SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers

Microsoft patches zero-day, kills legacy Windows drivers

Wed, 14th Jan 2026

Microsoft has issued fixes for 114 security vulnerabilities in its first Patch Tuesday update of 2026, including one flaw that the company said attackers already exploit.

The update includes one vulnerability marked as exploited in the wild and two that Microsoft said were publicly disclosed before the fixes shipped. Microsoft did not list any critical remote code execution or elevation of privilege vulnerabilities in the Patch Tuesday batch.

Adam Barnett, Lead Software Engineer at Rapid7, said the exploited issue sits in Windows Desktop Window Manager.

"The Windows Desktop Window Manager (DWM) is a high value target for vulnerability researchers and threat actors, and CVE-2026-20805 is the latest in an occasional series of exploited-in-the-wild zero-day vulnerabilities to have emerged from it," said Barnett.

Exploited DWM flaw

Desktop Window Manager controls how Windows draws content to the display. Barnett said that reach makes it an attractive target because many processes interact with the desktop.

"DWM is responsible for drawing everything on the display of a Windows system, which means it offers an enticing combination of privileged access and universal availability, since just about any process might need to display something," said Barnett.

Microsoft assigned CVE-2026-20805 a CVSS v3 score of 5.5, which rates as medium severity. Barnett said the scoring could understate the importance of information disclosure issues.

"The CVSS v3 score of 5.5 evaluates to medium severity, which wouldn't typically scream 'patch me first', but Microsoft evaluates CVE-2026-20805 as important on their proprietary severity scale, and information disclosure vulnerabilities by their very nature tend to end up with lower CVSS scores, since there's no direct impact on integrity or availability," said Barnett.

He also said Microsoft rarely marks information disclosure vulnerabilities as exploited in the wild. He said that pattern suggests such flaws may appear as part of a broader chain.

"Also, Microsoft information disclosure vulnerabilities very rarely end up marked as exploited in the wild; any that do are very likely to be part of a longer exploit chain," said Barnett.

Driver removals

Barnett also highlighted changes involving legacy modem drivers included with Windows. He pointed to an earlier case where Microsoft removed a driver after it was implicated in an exploited elevation of privilege vulnerability.

"Back in October 2025, Microsoft removed a specific modem driver ltmdm64.sys from all versions of Windows, after it was implicated in CVE-2025-24052, an exploited-in-the-wild elevation of privilege vulnerability," said Barnett.

In the latest updates, Barnett said Microsoft removed two additional modem drivers due to a related elevation of privilege concern. He said Microsoft knows of functional exploit code for CVE-2023-31096, which was originally published via MITRE more than two years ago.

"Today sees another couple of modem drivers removed from Windows for a broadly similar reason: Microsoft is aware of functional exploit code for an elevation of privilege vulnerability in a very similar modem driver, tracked as CVE-2023-31096," said Barnett.

Barnett said Windows patches remove agrsm64.sys and agrsm.sys. He said the drivers came from the same third party and remained in Windows for decades.

"Today's Windows patches remove agrsm64.sys and agrsm.sys. All three modem drivers were originally developed by the same now-defunct third party, and have been included in Windows for decades," said Barnett.

He said most users will not notice the removals. He said the drivers could still appear in some environments.

"These driver removals will pass unnoticed for most people, but you might find active modems still in a few contexts, including some industrial control systems," said Barnett.

Barnett raised questions about how many similar components remain present across Windows installations and how long they will remain attractive to attackers. He also stressed that systems can remain exposed even without physical modem hardware.

"Two questions remain: how many more legacy modem drivers are still present on a fully-patched Windows asset, and how many more elevation-to-SYSTEM vulnerabilities will emerge from them before Microsoft cuts off attackers who have been enjoying living off the land[line] by exploiting an entire class of dusty old device drivers?" said Barnett.

"In case you were wondering, there is no need to have a modem connected; the mere presence of the driver is enough to render an asset vulnerable," said Barnett.
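Because the mere presence of the driver file is what matters, an administrator will want an inventory check rather than a search for attached modems. The following PowerShell script is an added example (not from the article or from Rapid7) that looks for the three driver files named above on the local host and reports whether a kernel driver service still references them; the update KB identifier is not given in the article, so the script only flags presence.

```powershell
# Added example: inventory the legacy modem drivers named in the article.
# Run in an elevated PowerShell session on the Windows host being assessed.
$LegacyDrivers = @('ltmdm64.sys', 'agrsm64.sys', 'agrsm.sys')   # file names from the article
$DriverDir     = Join-Path $env:SystemRoot 'System32\drivers'

function Get-LegacyModemDriverStatus {
    foreach ($name in $LegacyDrivers) {
        $path    = Join-Path $DriverDir $name
        $present = Test-Path -LiteralPath $path
        $version = $null
        if ($present) {
            $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        }
        # A registered kernel driver service means the driver can be loaded on demand,
        # whether or not any modem hardware is attached to the machine.
        $svc = Get-CimInstance -ClassName Win32_SystemDriver `
                 -Filter "PathName LIKE '%$name%'" -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Driver      = $name
            FileOnDisk  = $present
            FileVersion = $version
            ServiceName = if ($svc) { $svc.Name }      else { $null }
            StartMode   = if ($svc) { $svc.StartMode } else { $null }
            Loaded      = if ($svc) { $svc.State -eq 'Running' } else { $false }
        }
    }
}

$results = Get-LegacyModemDriverStatus
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.FileOnDisk -or $_.ServiceName }) {
    Write-Warning 'Legacy modem driver(s) still present: confirm the January 2026 cumulative update is installed and re-run.'
}
```

A clean result after patching should show every row with FileOnDisk false and no service entry; any remaining file or service entry on an updated host is worth a ticket.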

Secure Boot

The Patch Tuesday disclosures also include a Windows Secure Boot issue tracked as CVE-2026-21265. Barnett described it as a critical security feature bypass vulnerability and linked it to the ongoing transition away from older Microsoft root certificates used across the Secure Boot ecosystem.

"Today sees the publication of CVE-2026-21265, which is a critical Security Feature Bypass vulnerability affecting Windows Secure Boot," said Barnett.

He said Microsoft issued replacement certificates in 2023 and referenced earlier remediation steps that followed a bootkit campaign.

"Microsoft issued replacement certificates back in 2023, alongside CVE-2023-24932 which covered relevant Windows patches as well as subsequent steps to remediate the Secure Boot bypass exploited by the BlackLotus bootkit," said Barnett.

Barnett said the 2011 certificates will expire later this year. He said devices without the newer 2023 certificates will not receive Secure Boot security fixes after that point.

"Once the ancient 2011 certificates expire later this year, Windows devices that do not have the new 2023 certificates can no longer receive Secure Boot security fixes," said Barnett.

He added that organisations need to plan carefully when updating bootloaders and BIOS firmware because errors can leave systems unable to start.

"When updating the bootloader and BIOS, it is essential to prepare fully ahead of time for the specific OS and BIOS combination you're working with, since incorrect remediation steps can lead to an unbootable system," said Barnett.
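Before planning any bootloader or firmware work, it helps to know which certificate generation a device already trusts. The script below is an added example (not from the article or from Microsoft) that reads the Secure Boot db and KEK variables with the built-in SecureBoot module and reports whether the 2023 certificates are present; the certificate subject strings are those Microsoft uses in its published Secure Boot guidance and are assumed here rather than taken from the article.

```powershell
# Added example: report which Microsoft Secure Boot certificates this device trusts.
# Requires an elevated session on a UEFI system with Secure Boot enabled.
function Get-SecureBootCertStatus {
    try {
        if (-not (Confirm-SecureBootUEFI)) {
            Write-Warning 'Secure Boot is not enabled on this device.'
            return
        }
    } catch {
        Write-Warning "Secure Boot state could not be read (legacy BIOS or no UEFI access): $_"
        return
    }

    # Subject names as used in Microsoft's Secure Boot certificate guidance (assumed, not from the article).
    $wanted = @(
        @{ Variable = 'db';  Subject = 'Windows UEFI CA 2023';                  Generation = '2023' }
        @{ Variable = 'KEK'; Subject = 'Microsoft Corporation KEK 2K CA 2023';  Generation = '2023' }
        @{ Variable = 'db';  Subject = 'Microsoft Windows Production PCA 2011'; Generation = '2011' }
    )

    foreach ($w in $wanted) {
        # The signature database is binary; the certificate subject survives as an ASCII substring.
        $raw = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name $w.Variable).Bytes)
        [pscustomobject]@{
            Variable   = $w.Variable
            Subject    = $w.Subject
            Generation = $w.Generation
            Present    = [bool]($raw -match [regex]::Escape($w.Subject))
        }
    }
}

$status = Get-SecureBootCertStatus
$status | Format-Table -AutoSize

if ($status -and -not ($status | Where-Object { $_.Generation -eq '2023' -and $_.Present })) {
    Write-Warning 'No 2023 certificates found: this device will stop receiving Secure Boot fixes once the 2011 certificates expire.'
}
```

A device showing the 2011 entry but neither 2023 entry is the case the article warns about and should be scheduled for the documented certificate update for its specific OS and firmware combination.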

Product support

Alongside security updates, Microsoft also reached support milestones for some products. Barnett noted the end of support for a Visual Studio release line and for an older Dynamics CRM version.

"Visual Studio 2022 LTSC 17.10 reaches end of support today, so now is a good time to upgrade to a newer minor version. Dynamics CRM 2016 (also known as Dynamics 365) also reaches end of life. There are no other significant Microsoft product lifecycle changes this month," said Barnett.