Patch Tuesday: Windows 10 end of life pain for IT departments

Microsoft’s Transition from Windows 10: Security Implications and Zero-Day Vulnerabilities

Support for Windows 10 has ended, and the Patch Tuesday update that coincides with it addresses several zero-day vulnerabilities, some of which affect the aging operating system. Among them is CVE-2025-24990, a flaw in a legacy device driver that Microsoft has chosen to remove from Windows outright rather than patch. Ben McCarthy, lead cyber security engineer at Immersive, said the case highlights the security cost of retaining outdated components in modern systems.

“The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) underscores the dangers of legacy code,” McCarthy noted. He elaborated that this driver, which supports hardware from the late 1990s and early 2000s, has not evolved in line with contemporary secure development practices. “Kernel-mode drivers operate with the highest system privileges, making them prime targets for attackers aiming to escalate their access,” he explained.

According to McCarthy, threat actors are using this vulnerability as a privilege-escalation step within a broader intrusion rather than as a way in. “Typically, the attack chain begins with the actor establishing an initial foothold on a target system through methods such as phishing, credential theft, or exploiting vulnerabilities in public-facing applications,” he said.

Microsoft’s decision to eliminate the driver instead of issuing a patch reflects a proactive stance against the risks tied to modifying unsupported, third-party legacy code. McCarthy emphasized that attempts to patch such components can be unreliable, potentially leading to system instability or failing to address the core issue entirely. “By removing the vulnerable and obsolete component, the potential for this specific exploit is zero,” he asserted. “The security risk posed by the driver was deemed more significant than the need to support outdated hardware.”

The approach illustrates that an effective security strategy must include lifecycle management of older code: where a component no longer has a supported use, removing it is often safer than patching it. The trade-off is that any system still depending on the obsolete hardware loses that support, so the removal has to be planned rather than merely applied.
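The practical question for an administrator reading the two paragraphs above is whether the legacy driver is still registered on a given host and which other kernel-mode drivers deserve the same lifecycle review. The following PowerShell script is an added example written for this page; it is not code from the article, Immersive or Microsoft. The only identifier it takes from the article is the file name ltmdm64.sys; the helper name Resolve-DriverPath and the year cut-off used to flag "old" drivers are assumptions of the example.

```powershell
# Added example (not from the article, Immersive or Microsoft): inventory the
# kernel-mode drivers registered on this Windows host, report whether the Agere
# modem driver named in the article (ltmdm64.sys) is still present, and list
# drivers worth a lifecycle review. Run in an elevated PowerShell session.
# The year cut-off below is an assumed threshold, not a figure from the page.

$LegacyDriverName      = 'ltmdm64.sys'   # Agere Modem driver, CVE-2025-24990
$ReviewIfOlderThanYear = 2015            # assumed: flag drivers last built before this

function Resolve-DriverPath {
    # Win32_SystemDriver.PathName comes in several shapes:
    #   \??\C:\Windows\system32\drivers\x.sys, \SystemRoot\System32\drivers\x.sys,
    #   system32\DRIVERS\x.sys, or a plain absolute path. Normalise to absolute.
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    if ($p -match '^\\SystemRoot\\') {
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    } elseif (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot $p
    }
    return $p
}

$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        $path   = Resolve-DriverPath $_.PathName
        $exists = Test-Path -LiteralPath $path
        $sig    = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $item   = if ($exists) { Get-Item -LiteralPath $path } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            State     = $_.State        # Running / Stopped
            StartMode = $_.StartMode    # Boot / System / Auto / Manual / Disabled
            Path      = $path
            Present   = $exists
            SigStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
            Signer    = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            FileDate  = if ($item) { $item.LastWriteTime } else { $null }
            Version   = if ($item) { $item.VersionInfo.FileVersion } else { '' }
        }
    }

# 1. The specific component the article discusses.
$agere = $drivers | Where-Object { $_.Path -like "*\$LegacyDriverName" }
if ($agere) {
    Write-Warning "$LegacyDriverName is still registered (state: $($agere.State -join ', ')); the update that removes it has most likely not been applied to this host."
} else {
    Write-Host "$LegacyDriverName is not registered on this host."
}

# 2. Broader lifecycle review: anything missing on disk, unsigned, not signed by
#    Microsoft, or last modified before the cut-off. Third-party drivers that
#    went through WHQL also carry a Microsoft signer, so the signer test is coarse.
$review = $drivers | Where-Object {
    -not $_.Present -or
    $_.SigStatus -ne 'Valid' -or
    $_.Signer -notmatch 'Microsoft' -or
    ($_.FileDate -and $_.FileDate.Year -lt $ReviewIfOlderThanYear)
}
$review | Sort-Object FileDate |
    Format-Table Name, State, StartMode, SigStatus, FileDate, Version, Path -AutoSize
```

Two caveats when reading the output. Inbox drivers are usually catalog-signed, so Get-AuthenticodeSignature reports their signer through the catalog, and the Agere driver itself shipped inside Windows with a Microsoft signature, which is why the script checks for it by name rather than relying on the signer test. File timestamps on inbox binaries often reflect when the image was built rather than when the code was written, so the age flag is a prompt to review a driver, not evidence that it is dangerous; the decision to remove a component is still made per component, as Microsoft did here.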

Another zero-day being addressed is CVE-2025-2884, in the Trusted Computing Group (TCG) TPM 2.0 reference implementation. Adam Barnett, lead software engineer at Rapid7, pointed out that the flaw sits in the reference code, which manufacturers typically replicate in their downstream TPM implementations, so it is not specific to any one vendor. “Microsoft is treating this as a zero-day, despite the interesting fact that they are a founding member of TCG and likely had prior knowledge of the discovery,” he remarked. Patches are listed for Windows 11 and newer Windows Server releases; administrators of older products such as Windows 10 and Windows Server 2019 are left with Microsoft’s standing advice to upgrade.

Among the critical patches released, CVE-2025-49708 has drawn particular attention from security experts. McCarthy warned that this flaw in the Microsoft Graphics Component, which Microsoft classifies as an elevation of privilege, is far more serious than that label suggests. “It represents a full virtual machine escape,” he stated. Its CVSS score of 9.9 reflects a breach of the security boundary between a guest virtual machine and its host operating system.

McCarthy urged organizations to prioritize addressing this vulnerability, as it undermines the fundamental security assurances of virtualization. “A successful exploit allows an attacker with low-privilege access to a single, non-critical guest VM to escape and execute code with system privileges on the host server,” he explained. “This breakdown of isolation enables the attacker to access, manipulate, or destroy data across all other VMs running on that host, including critical domain controllers, databases, or production applications.”

Winsage