Patch Tuesday: Windows 10 end of life pain for IT departments

Microsoft’s Transition from Windows 10: A Security Perspective

Microsoft’s end of support for Windows 10 coincided with a large Patch Tuesday update that disclosed several zero-day vulnerabilities, a risk that bites hardest on the now-unsupported operating system. Among them is CVE-2025-24990, which concerns a legacy device driver that Microsoft has removed from Windows entirely rather than patched. Ben McCarthy, lead cyber security engineer at Immersive, emphasized the inherent security risk of retaining outdated components inside a modern operating system.

“The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) highlights the vulnerabilities that legacy drivers introduce,” McCarthy noted. He pointed out that this driver, which supports hardware from the late 1990s and early 2000s, has not evolved alongside current secure development practices. “Kernel-mode drivers operate with the highest system privileges, making them prime targets for attackers seeking to escalate their access,” he added.

According to McCarthy, threat actors are leveraging this vulnerability as a secondary stage in their operations. “Typically, the attack chain begins with the actor establishing an initial foothold on a target system through common tactics such as phishing campaigns, credential theft, or exploiting other vulnerabilities in public-facing applications,” he explained.

Microsoft’s decision to eliminate the driver entirely, rather than issuing a patch, reflects a strategic response to the risks associated with modifying unsupported, third-party legacy code. “Patching such components can be unreliable, potentially leading to system instability or failing to address the root cause of the vulnerability,” McCarthy stated. By removing the driver from the Windows operating system, Microsoft has prioritized minimizing the attack surface over maintaining backward compatibility.

“By eliminating the vulnerable and obsolete component, the potential for this specific exploit is effectively zero,” McCarthy remarked. He further asserted that the security risk posed by the driver was deemed greater than the necessity to continue supporting the outdated hardware it serves. This approach underscores the importance of lifecycle management in an effective security strategy, where removal often proves to be a more definitive and secure solution than patching.
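The practical question for an IT department is whether the Agere driver is still sitting on, or loaded in, its hosts. The PowerShell below is an added example, not code from the article, from Immersive or from Microsoft: it reports whether ltmdm64.sys is present in System32\drivers or the driver store, whether a kernel driver object referencing it is registered, and whether that driver is currently running. The driver-object name "ltmdm64" and the file locations are assumptions based on the file name in the text; verify them against your own hosts.

```powershell
# Added example (not from the article). Checks one Windows host for the
# Agere modem driver (ltmdm64.sys) named in the text. The driver-object name
# and paths are assumptions; adjust if your inventory shows otherwise.

$driverFile = Join-Path $env:SystemRoot 'System32\drivers\ltmdm64.sys'

$result = [ordered]@{
    Host            = $env:COMPUTERNAME
    FilePresent     = Test-Path $driverFile
    FileVersion     = $null
    SignatureStatus = $null
    DriverObject    = $null   # kernel driver registered with the Service Control Manager
    State           = $null   # 'Running' means the code is loaded in the kernel
    StartMode       = $null
    InDriverStore   = @()
}

if ($result.FilePresent) {
    $item = Get-Item $driverFile
    $result.FileVersion     = $item.VersionInfo.FileVersion
    $result.SignatureStatus = (Get-AuthenticodeSignature $driverFile).Status
}

# Win32_SystemDriver enumerates kernel-mode drivers known to the SCM, whether
# or not they are currently loaded.
$drv = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -eq 'ltmdm64' -or $_.PathName -like '*ltmdm64*' }
if ($drv) {
    $result.DriverObject = $drv.Name
    $result.State        = $drv.State
    $result.StartMode    = $drv.StartMode
}

# A copy in the driver store can be re-staged by Plug and Play even when
# System32\drivers is clean, so report those copies too.
$store = Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository'
$result.InDriverStore = @(
    Get-ChildItem -Path $store -Recurse -Filter 'ltmdm64.sys' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
)

# Classification: loaded = exposed now; on disk but not loaded = still reachable
# to anyone who can start a service; absent everywhere = the removal took effect.
$result.Verdict = if ($result.State -eq 'Running') {
    'EXPOSED: driver is loaded in the kernel'
} elseif ($result.FilePresent -or $result.InDriverStore.Count -gt 0) {
    'PRESENT: driver on disk but not loaded'
} else {
    'CLEAN: driver not found on this host'
}

[pscustomobject]$result | Format-List
```

Run it as an administrator so the driver store is readable, and push it through your endpoint management tooling to get a fleet-wide count rather than a single host. A host that reports PRESENT after the October update has been applied is worth a closer look, since the text says the driver should be gone, not merely disabled.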

Another zero-day flaw addressed in the latest update pertains to the Trusted Platform Module (TPM) from the Trusted Computing Group (TCG). Adam Barnett, lead software engineer at Rapid7, highlighted that the CVE-2025-2884 flaw relates to the TPM 2.0 reference implementation, which is typically replicated in downstream implementations by manufacturers. “Microsoft is treating this as a zero-day, despite the curious circumstance that it is a founding member of TCG and likely had prior knowledge of the discovery,” he noted.

While Windows 11 and the newer versions of Windows Server receive these patches, administrators of older products such as Windows 10 and Server 2019 get an implicit reminder that Microsoft strongly encourages upgrading. Among the patches classified as “critical”, one stands out for its implications, and some security experts recommend that IT departments act on it immediately.

McCarthy raised concerns about CVE-2025-49708, a critical vulnerability in the Microsoft Graphics Component that, although categorized as an “elevation of privilege” issue, carries severe real-world consequences. “This flaw represents a full virtual machine (VM) escape,” he explained. With a CVSS score of 9.9, it fundamentally undermines the security boundary between a guest virtual machine and its host operating system.

He urged organizations to prioritize patching this vulnerability, as it invalidates the core security promise of virtualization. “A successful exploit allows an attacker with even low-privilege access to a single, non-critical guest VM to break out and execute code with system privileges on the underlying host server,” McCarthy warned. This breach of isolation enables the attacker to access, manipulate, or destroy data across all other VMs operating on the same host, including mission-critical domain controllers, databases, and production applications.
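Because the consequence McCarthy describes depends entirely on whether a machine is a hypervisor host, the first triage step is to find the Hyper-V hosts and see whether they have taken any update since the release. The PowerShell below is an added example, not code from the article or from Microsoft. It assumes a Windows host with PowerShell 5.1 or later; the 2025-10-14 date is the October 2025 Patch Tuesday and is used only as a coarse "anything installed since then" signal, not as proof that the specific fix for CVE-2025-49708 is present, so confirm the KB for your SKU against Microsoft's advisory.

```powershell
# Added example (not from the article). Identifies whether this host runs
# Hyper-V guests and whether any update has landed since the October 2025
# Patch Tuesday (2025-10-14, an assumption used as a coarse cut-off only).

$patchTuesday = Get-Date '2025-10-14'

$cs = Get-CimInstance Win32_ComputerSystem
$os = Get-CimInstance Win32_OperatingSystem

# HypervisorPresent is true on a Hyper-V host but also inside a VM or with
# virtualization-based security enabled; the vmms service is what marks a host.
$vmms   = Get-Service -Name vmms -ErrorAction SilentlyContinue
$isHost = $null -ne $vmms

$vmCount = $null
if ($isHost -and (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
    $vmCount = @(Get-VM).Count
}

# Get-HotFix lists installed updates; InstalledOn can be empty for some entries.
$recent = @(
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
        Sort-Object InstalledOn -Descending
)

[pscustomobject]@{
    Host              = $env:COMPUTERNAME
    OS                = $os.Caption
    Build             = $os.Version
    HypervisorPresent = $cs.HypervisorPresent
    HyperVHost        = $isHost
    VmmsState         = if ($vmms) { $vmms.Status } else { 'n/a' }
    GuestVMs          = $vmCount
    UpdatesSince      = ($recent | ForEach-Object {
                            "$($_.HotFixID) ($($_.InstalledOn.ToShortDateString()))"
                        }) -join ', '
    Priority          = if ($isHost -and $recent.Count -eq 0) {
                            'HIGH: Hyper-V host with no update since 2025-10-14'
                        } elseif ($isHost) {
                            'Verify the installed cumulative update covers CVE-2025-49708'
                        } else {
                            'Not a Hyper-V host; patch on the normal schedule'
                        }
} | Format-List
```

Hosts that report HIGH are the ones where a low-privilege foothold in any one guest is, per the text, a path to SYSTEM on the host and to every other VM on it, so they belong at the top of the patch queue ahead of the guests themselves.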
