Thursday, May 29, 2025

Micropatches Released for Preauth DoS on Windows Deployment Service (CVE-2025-29957)

 


May 2025 Windows updates brought a fix for CVE-2025-29957, a denial of service vulnerability allowing an attacker in the network to easily consume all available memory on a Windows Server with Windows Deployment Service installed. This could leave the server unable to provide Windows deployment services as well as other services, such as network file sharing, printing, or other server functionality based on its configured server roles.

The vulnerability was reported to Microsoft by security researchers R4nger & Zhiniang Peng.

 

Microsoft's Patch

Microsoft patched this issue by properly freeing allocated memory on each remote session initiation.

 

Our Micropatch

Our patch does the exact same thing as Microsoft's.


Micropatch Availability

Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:

  1. Windows Server 2012 - fully updated without ESU, with ESU 1
  2. Windows Server 2012 R2 - fully updated without ESU, with ESU 1

 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that). 

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using a Windows version that isn't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

We would like to thank security researcher Zhiniang Peng for publishing their analysis, which made it possible for us to create a micropatch for this issue.

Did you know 0patch will security-adopt Windows 10 and Office 2016/2016 when they go out of support in October 2025, allowing you to keep using them for at least 5 more years? Read more about it here.

To learn more about 0patch, please visit our Help Center.
