0patch

Critical security patches for Windows, 0patch.com

2025-06-16

This exploited-in-the-wild issue is an interesting twist on binary planting that we were working on a decade and a half ago. The DLL/EXE search order just keeps on giving (to attackers, that is). binaryplanting.com

It turned out that all our security-adopted Windows versions were affected by this issue, so we created micropatches for them all. These are already distributed and applied to all online affected systems.

We would like to thank security researchers Alexandra Gofman and David Driker with @_cpresearch_ for detecting the exploitation and publishing their analysis, which made it possible for us to create a micropatch for this issue.

2025-06-16

Micropatches Released for WEBDAV Remote Code Execution Vulnerability (CVE-2025-33053) blog.0patch.com/2025/06/microp

2025-05-29

CVE-2025-29957 is a denial of service vulnerability allowing an attacker in the network to easily consume all available memory on a Windows Server with Windows Deployment Service installed. Our patch properly frees memory allocated by incoming requests (just like Microsoft's).

We would like to thank security researcher Zhiniang Peng (@edwardzpeng) for publishing their analysis, which made it possible for us to create a micropatch for this issue.

2025-05-29

Micropatches Released for Preauth DoS on Windows Deployment Service (CVE-2025-29957) blog.0patch.com/2025/05/microp

2025-05-26

We would like to thank security researcher Aliakbar Zahravi (@aliakbarzahravi) with Trend Micro for publishing their analysis, which made it possible for us to create a micropatch for this issue.

2025-05-26

Micropatches Released for Microsoft Management Console Security Feature Bypass Vulnerability (CVE-2025-26633) blog.0patch.com/2025/05/microp

2025-05-22

How MSPs Can Handle Windows 10 End of Support with 0patch
blog.0patch.com/2025/05/how-ca

2025-04-29

There are apparently still many Windows 7 and Windows Server 2008 R2 machines out there. Let's get them patched!

2025-04-29

Due to (wow!) growing demand, we've decided to extend support for Windows 7 and Windows Server 2008 R2 with security patches for another year (Jan/2027). Reminder: our security patches are the only security patches existing for these Windows versions.
support.0patch.com/hc/en-us/ar

2025-04-16

This issue is one of many issues causing an NTLM hash leak using a malicious URL file. We found it had been fixed by Microsoft with July 2023 updates, but we could not map it to a specific CVE (therefore "Unknown CVE").

The issue, however, still affects various older Windows systems that we have security-adopted, so we created patches for them.

We'd like to thank our sources researching various NTLM hash leak issues:
1) @domchell of @mdseclabs - mdsec.co.uk/2021/02/farming-fo
2) @yorickkoster of @securifybv - securify.nl/en/blog/living-off
3) @Swepstopia: swepstopia.com/url-file-attack/

2025-04-16

Micropatches Released for URL File NTLM Hash Disclosure Vulnerability (Unknown CVE)

2025-04-16

Analysis: cti.monster/blog/2025/03/18/CV
POC: github.com/0x6rss/CVE-2025-240
Microsoft Advisory: msrc.microsoft.com/update-guid

IMPORTANT: this issue was initially assigned CVE-2025-24071 and subsequently updated to CVE-2025-24054.

We'd like to thank @0x6rss for sharing their analysis and POC, which allowed us to create patches for Windows versions that no longer receive Microsoft's updates (Windows 7 - Windows 10 v21H2, Server 2008 R2 - Server 2012 R2).

2025-04-16

Micropatches Released for NTLM Hash Disclosure Spoofing Vulnerability (CVE-2025-24054)

2025-04-14

[Update 4/14/2025] April 2025 Windows Updates brought a fix for this issue on Windows Server 2012 R2 and assigned it CVE-2025-27472. However, the same updates not only did not fix this issue on Server 2012 but rather broke another security measure that was working before.

We reported this to Microsoft and will not reveal details until they have fixed their flawed fix. On Windows Server 2012 R2, users with 0patch have had this issue patched for 131 days before receiving an official fix by Microsoft, even if subscribed to Extended Security Updates.

Of course we also issued a micropatch to correct the flawed fix.

0patch boosted:
happygeek :unverified: + :verified: = $0 (happygeek@infosec.exchange)
2025-04-14

By me @Forbes: Maybe Microsoft just needs to buy @0patch and be done with it? The security hotpatching needs of the many outweigh the needs of the few, as Mr Spock so famously said.

#infosec

forbes.com/sites/daveywinder/2

2025-03-25

While patching another SCF File NTLM hash disclosure issue (blog.0patch.com/2025/03/microp) on our security-adopted Windows versions, our researchers discovered a related issue on all Windows versions from Windows 7 and Server 2008 R2 to the latest Windows 11 v24H2 and Server 2025.

We reported this issue to Microsoft, and, as always, issued micropatches for it that will remain free until Microsoft has provided an official fix. We're withholding details on this vulnerability until Microsoft's fix becomes available to prevent malicious exploitation.

Currently, 40% of our users are using 0patch on still-supported Windows versions for protection against 0day and "wont fix" vulnerabilities, while others use 0patch for keeping their legacy Windows systems and Office versions secure with our security patches.

2025-03-25

Micropatches released for SCF File NTLM Hash Disclosure Vulnerability (0day) - and Free Micropatches for it
blog.0patch.com/2025/03/scf-fi

2025-03-07

We would like to thank Bosko Stankovic (linkedin.com/in/boskostankovic/) of DefenseCode for sharing their analysis, which made it possible for us to create a micropatch for this issue.

2025-03-07

Micropatches Released for SCF File NTLM Hash Disclosure Vulnerability (No CVE) blog.0patch.com/2025/03/microp

2025-02-13

We'd like to thank Peter Girnus (@gothburz) with @thezdi for sharing vulnerability details, which allowed us to reproduce it and create a micropatch
