July 2025 Windows Updates brought a patch for CVE-2025-47987, a privilege escalation vulnerability in the Windows Credential Security Support Provider that could allow a local low-privileged attacker to execute arbitrary code as the Local System user. The vulnerability was discovered and reported to Microsoft by Erik Egsgard with Field Effect.
Subsequently, security researcher Kryptoenix reverse-engineered Microsoft's patch and published a detailed analysis of this vulnerability and shared a proof-of-concept.
The Vulnerability
The vulnerability is a heap-based buffer overflow caused by a numeric overflow when the length of the user-supplied data is calculated. The numeric overflow wraps the result to a small number, so the buffer allocated for the user-supplied data ends up being too small for the data. When the data is copied into the buffer, adjacent memory blocks on the heap are overwritten, which in the case of the proof-of-concept (POC) results in memory corruption and a crash of lsass.exe, but a carefully crafted data block could lead to arbitrary code execution as Local System.
Microsoft's Patch
Microsoft's patch replaced the unsafe addition operation with a call to a safe addition function that detects an overflow and terminates the processing of such user-supplied data.
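To make the arithmetic behind the bug and the fix concrete, here is an added illustration that is not code from the original post, from Microsoft, or from 0patch. It uses a constructed, hypothetical record layout (a 16-byte header followed by a caller-supplied payload length) rather than CredSSP's real wire format, and it never performs the out-of-bounds copy; it only shows how a wrapping 32-bit addition yields an undersized allocation, and how a checked addition (here GCC/Clang's `__builtin_add_overflow`, standing in for the safe addition function the patch introduces) rejects such input instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a length-prefixed record: a fixed header
 * followed by payload_len bytes supplied by the caller. This layout is
 * hypothetical and only serves to illustrate the length arithmetic. */
#define HEADER_SIZE 16u

/* Unsafe pattern: a plain 32-bit addition wraps silently. When
 * payload_len is close to UINT32_MAX, HEADER_SIZE + payload_len wraps
 * to a tiny value, so the allocation is far smaller than the number of
 * bytes that would later be copied into it. */
static uint32_t unsafe_total_size(uint32_t payload_len) {
    return HEADER_SIZE + payload_len;
}

/* Checked pattern: detect the overflow and report it instead of
 * wrapping. Returns true on success and stores the exact total. */
static bool safe_total_size(uint32_t payload_len, uint32_t *out_total) {
    return !__builtin_add_overflow(HEADER_SIZE, payload_len, out_total);
}

/* Would the unsafe path allocate a buffer smaller than the payload?
 * If so, the subsequent copy would run past the heap block. */
static bool unsafe_path_undersizes(uint32_t payload_len) {
    return unsafe_total_size(payload_len) < payload_len;
}

/* Checked total, or 0 when the length cannot be represented. */
static uint32_t hardened_total(uint32_t payload_len) {
    uint32_t total;
    return safe_total_size(payload_len, &total) ? total : 0;
}

/* Hardened allocation: returns NULL (input rejected) when the length
 * arithmetic overflows, otherwise a zeroed buffer of the checked size.
 * out_total may be NULL. The caller frees the buffer. */
static uint8_t *hardened_alloc(uint32_t payload_len, uint32_t *out_total) {
    uint32_t total;
    if (!safe_total_size(payload_len, &total))
        return NULL;
    uint8_t *buf = calloc(total, 1);
    if (buf && out_total)
        *out_total = total;
    return buf;
}

int main(void) {
    /* Constructed hostile length: with a 16-byte header it wraps to 11. */
    uint32_t bad = UINT32_MAX - 4;
    printf("unsafe size for payload of %u bytes: %u (undersized: %s)\n",
           bad, unsafe_total_size(bad),
           unsafe_path_undersizes(bad) ? "yes" : "no");

    uint32_t total = 0;
    uint8_t *buf = hardened_alloc(bad, &total);
    printf("hardened path: %s\n",
           buf ? "allocated" : "rejected, overflow detected");
    free(buf);

    buf = hardened_alloc(1024, &total);
    printf("hardened path for a 1024-byte payload: total = %u\n", total);
    free(buf);
    return 0;
}
```

The defensive point is that the check belongs where the length is computed, before any allocation size is derived from it: once a wrapped value has reached the allocator, no later bounds check on the copy can recover the intended size.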
Our Patch
Our patch is logically identical to Microsoft's.
Let's see our patch in action. First, a low-privileged user launches the POC while 0patch is disabled, which crashes lsass.exe. With 0patch enabled, the POC fails to crash lsass.exe (although it still reports success).
Micropatch Availability
Micropatches were written for the following security-adopted Windows versions:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
- Windows Server 2012 - fully updated with no ESU or ESU 1
- Windows Server 2012 R2 - fully updated with no ESU or ESU 1
Micropatches have already been distributed to, and applied on, all affected online computers with 0patch Agent in PRO or Enterprise accounts (unless Enterprise group settings prevented that).
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that are no longer receiving official security updates, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
We'd like to thank Erik Egsgard with Field Effect for discovering this vulnerability, and Kryptoenix for analyzing it and publishing their analysis and proof-of-concept, which allowed us to create a patch and protect 0patch users against this issue.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
Did you know 0patch security-adopted Windows 10 and Office 2016 and 2019 when they went out of support this month, allowing you to keep using them for at least 3 more years (5 years for Windows 10)? Read more about it here and here.
To learn more about 0patch, please visit our Help Center.
