Actively exploited
By Lyrie Threat Intelligence · 10/14/2025

What happened

CISA added CVE-2025-24990 to the Known Exploited Vulnerabilities (KEV) catalog, signaling confirmed exploitation in the wild [CISA KEV]. The flaw is an untrusted pointer dereference in the Microsoft Windows Agere Modem Driver that enables local privilege escalation to administrator [NVD CVE-2025-24990]. The entry names the issue “Microsoft Windows Untrusted Pointer Dereference Vulnerability,” aligning with the CWE-822 classification [MITRE CVE record].

Per CISA’s KEV entry, the vulnerability was added on 2025-10-14 with a remediation due date of 2025-11-04 for federal agencies, and the required action is to apply vendor mitigations or discontinue use if none exist [CISA KEV]. The KEV listing explicitly flags this CVE as exploited, which is why it appears in the catalog [CISA KEV].

Why it matters

Local privilege escalation (LPE) is the pivot from an initial foothold to full administrative control. This bug’s untrusted pointer dereference allows an attacker to escalate to administrator on affected Windows systems [NVD CVE-2025-24990]. Inclusion in CISA’s KEV means exploitation has been observed in the wild, not merely theorized, and remediation is time-bound for government networks [CISA KEV]. The vulnerability maps to CWE-822, a well-known class in which code dereferences pointers taken from untrusted sources, often giving the caller control over privileged memory operations [MITRE CWE-822].

In practice, once an adversary lands on a Windows host through phishing, a drive-by, or a living-off-the-land step, a working LPE is what turns that foothold into reliable persistence and lateral movement. When KEV says “exploited,” defenders should assume both opportunistic and targeted actors are already folding this into post-exploitation chains [CISA KEV].

Technical detail

CVE-2025-24990 is an untrusted pointer dereference in the Windows Agere Modem Driver [NVD CVE-2025-24990]. In CWE-822 scenarios, privileged code follows a pointer sourced from an untrusted context without sufficient validation, leading to memory access in a privileged context that the attacker can influence [MITRE CWE-822]. That pattern makes LPE viable because the dereference occurs inside a privileged component rather than in user space [MITRE CWE-822].

The core risk mechanics of CWE-822 typically include:

  • An unvalidated pointer or buffer address is accepted from a less-trusted caller, then dereferenced in a privileged routine [MITRE CWE-822].
  • Insufficient boundary, provenance, or lifetime checks on the pointer prior to dereference lead to unintended read/write or control-flow impacts [MITRE CWE-822].
  • Result: attacker-controlled influence over a privileged operation, enabling escalation to administrator as reflected in the CVE description [NVD CVE-2025-24990].

CISA’s KEV entry confirms real-world exploitation and sets a remediation deadline for agencies, indicating confidence that threat actors can and do reach admin privileges via this flaw [CISA KEV]. The MITRE CVE record tracks the identifier and vendor coordination, corroborating the vulnerability’s scope in Microsoft Windows [MITRE CVE record].

Defense

  • Patch/mitigate now: CISA directs organizations to apply vendor mitigations or discontinue use if none are available, and to follow the applicable BOD 22-01 timelines [CISA KEV].
  • Prioritize exposure reduction: Treat any Windows fleet with legacy or optional drivers as higher risk when a driver-linked CWE-822 is in KEV; the CVE confirms admin escalation potential [NVD CVE-2025-24990].
  • Compensating controls: Use least privilege on endpoints, application allowlisting, and rapid isolation of endpoints that exhibit sudden privilege changes following code execution events. KEV status implies exploitation is active and opportunistic [CISA KEV].
  • Validate incident response readiness: Assume post-exploitation chains can leverage this LPE and rehearse containment steps that focus on privilege escalation detection and rollback, aligned to the CWE-822 risk model [MITRE CWE-822].
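The "sudden privilege changes following code execution events" the Defense list calls out can be hunted in process telemetry. The following is an added illustration written for this post, not Lyrie's product code: it walks a constructed stream of process-start and device-open events (the integrity labels, event names and the `\\.\HYPOTHETICAL_MODEM` device name are all assumptions) and flags any child process that starts at a higher integrity level than its parent, raising severity when that parent opened a device object shortly beforehand.

```python
"""Hunt for privilege-boundary jumps in process lineage that follow a device/driver
interaction. Sample events are constructed for this example, not real telemetry."""
from datetime import datetime, timedelta

# Windows integrity levels, ordered low to high (assumption: telemetry carries these labels).
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}

# Constructed events: (timestamp, event_kind, pid, parent_pid, integrity, detail).
SAMPLE_EVENTS = [
    ("2025-10-14T09:00:00", "process_start", 1,   0,   "System", "services.exe"),
    ("2025-10-14T10:00:00", "process_start", 100, 1,   "Medium", "explorer.exe"),
    ("2025-10-14T10:05:00", "process_start", 200, 100, "Medium", "outlook.exe"),
    ("2025-10-14T10:05:30", "process_start", 300, 200, "Medium", "invoice.exe"),
    ("2025-10-14T10:05:40", "device_open",   300, 200, "Medium", r"\\.\HYPOTHETICAL_MODEM"),
    ("2025-10-14T10:05:42", "process_start", 400, 300, "System", "cmd.exe"),
    ("2025-10-14T10:20:00", "process_start", 500, 100, "High",   "installer.exe"),
    ("2025-10-14T10:30:00", "process_start", 600, 1,   "System", "svchost.exe"),
]


def find_privilege_jumps(events, window=timedelta(seconds=60)):
    """Return findings for every child whose integrity exceeds its parent's."""
    integrity_of = {}        # pid -> integrity label seen at process start
    last_device_open = {}    # pid -> timestamp of the most recent device_open
    findings = []
    for ts_str, kind, pid, ppid, integrity, detail in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if kind == "device_open":
            last_device_open[pid] = ts
            continue
        if kind != "process_start":
            continue
        integrity_of[pid] = integrity
        parent_integrity = integrity_of.get(ppid)
        if parent_integrity is None:
            continue  # parent never observed: no lineage to compare against
        if INTEGRITY_RANK[integrity] <= INTEGRITY_RANK[parent_integrity]:
            continue  # same or lower integrity than the parent: expected
        # A consent-driven UAC elevation is typically parented by svchost.exe (System),
        # so a Medium parent spawning a High/System child is the anomalous shape.
        device_ts = last_device_open.get(ppid)
        recent_device = device_ts is not None and ts - device_ts <= window
        findings.append({"child_pid": pid, "parent_pid": ppid, "image": detail,
                         "from": parent_integrity, "to": integrity,
                         "severity": "high" if recent_device else "medium"})
    return findings


if __name__ == "__main__":
    for finding in find_privilege_jumps(SAMPLE_EVENTS):
        print(finding)
```

Only the jump that follows a device open within the window is rated high; the later explorer-to-installer jump is still reported, but at medium, so the analyst sees both while the driver-linked path sorts to the top.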

Lyrie Verdict

CVE-2025-24990 is an in-the-wild Windows LPE targeting a driver-class weakness, so human-in-the-loop response is too slow once an adversary has a foothold [CISA KEV]. Lyrie treats KEV-designated LPEs as priority signals and autonomously hunts for privilege-boundary jumps in process lineages immediately after device/driver interactions, suppressing the escalation path at machine speed rather than waiting for post-event triage. Our position: close the LPE window automatically; let analysts validate after containment [NVD CVE-2025-24990].
