Micropatches Released for Windows Disk Cleanup Tool Elevation of Privilege Vulnerability (CVE-2025-21420)

 

 

February 2025 Windows Updates brought a patch for CVE-2025-21420, a local privilege elevation vulnerability allowing a local attacker to execute malicious code in another user's existing session using said user's identity. Microsoft's advisory does not reveal who reported this vulnerability to Microsoft (or whether they had discovered it internally).

 

The Vulnerability 

Security researcher moiz reverse engineered Microsoft's patch for cleanmgr.exe in February's Windows updates and found that Microsoft had added the ProcessRedirectionTrustPolicy mitigation (a.k.a. Redirection Guard) to the process, which causes the process to ignore symbolic links created by low-privileged users. Based on this information, moiz monitored the behavior of the Disk Cleanup tool when launched and found that it was vulnerable to symbolic link redirection. Placing a symbolic link from a certain file that a low-privileged user can create, to another file that can only be deleted by a high-privileged user, can result in deletion of the latter file when Disk Cleanup's scheduled task is launched. Moiz gracefully shared their analysis and POC.

Arbitrary file deletion can be turned into arbitrary code execution as Local System, as was first shown by Jonas Lykkegård in 2020 using Windows Error Reporting Service, and subsequently also by Abdelhamid Naceri using Windows Installer.

So the low-privileged user just prepares the right files, sets symbolic links, and starts the scheduled task? Hmm, strange, because Disk Cleanup scheduled task is set to run as "Users", not some privileged account like "Local System". One would expect it to be launched with attacker's own identity, which would not result in file deletion due to permissions on the target file. And the fact that the task is set to "Run with highest privileges" doesn't help either because that would only ensure that if a non-elevated admin were to launch it, it would run as elevated admin - but the attacker cannot be elevated.

So why does the attack work at all?

It turns out that - cue raised eyebrows - that launching the Disk Cleanup scheduled task as any logged-in user not only gets it launched in said user's session - but rather in all existing sessions on the computer, and just as if those other users had launched it themselves! This means that if an administrator is logged in to the computer, and then the attacker connects to it via remote desktop, the attacker will be able to launch Disk Cleanup scheduled task in administrator's session. In that session, vulnerable cleanmgr.exe would be executed, auto-elevated, and would follow attacker's symbolic links to eventually delete the system file attacker wanted to delete.

Needless to say, such attack is even easier to imagine on a Windows Server with terminal services where users are meant to login at the same time.

 

Microsoft's Patch

As moiz had noticed, Microsoft added the ProcessRedirectionTrustPolicy mitigation to cleanmgr.exe to prevent it from following low-privileged users' symbolic links. 

 

Our Patch

While we could do the same as Microsoft, Redirection Guard is not available on all affected security-adopted Windows versions, so we wrote a patch that checks the path of the to-be-deleted file and determines if it is a symbolic link. If it isn't, the patch allows the file to be deleted, otherwise it blocks the deletion. This approach is more rigorous that Microsoft's (with their patch, administrator's symlinks would be accepted) but we believe that there aren't any valid scenarios where administrator's links would be used in this context - and Microsoft just took the easy road by adding the mitigation to the process. (Which was the smart thing to do for them.)

 

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

1. Windows 11 v21H2 - fully updated
2. Windows 10 v21H2 - fully updated
3. Windows 10 v21H1 - fully updated
4. Windows 10 v20H2 - fully updated
5. Windows 10 v2004 - fully updated
6. Windows 10 v1909 - fully updated
7. Windows 10 v1809 - fully updated
8. Windows 10 v1803 - fully updated

Note that Windows 7, Server 2008 R2, Server 2012 and Server 2012 R2 are not affected by this issue.

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank moiz for sharing their finding and their POC, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for "WSPCoerce" Coerced Authentication via Windows Search Protocol (NO CVE/WONTFIX)

 

 

Coerced authentication is any method that allows an attacker to force a target system to authenticate against attacker's computer and reveal its credentials in the process. The most useful form of coerced authentication on Windows is arguably one that forces a remote Windows computer to send its machine (system) account's NTLM credentials to attacker, which can then be relayed to another computer.

Microsoft does not consider "coerced authentication" methods vulnerabilities worth fixing and rather suggests several options for mitigating attacks, including disabling NTLM. For various, mostly legacy-related reasons, many large organizations can't implement these options.

That is why we at 0patch have decided to provide our own patches for known coerced authentication issues so that both legacy Windows systems like Windows 7 and Server 2008 R2 and the latest Windows 11 and Server 2025 that are using NTLM get to be properly protected. So far we have been providing (and dutifully porting to new versions of executable files) patches for these coerced authentication issues:

1. PetitPotam
2. PrinterBug/SpoolSample and
3. DFSCoerce.

We are now adding a fourth coerced authentication issue to the list: "WSPCoerce". WSPCoerce was discovered by Simon Lemire who also published a WSPCoerce proof-of-concept tool. The tool sends a request to the Windows Search Service running by default on any Windows workstation (but not on servers), causing it to read a shared folder on attacker's computer - revealing machine account's NTLM credentials in the process.

Our patch adds a security check to the processing of affected search requests such that a remote machine can only request a search of a shared folder on the same remote machine (the target machine), and not on some other machine in the network. This preserves search and indexing functionality, but prevents coerced authentication.

 

Micropatch Availability

Micropatches were written for:

 Legacy Windows versions:

1. Windows 11 v21H2 - fully updated
2. Windows 10 v21H2 - fully updated
3. Windows 10 v21H1 - fully updated
4. Windows 10 v20H2 - fully updated
5. Windows 10 v2004 - fully updated
6. Windows 10 v1909 - fully updated
7. Windows 10 v1809 - fully updated
8. Windows 10 v1803 - fully updated
9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
10. Windows Server 2012 - fully updated without ESU or with ESU 1
    
11. Windows Server 2012 R2 - fully updated without ESU or with ESU 1
12. Windows Server 2008 R2 - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
    

 Windows versions still receiving Windows Updates:

1. Windows 11 v24H2 - fully updated   
2. Windows 11 v23H2 - fully updated
3. Windows 11 v22H2 - fully updated
4. Windows 10 v22H2 - fully updated
5. Windows Server 2025 - fully updated
   
6. Windows Server 2022 - fully updated
   
7. Windows Server 2019 - fully updated 
8. Windows Server 2016 - fully updated 
9. Windows Server 2012 fully updated with ESU 2
   
10. Windows Server 2012 R2 fully updated with ESU 2

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We'd like to thank Simon Lemire for sharing their finding and their tool, which allowed us to reproduce the issue and create patches for our users.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053)

June 2025 Windows updates brought a fix for CVE-2025-33053, a remote code execution vulnerability that was found to be exploited in the wild. The vulnerability allows a malicious URL file pointing to a legitimate local Windows executable to "sideload" a DLL or EXE from attacker's server on the Internet when opened.

Note that while Microsoft titled this issue "WEBDAV Remote Code Execution", the vulnerability can be generally exploited using any SMB network share, including an internal network shared folder. However, since most firewalls and Internet Service Providers block SMB traffic, WebDAV makes for a much more powerful attack scenario as it allows the malicious DLL to be loaded from a server on the Internet right through the firewall.

 

The Vulnerability 

This vulnerability was detected by Alexandra Gofman and David Driker with Check Point Research, who wrote up a detailed analysis. Windows Internet shortcut files, also called URL files by their .url extension, are text-based files initially designed to be desktop shortcuts to Internet sites. As the documentation states, "When the user clicks the icon, the browser is launched and displays the site associated with the shortcut." 

In reality, URL files also allow for direct launching of executable files from a specified path, and apparently also with a specified CWD (current working directory) - which can point to a network path under attacker's control. This becomes very important when the launched executable - e.g., a legitimate Windows executable from C:\Windows\System32 folder - tries to load some DLL or launch an EXE and looks for it in the CWD according to its effective search order strategy. In effect, this then becomes a "binary planting" attack with a twist.

The attack detected by Check Point used a malicious URL file specifying a path to a legitimate local Windows executable C:\Program Files\Internet Explorer\iediagcmd.exe, and WorkingDirectory pointing to attacker's Internet-based network share.

When launched, iediagcmd.exe in turn launches other executables like ipconfig.exe and route.exe without providing full path to them. According to the CreateProcess documentation, the executable to be launched is searched for in the following locations:

1. The directory from which the application loaded.
2. The current directory for the parent process.
3. The 32-bit Windows system directory.
4. The 16-bit Windows system directory.
5. The Windows directory.
6. The directories that are listed in the PATH environment variable.

Note that the parent executable (iediagcmd.exe) resides in the C:\Program Files\Internet Explorer folder, while ipconfig.exe and route.exe reside in the C:\Windows\System32 folder. Therefore, the latter are not found in "the directory from which the application loaded," so the process tries the current working directory next.

Which is on attacker's network share. 

While this attack could easily be mounted inside the victim computer's network, the attacker would have to already be inside this network. That is where WebDAV comes in: when the Web Client service is running on the computer, remote network shares are not only accessible via the SMB protocol, but also via HTTP-based WebDAV that goes right through the company's firewall. With WebDAV, the malicious ipconfig.exe or route.exe can be hosted on an Internet web server, and they will be automatically downloaded and executed by Windows when a user in a firewalled corporate network opens the malicious URL file that seemingly only launches a trusted local executable.

 

Microsoft's Patch

Microsoft patched this issue by changing the behavior of URL files such as to ignore the WorkingDirectory value when launching executables.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows 11 21H2 - fully updated
2. Windows 10 21H2 - fully updated
3. Windows 10 21H1 - fully updated
4. Windows 10 20H2 - fully updated
5. Windows 10 2004 - fully updated
6. Windows 10 1909 - fully updated
7. Windows 10 1809 - fully updated
8. Windows 10 v1803 - fully updated
9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
10. Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
11. Windows Server 2012 - fully updated without ESU, with ESU 1
12. Windows Server 2012 R2 - fully updated without ESU, with ESU 1
    

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researchers Alexandra Gofman and David Driker with Check Point Research for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Preauth DoS on Windows Deployment Service (CVE-2025-29957)

 

May 2025 Windows updates brought a fix for CVE-2025-29957, a denial of service vulnerability allowing an attacker in the network to easily consume all available memory on a Windows Server with Windows Deployment Service installed. This could lead to said server being unable to provide both Windows deployment services and other services such as network file sharing, printing, or provide other server functionalities based on its configured server roles.

The vulnerability was reported to Microsoft by security researchers R4nger & Zhiniang Peng.

 

Microsoft's Patch

Microsoft patched this issue by properly freeing allocated memory on each remote session initiation.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows Server 2012 - fully updated without ESU, with ESU 1
2. Windows Server 2012 R2 - fully updated without ESU, with ESU 1
   

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researcher Zhiniang Peng for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 and Office 2016/2016 when trey go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

Micropatches Released for Microsoft Management Console Security Feature Bypass Vulnerability (CVE-2025-26633)

 

March 2025 Windows updates brought a fix for CVE-2025-26633, a security feature bypass vulnerability in Windows that allows a malicious script to bypass one of the security warnings displayed when opening a Microsoft Console (.msc) file that was loaded from the Internet.

The vulnerability was reported to Microsoft by security researcher Aliakbar Zahravi with Trend Micro.

Aliakbar also published a detailed analysis of this vulnerability, which allowed us to reproduce the issue and create our own patches for security-adopted Windows versions that are no longer receiving updates from Microsoft.

 

Microsoft's Patch

Microsoft patched this issue by preventing users from launching .msc files marked with Mark of the Web (MotW).

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.

Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

1. Windows 11 21H2 - fully updated
2. Windows 10 21H2 - fully updated
3. Windows 10 21H1 - fully updated
4. Windows 10 20H2 - fully updated
5. Windows 10 2004 - fully updated
6. Windows 10 1909 - fully updated
7. Windows 10 1809 - fully updated
8. Windows 10 v1803 - fully updated
9. Windows 7 - fully updated without ESU, with ESU 1, ESU 2 or ESU 3
10. Windows Server 2008 R2 - - fully updated without ESU, with ESU 1, ESU 2, ESU 3 or ESU 4
11. Windows Server 2012 - fully updated without ESU, with ESU 1
12. Windows Server 2012 R2 - fully updated without ESU, with ESU 1
    

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researcher Aliakbar Zahravi with Trend Micro for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 when it goes out of support in October 2025, allowing you to keep using it for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.

How MSPs Can Handle Windows 10 End of Support with 0patch

“Patching Windows 10 after end-of-support? Done.”

October 14, 2025, is a date that’s probably already circled in red on your Windows 10 clients’ calendars – or at least, it should be. It’s the day Microsoft stops releasing security updates for Windows 10. Yes, it’s the official End of Support (EoS) date, and we all know what that means: a scramble for upgrades, extended support costs.

As an MSP, this is both a headache and an opportunity. After all, your clients rely on you to keep their systems secure, compliant, and running smoothly. And if history is any guide, some of them will be clinging to their Windows 10 machines well into 2026 and beyond.

So, what’s your move? Why not 0patch? It’s your chance to offer a smarter, more cost-effective alternative to expensive upgrades and risky unpatched systems. Let’s talk about why.

Why Your Clients Don’t Want to Upgrade (and Why You Shouldn’t Force Them)

Let’s face it, some users just don’t want to give up their trusty Windows 10 machines, and for good reasons.

We get it. You’re probably already hearing this from your clients:

• “This machine is still perfectly fine. I’m not replacing it.”

• “I am not a fan of Windows 11. It’s too different.”

• “We just upgraded the software. It works. Why change it?”

• “Windows 11 feels more like spyware than software.”

• “Budget is tight. I can’t afford to replace half my hardware.”

• “My computer can’t run Windows 11”.

Sound familiar? This is where 0patch comes in. Instead of pushing clients to upgrade, you can keep their systems secure without the cost, disruption, and user frustration of a full OS migration.

If it ain’t broke... – It’s stable, familiar, and does the job, so why rock the boat?

Why MSPs Should Care About 0patch for Windows 10

1. Incredibly Simple Management

0patch was designed with MSPs in mind, offering a centralized, cloud-based management console that makes it easy to deploy, monitor, and manage patches across multiple clients. No more chasing down individual endpoints or dealing with complex configurations – it just works.

2. Extended Windows 10 Security Without Upgrading

Microsoft will officially stop providing security updates for Windows 10 in October 2025, which means systems still running it will be exposed to critical vulnerabilities. However, with 0patch, you can keep these systems secure by applying micro-patches to known vulnerabilities, even after Microsoft ends support. This means you can offer your clients a cost-effective, low-risk way to keep their operations running smoothly without forcing them into expensive, disturbing upgrades.

3. Rapid and Non-Disruptive Patching

Traditional patching can be time-consuming and disruptive for your clients, often requiring reboots and extensive testing. 0patch solves this with its micropatches, which are tiny, targeted code updates that apply in memory without restarting systems. This means less downtime, happier clients, and fewer headaches for your team.

4. Reduced Attack Surface and Compliance

With 0patch, your clients’ systems get only the security fixes they actually need, minimizing the attack surface, mitigating risks and reducing the time of unintentional disruptions. This also helps with regulatory compliance, especially in industries like healthcare, finance, and government where security is tightly regulated.

5. Cost Savings for Your Clients (and You)

Upgrading to a new operating system can be a massive expense, not just in terms of licensing but also in training, hardware upgrades, and migration costs. With 0patch, you can help your clients extend the life of their current infrastructure, reducing overall IT spending and freeing up budget for other critical projects.

0patch – Your Stress-Free, High-Margin Patching Solution

For MSPs, 0patch ticks all the right boxes:

• Zero Reboots, Zero Downtime – Apply security patches to running processes. No annoying reboots or maintenance windows.

• Instant Rollback – Reverse a patch in real-time if it causes issues – no reinstalling, no system restore needed.

• Lightweight Patches – Micro-patches that are just a few machine instructions – fast to deploy, low bandwidth.

• Multi-Tenant Friendly – Manage all your clients through 0patch Central.

• Compliance Support – Stay audit-ready even on unsupported systems (ISO 27001, GDPR, NIS2).

• No Vendor Lock-In – Use 0patch alongside your existing RMM and PSA tools – no need to rip and replace.

What’s In It for You as an MSP?

• New Revenue Stream – offer 0patch as a premium, ongoing security service.

• Reduced Overhead – fewer support tickets, no emergency patch frenzies.

• Client Retention – keep clients happy and secure without forcing upgrades.

• Differentiation – stand out by offering a modern, micropatching approach your competitors might miss.

What’s In It for Your Clients?

• Peace of Mind – security for systems they’re not ready (or able) to upgrade.

• Cost Savings – no need to buy new hardware or expensive extended support.

• Less Disruption – no downtime, no “surprise” patch day headaches.

• Flexibility – protect legacy systems without pressure to migrate.

• A better way to handle Windows 10 EoS.

What’s Next?

If you’re managing clients with Windows 10 systems, now is the perfect time to consider 0patch as a key part of your service portfolio. By offering this innovative micro-patching solution, you can strengthen your client relationships, differentiate your services, and build a more resilient, future-proof IT environment.

Instead of pushing for mass upgrades, give your clients a smarter choice: keep Windows 10 secure and compliant without the headaches. 

Learn more about how 0patch can keep your clients’ systems secure beyond 2025, and join the growing number of MSPs who are making smarter, more agile security a cornerstone of their service offerings.

Contact us today at partners@0patch.com to learn how 0patch can benefit your clients and your business. Or better yet, try 0patch for yourself and see how it can transform your patching game.

Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it

 

 

While patching a SCF File NTLM hash disclosure issue on our security-adopted Windows versions, our researchers discovered a related vulnerability on all Windows Workstation and Server versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025. The vulnerability allows an attacker to obtain user's NTLM credentials by having the user view a malicious file in Windows Explorer - e.g., by opening a shared folder or USB disk with such file, or viewing the Downloads folder where such file was previously automatically downloaded from attacker's web page.

Impact and attack scenarios of this issue are identical to that of a previously discovered 0day in URL files (subsequently patched by Microsoft), although the flaw is different here and to our knowledge not discussed in public before. 

[Update 04/09/2025] We were informed by George Hughey with MSRC Vulnerabilities & Mitigations that Microsoft recently brought a change to how SCF files are behaving. We have confirmed that on computers with January 2025 Windows Updates installed, Windows Explorer exhibits the behavior we're describing here only if the SCF file does not have the Mark of the Web. This means that attack scenarios on still-supported Windows versions like Windows 11 v24H2 do not include drive-by-downloaded SCF files, but do still include SCF files on network shared folders or USB drives. We'd like to thank George for sharing this information with us.

Note that while these types of vulnerabilities are not critical and their exploitability depends on several factors (e.g., the attacker either already being in the victim's network or having an external target like a public-facing Exchange server  to relay the stolen credentials to), they have been found to be used in actual attacks ([1][2]).

We reported this issue to Microsoft, and - as usual - issued micropatches for it that will remain free until Microsoft has provided an official fix.

We are withholding details on this vulnerability until Microsoft's fix becomes available to minimize the risk of malicious exploitation. 

This is the fourth 0day we have recently found and reported to Microsoft, after the Windows Theme file issue (subsequently patched by Microsoft as CVE-2025-21308), the Mark of the Web issue on Server 2012 (still a 0day without an official patch), and the URL File NTLM Hash Disclosure Vulnerability (subsequently patched by Microsoft as CVE-2025-21377).

In addition, the "EventLogCrasher" vulnerability, allowing an attacker to disable all Windows event logging on all domain computers (reported to Microsoft in January 2024 by security researcher Florian), is still waiting for an official patch so our patches for it are the only ones available.

There are also currently three NTLM-related publicly known "wont fix" vulnerabilities that Microsoft decided not to patch with 0patch patches available: PetitPotam, PrinterBug/SpoolSample and DFSCoerce. All of these are present on all latest fully updated Windows versions, and if your organization is using NTLM for any reason, it could be affected.

Currently, 40% of our users are using 0patch for protection against 0day and "wont fix" vulnerabilities, while others use 0patch for keeping their legacy Windows systems and Office versions secure with our security patches.

Micropatch Availability

Since this is a "0day" vulnerability with no official vendor fix available, we are providing our micropatches for free until such fix becomes available.

Micropatches were written for:

 Legacy Windows versions:

1. Windows 11 v21H2 - fully updated
2. Windows 10 v21H2 - fully updated
3. Windows 10 v21H1 - fully updated
4. Windows 10 v20H2 - fully updated
5. Windows 10 v2004 - fully updated
6. Windows 10 v1909 - fully updated
7. Windows 10 v1809 - fully updated
8. Windows 10 v1803 - fully updated
9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
10. Windows Server 2012 - fully updated with no ESU or ESU 1
    
11. Windows Server 2012 R2 - fully updated with no ESU or ESU 1
12. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
    

 Windows versions still receiving Windows Updates:

1. Windows 11 v24H2 - fully updated   
2. Windows 11 v23H2 - fully updated
3. Windows 11 v22H2 - fully updated
4. Windows 10 v22H2 - fully updated
5. Windows Server 2025 - fully updated
   
6. Windows Server 2022 - fully updated
   
7. Windows Server 2019 - fully updated 
8. Windows Server 2016 - fully updated 
9. Windows Server 2012 fully updated with ESU 2
   
10. Windows Server 2012 R2 fully updated with ESU 2

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

 

Did you know 0patch will security-adopt Windows 10 and Office 2016/2019 when they go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.