Patch Tuesday: Windows 10 end of life pain for IT departments
Dmitry Nikolaev – stock.adobe.co
Windows 10 is no longer supported, but that does not mean it is not impacted by the latest Patch Tuesday update
The day Microsoft officially ended support for Windows 10 has coincided with a Patch Tuesday update, with several zero-day flaws that attackers could exploit to target the older Windows operating system.
Among these is CVE-2025-24990, which covers a legacy device driver that Microsoft has removed entirely from Windows. “The active exploitation of CVE-2025-24990 in the Agere Modem driver (ltmdm64.sys) shows the security risks of maintaining legacy components within modern operating systems,” warned Ben McCarthy, lead cyber security engineer at Immersive.
“This driver, which supports hardware from the late 1990s and early 2000s, predates current secure development practices and has remained largely unchanged for years,” he said. “Kernel-mode drivers operate with the highest system privileges, making them a primary target for attackers seeking to escalate their access.”
McCarthy said threat actors are using this vulnerability as a second stage for their operations. “The attack chain typically begins with the actor gaining an initial foothold on a target system through common methods like a phishing campaign, credential theft, or by exploiting a different vulnerability in a public-facing application,” he said.
McCarthy added that Microsoft’s decision to remove the driver entirely, rather than issue a patch, is a direct response to the risks associated with modifying unsupported, third-party legacy code. “Attempts to patch such a component can be unreliable, potentially introducing system instability or failing to address the root cause of the vulnerability completely,” he said.
In removing the driver from the Windows operating system, McCarthy said Microsoft has prioritised reducing the attack surface over absolute backward compatibility. “By removing the vulnerable and obsolete component, the potential for this specific exploit is zero,” he said. “The security risk presented by the driver was determined to be greater than the requirement to continue supporting the outdated hardware it serves.”
McCarthy said this approach demonstrates that an effective security strategy must include the lifecycle management of old code, where removal is often more definitive and secure than patching.
Another zero-day flaw that is being patched concerns the Trusted Platform Module from the Trusted Computing Group (TCG). Adam Barnett, lead software engineer at Rapid7, noted that the CVE-2025-2884 flaw concerns TPM 2.0 reference implementation, which, under normal circumstances, is likely to be replicated in the downstream implementation by each manufacturer.
“Microsoft is treating this as a zero-day despite the curious circumstance that Microsoft is a founder member of TCG, and thus presumably privy to the discovery before its publication,” he said. “Windows 11 and newer versions of Windows Server receive patches. In place of patches, admins for older Windows products such as Windows 10 and Server 2019 receive another implicit reminder that Microsoft would strongly prefer that everyone upgrade.”
One of the patches classified as “critical” has such a profound impact that some security experts advise IT departments to patch immediately. McCarthy warned that the CVE-2025-49708 critical vulnerability in the Microsoft Graphics Component, although classed as an “elevation of privilege” security issue, has a severe real-world impact.
“It is a full virtual machine [VM] escape,” he said. “This flaw, with a CVSS score of 9.9, completely shatters the security boundary between a guest virtual machine and its host operating system.”
McCarthy urged organisations to prioritise patching this vulnerability because it invalidates the core security promise of virtualisation.
“A successful exploit means an attacker who gains even low-privilege access to a single, non-critical guest VM can break out and execute code with system privileges directly on the underlying host server,” he said. “This failure of isolation means the attacker can then access, manipulate or destroy data on every other VM running on that same host, including mission-critical domain controllers, databases or production applications.”
