Wednesday, February 11, 2026

Micropatches released for Windows Telephony Service Elevation of Privilege Vulnerability (CVE-2024-43626)

Our new CVE tracking app has been working hard these days, finding things our poor human eyes were unable or too tired to see. In this case, it alerted us about a vulnerability that was described in an article about another vulnerability we had long since patched.

CVE-2024-43626, a privilege escalation vulnerability in Windows Telephony Service, was described in an article by Đào Tuấn Linh of Starlabs. The article was primarily about CVE-2024-26230, which we had patched in August 2024, but it also mentioned a related issue CVE-2024-43626, reportedly co-analyzed by Chen Le Qi of Starlabs. While the proof-of-concept was only provided for the "main" vulnerability, we were able to modify it to trigger the secondary one.

The Vulnerability 

The vulnerability is in the way Windows Telephony Service reads a registry value into memory: the value can be loaded without its trailing zero terminator. Should this happen, a subsequent _wcsupr operation would upper-case the string beyond the end of the buffer, potentially corrupting the memory there in such a way as to lead to arbitrary code execution.

Microsoft's Patch

Microsoft's patch modified the vulnerable code so that it correctly reads the registry value and makes sure it is zero-terminated.
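To make the bug class concrete, here is an added, portable C model of it (example code written for this post, not 0patch's or Microsoft's code). It assumes a constructed registry value stored without its terminator and uses a towupper loop in place of the Windows-only _wcsupr; wchar_t is the host's width, not Windows' 16-bit WCHAR.

```c
/* Added example: REG_SZ data read from the registry is not guaranteed to carry
 * a terminating NUL. A loader that copies exactly the reported byte count and
 * then upper-cases in place (_wcsupr on Windows) walks off the end of the
 * buffer. The hardened loader reserves one extra wchar_t and writes the
 * terminator itself, which is what the fix described above amounts to. */
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Model of the vulnerable read: a copy of exactly `cb` bytes, nothing more.
 * Returns NULL on allocation failure. */
static wchar_t *load_value_unterminated(const unsigned char *data, size_t cb) {
    wchar_t *buf = malloc(cb);
    if (buf == NULL) return NULL;
    memcpy(buf, data, cb);
    return buf;   /* no terminator: wcslen / _wcsupr may read past cb */
}

/* Hardened read: reserve room for a terminator and always write it, so a value
 * stored without a trailing NUL still yields a well-formed string. */
static wchar_t *load_value_terminated(const unsigned char *data, size_t cb) {
    size_t nchars = cb / sizeof(wchar_t);   /* a trailing odd byte is dropped */
    wchar_t *buf = malloc((nchars + 1) * sizeof(wchar_t));
    if (buf == NULL) return NULL;
    memcpy(buf, data, nchars * sizeof(wchar_t));
    buf[nchars] = L'\0';
    return buf;
}

/* Portable stand-in for _wcsupr: upper-cases until the terminator, so its
 * safety depends entirely on the terminator being present. */
static void upper_in_place(wchar_t *s) {
    for (; *s != L'\0'; s++) *s = (wchar_t)towupper((wint_t)*s);
}

/* Constructed sample: the string "sample" stored WITHOUT its NUL terminator,
 * the shape of registry data that triggers the bug. */
static const wchar_t sample_chars[] = { L's', L'a', L'm', L'p', L'l', L'e' };
#define SAMPLE_CB (sizeof(sample_chars))

/* Returns 1 if the vulnerable loader's buffer contains no NUL at all, i.e.
 * any string routine run on it would read beyond the allocation. */
int vulnerable_loader_lacks_terminator(void) {
    wchar_t *v = load_value_unterminated((const unsigned char *)sample_chars, SAMPLE_CB);
    if (v == NULL) return 0;
    int lacks = wmemchr(v, L'\0', SAMPLE_CB / sizeof(wchar_t)) == NULL;
    free(v);
    return lacks;
}

/* Returns 1 if the hardened loader yields a terminated, upper-cased string. */
int hardened_loader_is_safe(void) {
    wchar_t *v = load_value_terminated((const unsigned char *)sample_chars, SAMPLE_CB);
    if (v == NULL) return 0;
    upper_in_place(v);
    int ok = wcslen(v) == 6 && wcscmp(v, L"SAMPLE") == 0;
    free(v);
    return ok;
}
```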

Our Patch

Our patch is logically identical to Microsoft's. 

Let's see our patch in action. First, a low-privileged user launches the POC while 0patch is disabled, which results in crashing the Telephony Service. With 0patch enabled, the POC fails to crash the service.

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  11. Windows Server 2012 - fully updated with no ESU or ESU 1
  12. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 


Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Đào Tuấn Linh and Chen Le Qi of Starlabs for discovering this vulnerability and publishing their analysis, which allowed us to create a patch and protect 0patch users against this issue.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.

Tuesday, February 3, 2026

Micropatches released for Microsoft Excel Remote Code Execution Vulnerability (CVE-2025-62203)

November 2025 Windows Updates brought a patch for CVE-2025-62203, a remote code execution vulnerability in Microsoft Excel that could allow a remote attacker to have their malicious code executed on the user's computer upon opening an Excel file.

The vulnerability was discovered and reported to Microsoft by Quan Jin with DBAPPSecurity.

The Vulnerability 

The vulnerability is a use-after-free issue, whereby opening a malicious Excel document results in an already freed memory block being freed again, corrupting the heap. A carefully constructed document could potentially exploit this fact for arbitrary code execution.

The attacker would have to convince the user to open their malicious Excel document. Upon opening the document, Excel complains that the document was damaged and offers to recover it; choosing "Yes" to start the recovery process leads to the vulnerability being triggered. 

Among our security-adopted Office versions, we found this vulnerability to affect not only Office 2016 and 2019 click-to-run, but also Office 2013. Office 2010 is not affected. 

Microsoft's Patch

Microsoft changed a lot of code in excel.exe, making it hard to identify which of the changes were associated with this issue. Fixing use-after-free issues "by the book" sometimes requires many changes in various parts of the code; instead of trying to untangle these changes, we decided to take our time-tested approach to patching this type of issue.

Our Patch

Our time-tested approach is to remove the superfluous free call. We've done this many times before, and admittedly this approach can lead to a small memory leak (unused memory being left allocated, so Excel consumes a little more memory each time execution passes through our patch). However, we assessed that under normal circumstances the accumulated leak would be very small, and it is of course reset to zero each time the Excel application is closed. In addition, the memory leak is likely to occur only in the additional excel.exe process launched to recover the document in the background, which is closed after recovery anyway.

Let's see our patch in action on a fully updated Excel 2019 click-to-run, which we security-adopted last October when it received its last official security patches. First, the user opens the malicious poc.xls document while 0patch is disabled and agrees to have Excel recover it, which results in Excel crashing (as indicated in the Application Event log). With 0patch enabled, doing the same fails to crash Excel.

Micropatch Availability

Micropatches were written for the following 32-bit and 64-bit security-adopted Microsoft Office versions:

  1. Microsoft Office 2019 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  2. Microsoft Office 2016 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  3. Microsoft Office 2013 - updated with all available updates

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Quan Jin with DBAPPSecurity for sharing vulnerability details and POC, which allowed us to create a patch for this issue and protect our users.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.

Wednesday, January 28, 2026

Micropatches Released for Microsoft Office Security Feature Bypass Vulnerability (CVE-2026-21509)

Two days ago, Microsoft released an emergency update for Microsoft Office, resolving CVE-2026-21509, a vulnerability in Office that was found to be exploited in the wild. Microsoft's advisory initially stated that vulnerability details were publicly disclosed, but later reversed that claim. The advisory provided very little information on the vulnerability but it did provide mitigation recommendations for those who can't immediately apply the update.

These recommendations indicate the vulnerability relies on the ability to embed a Shell.Explorer.1 OLE object (Windows Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}) in an Office document. This object is actually an embedded Internet Explorer or Windows Explorer component, and has been an instrument of various exploits and security tricks in the past. Most notably, Yorick Koster wrote a very good article back in 2018 about embedding such objects in Office documents, and how double-clicking such an embedded object and confirming an (admittedly not too scary-looking) security warning resulted in launching an arbitrary executable on the user's computer.

Interestingly, exploits described in Yorick's 2018 article still worked on fully updated Microsoft Office until two days ago*, with the January 26, 2026 update disabling them - either intentionally or as a side effect.

So did Microsoft decide to patch Yorick's 2018 exploits in 2026 once exploitation has been detected? Only they know, but it seems unlikely that they'd urgently patch something that required a user to double-click something in a document and then also click through a security warning.

(* As Will Dormann noticed, Microsoft did provide some form of protection against this issue outside of Office updates, likely through Windows Defender, but we have no information on when they did that.)

Microsoft's Patch

We don't know what exactly Microsoft patched with the January 26, 2026 Office update. There are multiple changes in Office binaries, none of which immediately seems like an obvious patch, and said update also didn't set a "kill bit" for Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}. We therefore decided not to investigate that further, also because even if we did locate their patch, we'd still need a POC to reproduce the vulnerability and test our own patch. No POC was available at the time of this writing - or if it was available in some malware repository such as VirusTotal, it could not be identified based on available information.

Importantly, Microsoft patched this issue for still-supported Office versions, but also for "volume licensed" (MSI) versions of Office 2016 and 2019 - even though they went out of support in October 2025. Remember, volume licensed Office versions are getting updates via Windows Update, and Microsoft announced that these versions may still receive additional security patches after their end-of-support date.

In contrast, click-to-run Office 2016 and 2019 versions actually stopped receiving Microsoft's patches after October 2025, and have not received official patches for this vulnerability (nor did Office 2010 and Office 2013, which we're still providing security patches for). Therefore, we developed our own patches for these versions and issued them today.

Our Patch

Our patch implements Microsoft's workaround from their advisory: it emulates the kill bit for Class ID {EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}, effectively preventing embedded OLE objects of this class from being launched. This is presumably a wider countermeasure that prevents exploitation of CVE-2026-21509 but may also block some other uses of the same OLE object. We find it hard to imagine a legitimate and functional use of this object in an Office document, so we actually prefer such a wider approach.

After our patch is applied, opening an embedded Shell.Explorer.1 OLE object in an Office document will be blocked and will result in the following dialog:  

Note that our patches are the only available patches for Office 2016 and 2019 click-to-run, which we had security-adopted last October. We will provide these security patches for at least 3 years (longer if demand lasts) to help Office 2016 and 2019 users keep their security posture up. Note that at some point, Microsoft will stop providing security updates for volume licensed 2016 and 2019 versions as well, at which point our security patches will be the only patches for these as well. If you're using volume licensed Office versions, keep applying Microsoft's updates, as our future patches for these will be written for "fully-updated" Office.

Micropatch Availability

Micropatches were written for the following 32-bit and 64-bit security-adopted Microsoft Office versions:

  1. Microsoft Office 2019 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  2. Microsoft Office 2016 click-to-run - updated with all available updates (version 2508, build 19127.20302)
  3. Microsoft Office 2013 - updated with all available updates
  4. Microsoft Office 2010 - updated with all available updates 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support in October 2025, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.

Tuesday, January 6, 2026

Micropatches Released for Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability (CVE-2025-47987)

July 2025 Windows Updates brought a patch for CVE-2025-47987, a privilege escalation vulnerability in Windows Credential Security Support Provider that could allow a local low-privileged attacker to execute arbitrary code as Local System user. The vulnerability was discovered and reported to Microsoft by Erik Egsgard with Field Effect.

Subsequently, security researcher Kryptoenix reverse-engineered Microsoft's patch and published a detailed analysis of this vulnerability and shared a proof-of-concept.

The Vulnerability 

The vulnerability is a heap-based buffer overflow that occurs because of a numeric overflow when the length of user-supplied data is calculated. The numeric overflow makes the result a small number, so the buffer allocated for the user-supplied data ends up being too small for the data. When the data is copied into the buffer, adjacent memory blocks on the heap are overwritten, which in the case of the proof-of-concept (POC) results in memory corruption and a crash of lsass.exe; a carefully crafted data block could lead to arbitrary code execution as Local System.

Microsoft's Patch

Microsoft's patch replaced the unsafe addition operation with a call to a safe addition function that detects an overflow and terminates the processing of such user-supplied data.
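The length-calculation bug class and the checked-addition fix, as an added C model written for this post (not Microsoft's or 0patch's code). The header size, field layout and the checked-add helper are constructed assumptions; the helper plays the role the text assigns to Microsoft's safe addition function.

```c
/* Added example: a length derived from attacker-controlled input is summed
 * with a fixed header size in 32-bit arithmetic. If the sum wraps, the heap
 * allocation is tiny while the copy still uses the large original length,
 * which is the heap overflow described above. The hardened path performs a
 * checked addition and rejects the message on overflow instead of allocating. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define HEADER_SIZE 16u   /* constructed fixed overhead placed before the payload */

/* Checked 32-bit addition: returns 0 and leaves *out untouched on wrap-around. */
static int safe_add_u32(uint32_t a, uint32_t b, uint32_t *out) {
    if (a > UINT32_MAX - b) return 0;
    *out = a + b;
    return 1;
}

/* Vulnerable sizing: plain uint32_t arithmetic, so a payload_len close to
 * UINT32_MAX produces a total that is smaller than payload_len itself. */
uint32_t vulnerable_total_size(uint32_t payload_len) {
    return payload_len + HEADER_SIZE;   /* silently wraps */
}

/* Returns 1 when the vulnerable path would allocate less than it later copies. */
int vulnerable_allocates_too_small(uint32_t payload_len) {
    return vulnerable_total_size(payload_len) < payload_len;
}

/* Hardened sizing: returns 1 and sets *total on success, 0 on overflow. */
int hardened_total_size(uint32_t payload_len, uint32_t *total) {
    return safe_add_u32(payload_len, HEADER_SIZE, total);
}

/* Model of the hardened handler: size check, allocate, then copy. Returns the
 * allocated length, or 0 when the message is rejected. `payload` is read only
 * after the check passes, so a bogus huge length never reaches memcpy. */
uint32_t hardened_handle(const uint8_t *payload, uint32_t payload_len) {
    uint32_t total;
    if (!hardened_total_size(payload_len, &total)) return 0;   /* reject */
    uint8_t *buf = malloc(total);
    if (buf == NULL) return 0;
    memset(buf, 0, HEADER_SIZE);
    memcpy(buf + HEADER_SIZE, payload, payload_len);   /* fits: total >= payload_len */
    free(buf);
    return total;
}
```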

Our Patch

Our patch is logically identical to Microsoft's. 

Let's see our patch in action. First, a low-privileged user launches the POC while 0patch is disabled, which results in crashing lsass.exe. With 0patch enabled, the POC fails to crash lsass.exe (although it reports success).

Micropatch Availability

Micropatches were written for the following security-adopted Windows versions:

  1. Windows 11 v21H2 - fully updated
  2. Windows 10 v21H2 - fully updated
  3. Windows 10 v21H1 - fully updated
  4. Windows 10 v20H2 - fully updated
  5. Windows 10 v2004 - fully updated
  6. Windows 10 v1909 - fully updated
  7. Windows 10 v1809 - fully updated
  8. Windows 10 v1803 - fully updated
  9. Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
  10. Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
  11. Windows Server 2012 - fully updated with no ESU or ESU 1
  12. Windows Server 2012 R2 - fully updated with no ESU or ESU 1 

Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).

Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.

We'd like to thank Erik Egsgard with Field Effect for discovering this vulnerability, and Kryptoenix for analyzing it and publishing their analysis and proof-of-concept, which allowed us to create a patch and protect 0patch users against this issue.

If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.

Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.

To learn more about 0patch, please visit our Help Center.