerability as a second stage for their operations.”
He added: “This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years. Kernel-mode drivers operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access.”
RasMan EOP exploited
Also listed as under active attack was the Windows Remote Access Connection Manager (RasMan) EOP bug CVE-2025-59230 (CVSS 7.8). This software is used to manage remote access connections, and the bug gives a low-privileged attacker SYSTEM privileges; eurgh.
Distinctly more esoteric is CVE-2025-47827, a Secure Boot bypass in the open-source IGEL OS that impacts all supported versions of Windows. We’re a touch confused by that one; if you know more about exploitation of this oddity, spill the beans.
Meanwhile, the ZDI’s Dustin Childs noted of the earlier-mentioned WSUS bug that it “allows remote, unauthenticated attackers to exploit code with elevated privileges without user interaction. That means this is wormable between affected WSUS servers. Since WSUS remains a critical piece of anyone’s infrastructure, it’s an attractive target ... If you use WSUS, don’t hesitate to test and deploy this update quickly,” he added.
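As an added example (not code from The Stack, Microsoft, or the researchers quoted above), here is a PowerShell inventory script a defender could run on a Windows host to check two things raised in this article: whether the legacy Agere driver ltmdm64.sys is still present on disk or registered as a driver service, and whether the WSUS server role is installed so the CVE-2025-59287 fix can be prioritised. It assumes the driver file lives under System32\drivers and that any driver service referencing it appears in Win32_SystemDriver; no KB number is hard-coded, since the article gives none, so the hotfix list is for cross-checking against Microsoft’s own release notes.

```powershell
# Added example, not from the article or from Microsoft.
# Reports (1) presence/state of the legacy Agere modem driver ltmdm64.sys and
# (2) whether the WSUS role is installed, then lists recent hotfixes so an
# administrator can confirm the October cumulative update has landed.
# Assumptions: driver file under $env:SystemRoot\System32\drivers (assumed
# location), and driver services visible via Win32_SystemDriver.

$driverName = 'ltmdm64.sys'
$driverPath = Join-Path $env:SystemRoot "System32\drivers\$driverName"  # assumed path

$report = [ordered]@{
    ComputerName        = $env:COMPUTERNAME
    OSVersion           = [System.Environment]::OSVersion.Version.ToString()
    AgereDriverFile     = Test-Path -LiteralPath $driverPath
    AgereDriverServices = @()
    AgereDriverLoaded   = $false
    WsusRoleInstalled   = $null
}

# Any kernel driver service whose binary path points at ltmdm64.sys.
$svc = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -match [regex]::Escape($driverName) }
foreach ($s in $svc) {
    $report.AgereDriverServices += "$($s.Name) (state=$($s.State), start=$($s.StartMode))"
    if ($s.State -eq 'Running') { $report.AgereDriverLoaded = $true }
}

# WSUS role check: Get-WindowsFeature comes with the ServerManager module on
# Windows Server, so skip gracefully on client SKUs.
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $report.WsusRoleInstalled = [bool]($feature -and $feature.Installed)
} else {
    $report.WsusRoleInstalled = 'n/a (client OS or ServerManager module missing)'
}

# Most recent hotfixes; compare against Microsoft's release notes for your build.
$report.RecentHotfixes = Get-HotFix |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 5 |
    ForEach-Object {
        $when = if ($_.InstalledOn) { $_.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }
        "$($_.HotFixID) $when"
    }

[pscustomobject]$report | Format-List

if ($report.AgereDriverFile -or $report.AgereDriverServices.Count -gt 0) {
    Write-Warning "Legacy Agere modem driver ($driverName) still present: apply the October cumulative update and remove dependencies on this hardware."
}
if ($report.WsusRoleInstalled -eq $true) {
    Write-Warning "WSUS role installed: test and deploy the CVE-2025-59287 fix promptly."
}
```

Run it in an elevated PowerShell session; a host where the October cumulative update has removed the driver should report AgereDriverFile as False with no matching driver services, while a WSUS server will additionally flag the role so it can be scheduled ahead of other patching.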