[{"data":1,"prerenderedAt":1236},["ShallowReactive",2],{"I-maWsoucveWH7VpbVdiZ9YJQaZbJd1SsPfUgTAv7BA":3,"i-custom:keyboard-arrow-down":704,"i-custom:check":708,"i-custom:north-east":710,"BYEm5tGenJDNwJcdwkByoll73dv0yjatcbn17sV733s":712},{"_site":4,"allMenuCtas":33,"allMenuItems":43,"allFooterMenuItems":207,"allFooterLinks":259,"allProductCategories":263,"allPlans":277,"allPatchCategories":288,"allCountries":622,"allPartnerCategories":664,"topBar":674,"allSocialLinks":695},{"globalSeo":5,"favicon":8,"faviconMetaTags":10,"locales":31},{"siteName":6,"titleSuffix":7},"0patch"," | 0patch",{"url":9},"https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg",[11,19,23,27],{"tag":12,"attributes":13,"content":18},"link",{"sizes":14,"type":15,"rel":16,"href":17},"16x16","image/svg","icon","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=16&w=16",null,{"tag":12,"attributes":20,"content":18},{"sizes":21,"type":15,"rel":16,"href":22},"32x32","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=32&w=32",{"tag":12,"attributes":24,"content":18},{"sizes":25,"type":15,"rel":16,"href":26},"96x96","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=96&w=96",{"tag":12,"attributes":28,"content":18},{"sizes":29,"type":15,"rel":16,"href":30},"192x192","https://www.datocms-assets.com/166020/1758709113-0patch_logo.svg?auto=format&h=192&w=192",[32],"en",[34],{"id":35,"title":36,"reference":37,"externalLink":40,"variant":41,"publishTranslation":42},"7540649","Buy now",{"_modelApiKey":38,"slug":39},"page","pricing","","primary-green",true,[44,52,59,66,86,92,99,103,109,117,123,130,135,149,155,169,175],{"id":45,"children":46,"externalLink":40,"parent":47,"reference":49,"title":51,"description":40,"publishTranslation":42},"HC0Jv04qRuKuZzHWgfUcNw",[],{"id":48},"IL3SSc5ySpu4strWvTvZ_A",{"_modelApiKey":38,"slug":50},"in-the-media","In the media",{"id":53,"children":54,"externalLink":55,"parent":56,"reference":18,"title":58,"description":40,"publishTranslation":42},"Lf_fG7sJTeyY-YwXgCZM6A",[],"https://dist.0patch.com/download/latestagent",{"id":57},"InIESymQQManhdOiSJWRAA","Download 0patch Agent",{"id":60,"children":61,"externalLink":62,"parent":63,"reference":18,"title":65,"description":40,"publishTranslation":42},"H1wOcewmTj2BFNcm_3S4Pg",[],"https://support.0patch.com/hc/en-us/sections/22259984868242",{"id":64},"SWaM0xVVRG-TtXEDSCe6CA","User Manual",{"id":48,"children":67,"externalLink":40,"parent":83,"reference":18,"title":85,"description":40,"publishTranslation":42},[68,72],{"id":45,"title":51,"description":40,"parent":69,"reference":70,"externalLink":40,"publishTranslation":42,"children":71},{"id":48},{"_modelApiKey":38,"slug":50},[],{"id":73,"title":74,"description":74,"parent":75,"reference":76,"externalLink":40,"publishTranslation":42,"children":82},"GYvRoN-xQrK53JU9hoMC9g","From our blog",{"id":48},{"_modelApiKey":77,"slug":78,"title":79,"createdAt":80,"published":81},"article","micropatches-released-for-windows-storage-elevation-of-privilege-vulnerability-cv","Micropatches released for Windows Storage Elevation of Privilege Vulnerability (CVE-2026-21508)","2026-04-04T11:50:51+02:00","2026-03-31T00:00:00+02:00",[],{"id":84},"136494748","Featured",{"id":87,"children":88,"externalLink":40,"parent":18,"reference":89,"title":91,"description":40,"publishTranslation":42},"7537370",[],{"_modelApiKey":38,"slug":90},"windows10","Windows 10",{"id":93,"children":94,"externalLink":95,"parent":96,"reference":18,"title":97,"description":98,"publishTranslation":42},"KNhSd6vgR2mx15df8jrG1g",[],"https://support.0patch.com/hc/en-us",{"id":57},"Help Center","All sections",{"id":73,"children":100,"externalLink":40,"parent":101,"reference":102,"title":74,"description":74,"publishTranslation":42},[],{"id":48},{"_modelApiKey":77,"slug":78,"createdAt":80,"title":79,"published":81},{"id":104,"children":105,"externalLink":106,"parent":107,"reference":18,"title":108,"description":40,"publishTranslation":42},"YlQq8EI3S3Cjo6bX8KwScg",[],"https://www.0patch.com/files/0patch_End_User_License_Agreement.pdf",{"id":64},"License agreement",{"id":110,"children":111,"externalLink":40,"parent":112,"reference":113,"title":115,"description":116,"publishTranslation":42},"7537375",[],{"id":57},{"_modelApiKey":38,"slug":114},"contact","Contact us","Form demo",{"id":118,"children":119,"externalLink":40,"parent":18,"reference":120,"title":122,"description":40,"publishTranslation":42},"LT3XEcT4ToWK-CGDxHIvxA",[],{"_modelApiKey":38,"slug":121},"patches","Patches",{"id":124,"children":125,"externalLink":40,"parent":126,"reference":127,"title":129,"description":40,"publishTranslation":42},"C_hUUxSzRlWzUZJZiQKLWg",[],{"id":64},{"_modelApiKey":38,"slug":128},"privacy","Privacy policy",{"id":131,"children":132,"externalLink":40,"parent":18,"reference":133,"title":134,"description":40,"publishTranslation":42},"M7H9KVRYQbWzdi5przLT7w",[],{"_modelApiKey":38,"slug":39},"Pricing",{"id":57,"children":136,"externalLink":40,"parent":147,"reference":18,"title":148,"description":40,"publishTranslation":42},[137,140,143],{"id":53,"title":58,"description":40,"parent":138,"reference":18,"externalLink":55,"publishTranslation":42,"children":139},{"id":57},[],{"id":93,"title":97,"description":98,"parent":141,"reference":18,"externalLink":95,"publishTranslation":42,"children":142},{"id":57},[],{"id":110,"title":115,"description":116,"parent":144,"reference":145,"externalLink":40,"publishTranslation":42,"children":146},{"id":57},{"_modelApiKey":38,"slug":114},[],{"id":84},"Support",{"id":150,"children":151,"externalLink":40,"parent":18,"reference":152,"title":154,"description":40,"publishTranslation":42},"7540650",[],{"_modelApiKey":38,"slug":153},"blog","Blog",{"id":64,"children":156,"externalLink":40,"parent":167,"reference":18,"title":168,"description":40,"publishTranslation":42},[157,160,163],{"id":60,"title":65,"description":40,"parent":158,"reference":18,"externalLink":62,"publishTranslation":42,"children":159},{"id":64},[],{"id":104,"title":108,"description":40,"parent":161,"reference":18,"externalLink":106,"publishTranslation":42,"children":162},{"id":64},[],{"id":124,"title":129,"description":40,"parent":164,"reference":165,"externalLink":40,"publishTranslation":42,"children":166},{"id":64},{"_modelApiKey":38,"slug":128},[],{"id":84},"Documents",{"id":170,"children":171,"externalLink":40,"parent":18,"reference":172,"title":174,"description":40,"publishTranslation":42},"SH5u-VrlQeKwYFXpbtstHw",[],{"_modelApiKey":38,"slug":173},"partners","Partners",{"id":84,"children":176,"externalLink":40,"parent":18,"reference":18,"title":206,"description":40,"publishTranslation":42},[177,186,196],{"id":48,"title":85,"description":40,"parent":178,"reference":18,"externalLink":40,"publishTranslation":42,"children":179},{"id":84},[180,183],{"id":45,"title":51,"description":40,"parent":181,"reference":182,"externalLink":40,"publishTranslation":42},{"id":48},{"_modelApiKey":38,"slug":50},{"id":73,"title":74,"description":74,"parent":184,"reference":185,"externalLink":40,"publishTranslation":42},{"id":48},{"_modelApiKey":77,"slug":78,"createdAt":80,"title":79,"published":81},{"id":57,"title":148,"description":40,"parent":187,"reference":18,"externalLink":40,"publishTranslation":42,"children":188},{"id":84},[189,191,193],{"id":53,"title":58,"description":40,"parent":190,"reference":18,"externalLink":55,"publishTranslation":42},{"id":57},{"id":93,"title":97,"description":98,"parent":192,"reference":18,"externalLink":95,"publishTranslation":42},{"id":57},{"id":110,"title":115,"description":116,"parent":194,"reference":195,"externalLink":40,"publishTranslation":42},{"id":57},{"_modelApiKey":38,"slug":114},{"id":64,"title":168,"description":40,"parent":197,"reference":18,"externalLink":40,"publishTranslation":42,"children":198},{"id":84},[199,201,203],{"id":60,"title":65,"description":40,"parent":200,"reference":18,"externalLink":62,"publishTranslation":42},{"id":64},{"id":104,"title":108,"description":40,"parent":202,"reference":18,"externalLink":106,"publishTranslation":42},{"id":64},{"id":124,"title":129,"description":40,"parent":204,"reference":205,"externalLink":40,"publishTranslation":42},{"id":64},{"_modelApiKey":38,"slug":128},"Resources",[208,214,218,222,226,231,235,239,244,249,254],{"id":209,"column":210,"children":211,"externalLink":40,"parent":18,"reference":212,"title":122,"description":40,"publishTranslation":42},"Z7v-uM0cTOOBdk-s10IiJA",1,[],{"__typename":213,"_modelApiKey":38,"slug":121},"PageRecord",{"id":215,"column":210,"children":216,"externalLink":40,"parent":18,"reference":217,"title":134,"description":40,"publishTranslation":42},"Yr6Go03oTdSCq8pxdWdUsg",[],{"__typename":213,"_modelApiKey":38,"slug":39},{"id":219,"column":210,"children":220,"externalLink":40,"parent":18,"reference":221,"title":174,"description":40,"publishTranslation":42},"Ds1JBCIHQQKM3pJdA6ywFA",[],{"__typename":213,"_modelApiKey":38,"slug":173},{"id":223,"column":210,"children":224,"externalLink":40,"parent":18,"reference":225,"title":115,"description":40,"publishTranslation":42},"d9N0wsZhQsm7WLVqkmUWVQ",[],{"__typename":213,"_modelApiKey":38,"slug":114},{"id":227,"column":228,"children":229,"externalLink":40,"parent":18,"reference":230,"title":154,"description":40,"publishTranslation":42},"O9Oqpya5TZafs7o4l_8Nvg",2,[],{"__typename":213,"_modelApiKey":38,"slug":153},{"id":232,"column":228,"children":233,"externalLink":40,"parent":18,"reference":234,"title":51,"description":40,"publishTranslation":42},"QbA-8ChQT-eVxrfVlZzKaA",[],{"__typename":213,"_modelApiKey":38,"slug":50},{"id":236,"column":228,"children":237,"externalLink":95,"parent":18,"reference":18,"title":238,"description":40,"publishTranslation":42},"GcPu0RJNQu2cmfpL_Us1Lg",[],"Help center ",{"id":240,"column":228,"children":241,"externalLink":242,"parent":18,"reference":18,"title":243,"description":40,"publishTranslation":42},"NwREnz0XTvOJ93OHko_7xw",[],"https://status.0patch.com/","Status page",{"id":245,"column":228,"children":246,"externalLink":40,"parent":18,"reference":247,"title":248,"description":40,"publishTranslation":42},"UPh4X1tXRt24AhzNHaztFg",[],{"__typename":213,"_modelApiKey":38,"slug":114},"Write to support",{"id":250,"column":228,"children":251,"externalLink":252,"parent":18,"reference":18,"title":253,"description":40,"publishTranslation":42},"bUWsPw9eRvG4Ycl7j0yONg",[],"mailto:security@0patch.com","Report a security issue",{"id":255,"column":228,"children":256,"externalLink":257,"parent":18,"reference":18,"title":258,"description":40,"publishTranslation":42},"eB66OgJwSXSF0UWkhz1snQ",[],"https://www.0patch.com/files/0patch.asc","PGP KEY",[260],{"externalLink":40,"reference":261,"title":262,"publishTranslation":42},{"_modelApiKey":38,"slug":128},"Privacy",[264,269,273],{"__typename":265,"id":266,"name":267,"slug":268},"ProductCategoryRecord","Am0QLeVvQCuP42oCnhKABQ","Office","office",{"__typename":265,"id":270,"name":271,"slug":272},"VFAYSlgkRneu1oHcTKcpwQ","Server","server",{"__typename":265,"id":274,"name":275,"slug":276},"UNiVGxy_QViVXTpaSLXZlQ","Windows","windows",[278,282,285],{"__typename":279,"id":280,"title":281},"PlanRecord","T-QQY6XRSjeGbmXIK5kNCw","Free",{"__typename":279,"id":283,"title":284},"TOtXWfDyTjyO3H3OW_HRtQ","Professional",{"__typename":279,"id":286,"title":287},"KJjNQcHiRVa_mZqx_GtIrg","Enterprise",[289,423,520,561,605],{"__typename":290,"_allReferencingPatchesMeta":291,"_allReferencingPatches":293,"_modelApiKey":418,"name":419,"id":420,"slug":421,"icon":18,"supportDate":422},"PatchCategoryRecord",{"count":292},19,[294,302,310,317,325,333,340,346,352,358,364,370,376,382,388,394,400,406,412],{"id":295,"title":296,"description":297,"plans":298},"CHBzDqmWSkiUggiwCycMKQ","0day patches","\u003Cp>Patches for vulnerabilities the original vendor has not yet patched - both for legacy products and products that are still under official vendor support\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?type=0day\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our 0day patches\u003C/a>\u003C/strong>\u003C/p>",[299,300,301],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":303,"title":304,"description":305,"plans":306},"W1zipVenRuaCpMLlbChNkg","Free patches","\u003Cp>Patches for \"0day\" vulnerabilities are generally free until the vendor has provided an official fix\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?plan=free\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our free patches\u003C/a>\u003C/strong>\u003C/p>",[307,308,309],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":311,"title":312,"description":313,"plans":314},"JMf6o8nLRh2YNbSjeoWSbg","All patches","\u003Cp>All our patches we have ever issued, or will ever issue, including 0day and legacy patches\u003C/p>",[315,316],{"id":283,"title":284},{"id":286,"title":287},{"id":318,"title":319,"description":320,"plans":321},"N2SosqbOST-U5Q3FTqKT-g","Multi factor authentication (MFA)","\u003Cp>Require one-time code from an authenticator app when accessing 0patch Central\u003C/p>",[322,323,324],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":326,"title":327,"description":328,"plans":329},"Aurt0TQWT3qrx--H6Bvtnw","0patch console - local management","\u003Cp>0patch Agent is managed locally using 0patch Console application\u003C/p>",[330,331,332],{"id":280,"title":281},{"id":283,"title":284},{"id":286,"title":287},{"id":334,"title":335,"description":336,"plans":337},"dvNfP_7ZQ6uyUtJO3ADbJQ","Standard email support","\u003Cp>Email support with 24-hour response time\u003C/p>",[338,339],{"id":283,"title":284},{"id":286,"title":287},{"id":341,"title":342,"description":343,"plans":344},"DRZtt1FJQ2OW742_5ZdcOQ","Central management","\u003Cp>Centrally manage and monitor all your 0patch Agents from web-based 0patch Central\u003C/p>",[345],{"id":286,"title":287},{"id":347,"title":348,"description":349,"plans":350},"C7j04lkDSSmPT2ikq9grug","IP address allow-listing","\u003Cp>Restricting access to 0patch Central so only users connecting from approved IP addresses can use it\u003C/p>",[351],{"id":286,"title":287},{"id":353,"title":354,"description":355,"plans":356},"aLo8Rj7YQsufFNozN8C6lw","Unattended agent installation","\u003Cp>Deploy 0patch Agent remotely without user interaction\u003C/p>",[357],{"id":286,"title":287},{"id":359,"title":360,"description":361,"plans":362},"dJECbsVMSGm7_ObPWiWSDQ","Agent auto-registration","\u003Cp>0patch Agent can automatically register itself to your 0patch account\u003C/p>",[363],{"id":286,"title":287},{"id":365,"title":366,"description":367,"plans":368},"WHM0-Mj0Sr2WZ1LwhTI9Dw","Silent run","\u003Cp>0patch Agent operates entirely in the background without showing notifications or prompts to the user\u003C/p>",[369],{"id":286,"title":287},{"id":371,"title":372,"description":373,"plans":374},"Zjk5YWqcS2al2C2OTEH82w","Patching policies","\u003Cp>Select which patches are enabled for which groups of computers, and whether newly issued patches are initially enabled or disabled\u003C/p>",[375],{"id":286,"title":287},{"id":377,"title":378,"description":379,"plans":380},"DXTTXN2ITtmy-Bclo1_iKQ","Computer groups","\u003Cp>Organize your computers in groups to simplify management and apply different policies to different sets of computers\u003C/p>",[381],{"id":286,"title":287},{"id":383,"title":384,"description":385,"plans":386},"Vna1HyM9Q4-kwJshD0-4Ag","Multi user support","\u003Cp>Add any number of users to 0patch Central\u003C/p>",[387],{"id":286,"title":287},{"id":389,"title":390,"description":391,"plans":392},"MZheRUWKRHuS_M3sPAvxWw","User roles","\u003Cp>Assign different roles to 0patch Central users to limit their access\u003C/p>",[393],{"id":286,"title":287},{"id":395,"title":396,"description":397,"plans":398},"em07-dXcQ2Of2IhpZzUeDQ","Mandatory MFA","\u003Cp>Administrator can make multi factor authentication mandatory for all 0patch Central users\u003C/p>",[399],{"id":286,"title":287},{"id":401,"title":402,"description":403,"plans":404},"DJ9WqVROQWiRnUxDr8ckeQ","SAML single sign-on","\u003Cp>Login to 0patch Central through your identity provider using the SAML protocol\u003C/p>",[405],{"id":286,"title":287},{"id":407,"title":408,"description":409,"plans":410},"c73GoxWmTXS5muxHXFl3HA","SCIM provisioning","\u003Cp>Manage 0patch Central users with your identity provider using SCIM protocol\u003C/p>",[411],{"id":286,"title":287},{"id":413,"title":414,"description":415,"plans":416},"QM6mK9qtTBe5OtMWfVnvvg","Professional services","\u003Cp>Custom patches and additional professional services are available to large customers\u003C/p>",[417],{"id":286,"title":287},"patch_category","Features","T2nlr7wWS3eNfLE8hfA1ew","features","2025-12-05",{"__typename":290,"_allReferencingPatchesMeta":424,"_allReferencingPatches":426,"_modelApiKey":418,"name":504,"id":505,"slug":506,"icon":507,"supportDate":519},{"count":425},11,[427,434,441,448,455,462,469,476,483,490,497],{"id":428,"title":429,"description":430,"plans":431},"Wn-S2pccQbKHM4Qi_CFf0Q","Windows 11 22H2 patches","\u003Cp>Windows 11 22H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+11\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 11 patches\u003C/a>\u003C/strong>\u003C/p>",[432,433],{"id":283,"title":284},{"id":286,"title":287},{"id":435,"title":436,"description":437,"plans":438},"KLIOm9vRTpWNef0hEYPZRw","Windows 11 21H2 patches","\u003Cp>Windows 11 21H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+11\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 11 patches\u003C/a>\u003C/strong>\u003C/p>",[439,440],{"id":283,"title":284},{"id":286,"title":287},{"id":442,"title":443,"description":444,"plans":445},"Z-_sUVTSRcyneegSkg6tEg","Windows 10 22H2 post-EOS patches","\u003Cp>Windows 10 22H2 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[446,447],{"id":283,"title":284},{"id":286,"title":287},{"id":449,"title":450,"description":451,"plans":452},"OG3314TtS_mGEWsQ7I7rVg","Windows 10 21H2 patches","\u003Cp>Windows 10 21H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[453,454],{"id":283,"title":284},{"id":286,"title":287},{"id":456,"title":457,"description":458,"plans":459},"d-2ES_YuR7C4QuSmcXgi0Q","Windows 10 21H1 patches","\u003Cp>Windows 10 21H1 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[460,461],{"id":283,"title":284},{"id":286,"title":287},{"id":463,"title":464,"description":465,"plans":466},"R-A6Aep1TCCVLYwFbfK3Sw","Windows 10 20H2 patches","\u003Cp>Windows 10 20H2 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[467,468],{"id":283,"title":284},{"id":286,"title":287},{"id":470,"title":471,"description":472,"plans":473},"Dg4FaK9fS8KTa1o3Qhor6w","Windows 10 2004 patches","\u003Cp>Windows 10 2004 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[474,475],{"id":286,"title":287},{"id":283,"title":284},{"id":477,"title":478,"description":479,"plans":480},"MJlLPyxqTcy9ys2UaZYNKQ","Windows 10 v1909 patches","\u003Cp>Windows 10 1909 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[481,482],{"id":283,"title":284},{"id":286,"title":287},{"id":484,"title":485,"description":486,"plans":487},"GscjCa1TQOe5p5Or7g2qyw","Windows 10 v1809 patches","\u003Cp>Windows 10 1809 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[488,489],{"id":283,"title":284},{"id":286,"title":287},{"id":491,"title":492,"description":493,"plans":494},"OeQ8xMmJTmadIiPcKYkhvw","Windows 10 v1803 patches","\u003Cp>Windows 10 1803 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+10\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows 10 patches\u003C/a>\u003C/strong>\u003C/p>",[495,496],{"id":283,"title":284},{"id":286,"title":287},{"id":498,"title":499,"description":500,"plans":501},"Obe8z8snRYGoLT6BZyzhZw","Windows 7 post-EOS and post-ESU patches","\u003Cp>Windows 7 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>",[502,503],{"id":283,"title":284},{"id":286,"title":287},"Windows Patches","DXze3dvpTu-HF132vKjSug","microsoft-windows-xp",{"alt":508,"url":509,"width":510,"height":510,"responsiveImage":511},"Windows 11 logo","https://www.datocms-assets.com/166020/1764600963-win11.png",300,{"srcSet":512,"webpSrcSet":513,"sizes":514,"src":515,"width":516,"height":516,"aspectRatio":210,"alt":508,"title":18,"bgColor":517,"base64":518},"https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&fit=crop&h=40 40w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&h=40 60w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&h=40 80w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&h=40 120w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&h=40 160w","https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&h=40 40w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&fm=webp&h=40 60w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&fm=webp&h=40 80w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&fm=webp&h=40 120w,https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&fm=webp&h=40 160w","(max-width: 40px) 100vw, 40px","https://www.datocms-assets.com/166020/1764600963-win11.png?auto=compress&crop=focalpoint&fit=crop&h=40",40,"#0278cf","data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAAA51BMVEUAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtEAdtG9HcQcAAAATXRSTlMAAQIDBAUGBwkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY4OTo7PD0+P0BBQkNERUZHSEpLTE1OTwjw0A0AAAEqSURBVHjapZHbbsMgDIZNcMwhm7ZW097/+XrTToNwSGKPkraqtN3NCAn/H8LmN4L2LxbyOcMer0cHJcYF9UhEwHQH10yWBdAa7y0MJW5dN9NkQQsgTuS9UUMNoQM/eQcaGiBjRlJMpgNljWlPrSugiABc9yOkpSKYeBhYlZR2MSUjUtJc8EKlWpXP8379QpAhxVCRc56tSvdu4VSt5NhqtHPOTxXgonpBhF+xN/IHgP8AlO1ZYu5AO08ynx/ym+UUm7sf1MF4uumfhwZCKHgg70YZuXx1cDi+W3ZEBR0Zi7wZs4/JOmdEbaxRuC3hXrA7ezW/BaZNwco57SYuuWQlpdaK37SuxPH75m4IxJBjLBjrxpVjuHWbYptHnts8Kg+at1Lv/6hVt12XH8K5sGlN/hfaAAAAAElFTkSuQmCC","2025-06-25",{"__typename":290,"_allReferencingPatchesMeta":521,"_allReferencingPatches":523,"_modelApiKey":418,"name":545,"id":546,"slug":547,"icon":548,"supportDate":519},{"count":522},3,[524,531,538],{"id":525,"title":526,"description":527,"plans":528},"DMZZcGMvQfaRElACxvHXyA","Windows Server 2012 R2 post-EOS patches","\u003Cp>Windows Server 2012 R2 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+Server+2012+R2\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows Server 2012 R2 patches\u003C/a>\u003C/strong>\u003C/p>",[529,530],{"id":283,"title":284},{"id":286,"title":287},{"id":532,"title":533,"description":534,"plans":535},"ZaeezXKkT3KGln5CQ4NH9w","Windows Server 2012 post-EOS patches","\u003Cp>Windows Server 2012 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+Server+2012\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows Server 2012 patches\u003C/a>\u003C/strong>\u003C/p>",[536,537],{"id":283,"title":284},{"id":286,"title":287},{"id":539,"title":540,"description":541,"plans":542},"RYxw9xwXR3-OWnsdr8dFEg","Windows Server 2008 R2 post-EOS and post-ESU patches","\u003Cp>Windows Server 2008 R2 post-end-of-support patches, for computers without Extended Security Updates (ESU), or computers with any full year of ESU updates installed\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Windows+Server+2008+R2\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Windows Server 2008 R2 patches\u003C/a>\u003C/strong>\u003C/p>",[543,544],{"id":283,"title":284},{"id":286,"title":287},"Windows Server Patches","J7WLPCrKS7i7B8sAyJpKWg","microsoft-windows-vista",{"alt":549,"url":550,"width":551,"height":510,"responsiveImage":552},"Windows Server 2012-2022 logo","https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png",296,{"srcSet":553,"webpSrcSet":554,"sizes":555,"src":556,"width":557,"height":516,"aspectRatio":558,"alt":549,"title":18,"bgColor":559,"base64":560},"https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&fit=crop&h=40 39w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&h=40 58w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&h=40 78w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&h=40 117w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&h=40 156w","https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&h=40 39w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&fm=webp&h=40 58w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&fm=webp&h=40 78w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&fm=webp&h=40 117w,https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&fm=webp&h=40 156w","(max-width: 39px) 100vw, 39px","https://www.datocms-assets.com/166020/1764600963-srv2012_2022.png?auto=compress&crop=focalpoint&fit=crop&h=40",39,0.975,"#0b1f8e","data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABcAAAAYCAMAAAAmopZHAAABRFBMVEUAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIgAFIis0k1eAAAAbHRSTlMAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj9AQUJDREVGR0hJSkxNTk9QUVRVVldYWVpbXF1fYWJjZGVmZ2lqa2xtbnBzdHY8yRY6AAABF0lEQVR42o2STU/EIBCGmWEodGm77sWj//+PeVAvRrNAYYY63cREs42R45PJ+xXIHD/6L0eU7Y7DZR4tl5QqGQQ0XXbql4fLHCyv11zpCRCMMIux43w5R4+yTqXSGQA24cadwuidG5C7iCG58dZaZ0ODs13vi+q8AxjltQr6VPKsOjkpf73Z9t23fn5+xICcs3L+mTOlkwcu9b5XKiCHfdXugNs4qE5WvoBFs+dRGmKMA7aSSqNHRAudWxXjwjTt92vSvguSxW0fAtw4ncYB+pprow6b0YkACIfRhxNBt+gqvVnnSKv1ze5DVIOdpQo9q7ezuoUhPy3LNFjhovoag787v8TzHEhqLvw7//VqAvXKB33L3//hC+5Cl3o2W4MJAAAAAElFTkSuQmCC",{"__typename":290,"_allReferencingPatchesMeta":562,"_allReferencingPatches":564,"_modelApiKey":418,"name":593,"id":594,"slug":595,"icon":596,"supportDate":519},{"count":563},4,[565,572,579,586],{"id":566,"title":567,"description":568,"plans":569},"axmNaLDGSs2BLTpJNU-fuQ","Microsoft Office 2019 post-EOS patches","\u003Cp>Microsoft Office 2019 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2019\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2019 patches\u003C/a>\u003C/strong>\u003C/p>",[570,571],{"id":283,"title":284},{"id":286,"title":287},{"id":573,"title":574,"description":575,"plans":576},"MkFk40IJQhCcXnIO2ZDd4Q","Microsoft Office 2016 post-EOS patches","\u003Cp>Microsoft Office 2016 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2016\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2016 patches\u003C/a>\u003C/strong>\u003C/p>",[577,578],{"id":283,"title":284},{"id":286,"title":287},{"id":580,"title":581,"description":582,"plans":583},"FFqWfGxfQF2q0uyjyRjVWg","Microsoft Office 2013 post-EOS patches","\u003Cp>Microsoft Office 2013 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2013\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2013 patches\u003C/a>\u003C/strong>\u003C/p>",[584,585],{"id":283,"title":284},{"id":286,"title":287},{"id":587,"title":588,"description":589,"plans":590},"XFYgrsOyRpeuEXk29M4z9g","Microsoft Office 2010 post-EOS patches","\u003Cp>Microsoft Office 2010 post-end-of-support patches\u003C/p>\n\u003Cp>\u003Cstrong>\u003Ca href=\"/patches?product=Office+2010\" target=\"_blank\" rel=\"noopener\">Click to see the full list of our Microsoft Office 2010 patches\u003C/a>\u003C/strong>\u003C/p>",[591,592],{"id":283,"title":284},{"id":286,"title":287},"Microsoft Office Patches","VH2unwR4RjycDA1o_6eSFw","microsoft-windows-7",{"alt":597,"url":598,"width":510,"height":510,"responsiveImage":599},"Microsoft Office logo","https://www.datocms-assets.com/166020/1764600963-office2013_2019.png",{"srcSet":600,"webpSrcSet":601,"sizes":514,"src":602,"width":516,"height":516,"aspectRatio":210,"alt":597,"title":18,"bgColor":603,"base64":604},"https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&fit=crop&h=40 40w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&h=40 60w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&h=40 80w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&h=40 120w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&h=40 160w","https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&fit=crop&fm=webp&h=40 40w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=1.5&fit=crop&fm=webp&h=40 60w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=2&fit=crop&fm=webp&h=40 80w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=3&fit=crop&fm=webp&h=40 120w,https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&dpr=4&fit=crop&fm=webp&h=40 160w","https://www.datocms-assets.com/166020/1764600963-office2013_2019.png?auto=compress&crop=focalpoint&fit=crop&h=40","#eb3c00","data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABgAAAAYCAMAAADXqc3KAAABSlBMVEXqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPADqPAAMDLSTAAAAbnRSTlMAAQIDBAUGBwgJCgsMDQ4PEBESExQVFhcYGRobHB0eHyAiIyQlJicoKSorLS4vMTIzNDU2Nzk6Ozw9P0BBQkNERkpMTU5PUFFSVVZXWVpbXF1eX2BhYmNkZmdoaWpsbW5vcHFzdXZ4fH5/gIKDhBdTJiUAAAERSURBVHjabdE5doQwDAZgSV6AwMsU06TN/e+TM6SfyeBNUsALTeKGhz7wL8sWzoU21yd8fN6Xn++vAGDruzcdyFhjrBuAK0mo4Kz3PL89OrxvyA0s+Un9Cg38bZPUtrLOmXleUSvctrk4W1obZHVZtscJ0zo5Ral1FsAjfG7gDCo3iLmIknU1w4BybtnwyqmAaAsXzhhfDZ4hMjJrhVwy7B1iiIWycIPktO90flWIz8ATctY8QERQtQEUVh6ARIjQT86Mow7OGDqsg+IQcs4CjT8KXzB7Rwraujo6Qe3g7TEF4dTHHmGEGwKVFF4ddkhXu8yxjqFd7T7qzDmG9LzgWqWkuO//QS4xhf0viDJzvctfA1KXpEpvxgMAAAAASUVORK5CYII=",{"__typename":290,"_allReferencingPatchesMeta":606,"_allReferencingPatches":607,"_modelApiKey":418,"name":614,"id":615,"slug":616,"icon":617,"supportDate":519},{"count":210},[608],{"id":609,"title":610,"description":611,"plans":612},"OuJP-mYgRRi-wc8RTcRbUg","Other products patches","\u003Cp>We occasionally patch other Windows products, for instance when a critical vulnerability becomes known and the vendor does not provide an official patch in a timely manner\u003C/p>",[613],{"id":283,"title":284},"Other","BrWA-hAsQYSROgTvF-1ecA","microsoft-windows-11",{"alt":618,"url":619,"width":620,"height":621,"responsiveImage":18},"Windows 7","https://www.datocms-assets.com/166020/1754390080-layer1.svg",44,38,[623,628,632,636,640,644,648,652,656,660],{"__typename":624,"id":625,"name":626,"slug":627},"CountryRecord","WYcngTKjTLSCPKXF1CGc3Q","Germany","germany",{"__typename":624,"id":629,"name":630,"slug":631},"W7K_V8xIQ4esd1pdctvLRg","Switzerland","switzerland",{"__typename":624,"id":633,"name":634,"slug":635},"YCAHqeAMSp2PAVyP3KGV4w","International","international",{"__typename":624,"id":637,"name":638,"slug":639},"IKNwlfjMQXOfKhtUID30BQ","Singapore","singapore",{"__typename":624,"id":641,"name":642,"slug":643},"UzXo_gH5Te-UnOfNwdsfWQ","Netherlands","netherlands",{"__typename":624,"id":645,"name":646,"slug":647},"JKw7Q4wpQ8eGJjvHXwfSAA","Spain","spain",{"__typename":624,"id":649,"name":650,"slug":651},"RZbGpAInTEivnMxZzdTzwg","Poland","poland",{"__typename":624,"id":653,"name":654,"slug":655},"NwnHmUQ6RIK_OV9865XH3Q","Australia","australia",{"__typename":624,"id":657,"name":658,"slug":659},"HfVwBnHDSfCassEtkYx9lQ","United Kingdom","united-kingdom",{"__typename":624,"id":661,"name":662,"slug":663},"UUYGwDAYR4qLZM5UmDcmVA","USA","usa",[665,670],{"__typename":666,"id":667,"name":668,"slug":669},"PartnerCategoryRecord","dQoYak16SOaHi1odGdVqmQ","MSPs & SOCs","msps-socs",{"__typename":666,"id":671,"name":672,"slug":673},"REE7lMU8RzC9jabDARcxYQ","Resellers & Distributors","resellers-distributors",{"id":675,"_modelApiKey":676,"__typename":677,"text":678,"link":679,"menuLinks":687},"WnQYb8xeS2irpBJ41pdDRA","top_bar","TopBarRecord","Micropatches released for Windows Netlogon Remote Code Execution Vulnerability (CVE-2026-41089)",[680],{"externalLink":40,"id":681,"recordLink":682,"variant":12,"icon":685,"title":686},"K2tgUizORgyofhnuTJ36dA",{"__typename":683,"_modelApiKey":77,"slug":684},"ArticleRecord","micropatches-released-for-windows-netlogon-remote-code-execution-vulnerability-cv",false,"Learn more",[688,691],{"id":689,"primary":685,"externalLink":95,"parent":18,"reference":18,"title":690,"description":40,"publishTranslation":42},"B1pEweRaRD2YBkP6aH1CfA","Help center",{"id":692,"primary":42,"externalLink":693,"parent":18,"reference":18,"title":694,"description":40,"publishTranslation":42},"Mk0Yz-yqTk2akShgf7ARNg","https://central.0patch.com/","Sign in",[696,700],{"id":697,"title":698,"url":699},"NDrk5d4kQ96J2aCuTr-gvg","0patch on X","https://twitter.com/0patch",{"id":701,"title":702,"url":703},"GqN4lYxyTMyzcmRllVY4mg","Linked In","https://linkedin.com/company/0patch",{"left":705,"top":705,"width":706,"height":706,"rotate":705,"vFlip":685,"hFlip":685,"body":707},0,24,"\u003Cg fill=\"none\">\u003Cpath d=\"M11.9999 15.0539L6.34619 9.40013L7.39994 8.34637L11.9999 12.9464L16.5999 8.34637L17.6537 9.40013L11.9999 15.0539Z\" fill=\"currentColor\"/>\u003C/g>",{"left":705,"top":705,"width":706,"height":706,"rotate":705,"vFlip":685,"hFlip":685,"body":709},"\u003Cg fill=\"none\">\u003Cpath d=\"M9.5501 18.0001L3.8501 12.3001L5.2751 10.8751L9.5501 15.1501L18.7251 5.9751L20.1501 7.4001L9.5501 18.0001Z\" fill=\"currentColor\"/>\u003C/g>",{"left":705,"top":705,"width":706,"height":706,"rotate":705,"vFlip":685,"hFlip":685,"body":711},"\u003Cg fill=\"none\">\u003Cpath d=\"M5.55375 19.5001L4.5 18.4464L15.9462 7.00012H9V5.50012H18.5V15.0001H17V8.05387L5.55375 19.5001Z\" fill=\"currentColor\"/>\u003C/g>",{"article":713},{"_firstPublishedAt":714,"_publishedAt":715,"_updatedAt":716,"_seoMetaTags":717,"_allSlugLocales":783,"_allPublishTranslationLocales":786,"published":788,"__typename":683,"_modelApiKey":77,"author":789,"createdAt":790,"id":791,"excerpt":40,"body":792,"image":1224,"readTime":40,"title":720,"slug":785,"publishTranslation":42,"seoMetadata":18},"2025-08-21T14:30:24+02:00","2026-05-29T15:32:25+02:00","2026-05-29T15:32:22+02:00",[718,721,725,728,732,735,738,742,746,750,753,756,759,762,765,768,772,775,779],{"tag":719,"attributes":18,"content":720},"title","Another Task Scheduler 0day, Another Task Scheduler Micropatch (The SandboxEscaper Saga)",{"tag":722,"attributes":723,"content":18},"meta",{"property":724,"content":720},"og:title",{"tag":722,"attributes":726,"content":18},{"name":727,"content":720},"twitter:title",{"tag":722,"attributes":729,"content":18},{"name":730,"content":731},"description","This is a 0patch website.",{"tag":722,"attributes":733,"content":18},{"property":734,"content":731},"og:description",{"tag":722,"attributes":736,"content":18},{"name":737,"content":731},"twitter:description",{"tag":722,"attributes":739,"content":18},{"property":740,"content":741},"og:image","https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg?auto=format&fit=max&w=1200",{"tag":722,"attributes":743,"content":18},{"property":744,"content":745},"og:image:width","640",{"tag":722,"attributes":747,"content":18},{"property":748,"content":749},"og:image:height","300",{"tag":722,"attributes":751,"content":18},{"property":752,"content":720},"og:image:alt",{"tag":722,"attributes":754,"content":18},{"name":755,"content":741},"twitter:image",{"tag":722,"attributes":757,"content":18},{"name":758,"content":720},"twitter:image:alt",{"tag":722,"attributes":760,"content":18},{"property":761,"content":32},"og:locale",{"tag":722,"attributes":763,"content":18},{"property":764,"content":77},"og:type",{"tag":722,"attributes":766,"content":18},{"property":767,"content":6},"og:site_name",{"tag":722,"attributes":769,"content":18},{"property":770,"content":771},"article:modified_time","2026-05-29T13:32:22Z",{"tag":722,"attributes":773,"content":18},{"property":774,"content":40},"article:publisher",{"tag":722,"attributes":776,"content":18},{"name":777,"content":778},"twitter:card","summary",{"tag":722,"attributes":780,"content":18},{"name":781,"content":782},"robots","noindex",[784],{"value":785,"locale":32},"another-task-scheduler-0day-another",[787],{"value":42,"locale":32},"2019-06-04T13:43:00+02:00","Mitja Kolsek","2025-08-21T14:30:23+02:00","Ef5mpUXMSOSaRRou5EPTxQ",{"blocks":793,"links":912,"value":913},[794,810,824,832,846,860,873,887,899],{"id":795,"_modelApiKey":796,"__typename":797,"image":798},"DLyv7Y6CQO-KSxFB632Yxw","image","ImageRecord",{"alt":799,"url":800,"width":801,"height":802,"responsiveImage":803},"processmonitor_setsecurity_calls","https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png",601,342,{"srcSet":804,"webpSrcSet":805,"sizes":806,"src":800,"width":801,"height":802,"aspectRatio":807,"alt":799,"title":799,"bgColor":808,"base64":809},"https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?dpr=0.25 150w,https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?dpr=0.5 300w,https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?dpr=0.75 450w,https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png 601w","https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?dpr=0.25&fm=webp 150w,https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?dpr=0.5&fm=webp 300w,https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?dpr=0.75&fm=webp 450w,https://www.datocms-assets.com/166020/1757416995-processmonitor_setsecurity_calls.png?fm=webp 601w","(max-width: 601px) 100vw, 601px",1.7573099415204678,"#fefe00","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgFCgoFBQwFBQUFBREJCgUMFxMZGBYTFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQUFEAUFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIAA4AGAMBIgACEQEDEQH/xAAVAAEBAAAAAAAAAAAAAAAAAAAAB//EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAWAQADAAAAAAAAAAAAAAAAAAAAAQP/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwCpAGkAAP/Z",{"id":811,"_modelApiKey":796,"__typename":797,"image":812},"Nw7_Qjr-TWuGliNShbdIqg",{"alt":813,"url":814,"width":815,"height":816,"responsiveImage":817},"processmonitor_first_setsecurity_callstack","https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png",546,573,{"srcSet":818,"webpSrcSet":819,"sizes":820,"src":814,"width":815,"height":816,"aspectRatio":821,"alt":813,"title":813,"bgColor":822,"base64":823},"https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?dpr=0.25 136w,https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?dpr=0.5 273w,https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?dpr=0.75 409w,https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png 546w","https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?dpr=0.25&fm=webp 136w,https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?dpr=0.5&fm=webp 273w,https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?dpr=0.75&fm=webp 409w,https://www.datocms-assets.com/166020/1757416994-processmonitor_first_setsecurity_callstack.png?fm=webp 546w","(max-width: 546px) 100vw, 546px",0.9528795811518325,"#0000ff","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgFCgoFBQwFBQUFBREJCgUMFxMZGBYTFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQUFEAUFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIABkAFwMBIgACEQEDEQH/xAAVAAEBAAAAAAAAAAAAAAAAAAAAB//EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAVAQEBAAAAAAAAAAAAAAAAAAAAAv/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AKqApIAAAAAD/9k=",{"id":825,"_modelApiKey":796,"__typename":797,"image":826},"MqVFzB2fSsOyyaUdccw7Xw",{"alt":827,"url":828,"width":815,"height":816,"responsiveImage":829},"processmonitor_second_setsecurity_callstack","https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png",{"srcSet":830,"webpSrcSet":831,"sizes":820,"src":828,"width":815,"height":816,"aspectRatio":821,"alt":827,"title":827,"bgColor":822,"base64":823},"https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?dpr=0.25 136w,https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?dpr=0.5 273w,https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?dpr=0.75 409w,https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png 546w","https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?dpr=0.25&fm=webp 136w,https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?dpr=0.5&fm=webp 273w,https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?dpr=0.75&fm=webp 409w,https://www.datocms-assets.com/166020/1757416994-processmonitor_second_setsecurity_callstack.png?fm=webp 546w",{"id":833,"_modelApiKey":796,"__typename":797,"image":834},"Hs3iqJZPRJ26FkllhixbWA",{"alt":835,"url":836,"width":837,"height":838,"responsiveImage":839},"schrpcsetsecurity_specs","https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png",552,71,{"srcSet":840,"webpSrcSet":841,"sizes":842,"src":836,"width":837,"height":838,"aspectRatio":843,"alt":835,"title":835,"bgColor":844,"base64":845},"https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?dpr=0.25 138w,https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?dpr=0.5 276w,https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?dpr=0.75 414w,https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png 552w","https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?dpr=0.25&fm=webp 138w,https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?dpr=0.5&fm=webp 276w,https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?dpr=0.75&fm=webp 414w,https://www.datocms-assets.com/166020/1757416994-schrpcsetsecurity_specs.png?fm=webp 552w","(max-width: 552px) 100vw, 552px",7.774647887323944,"#ffa747","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgFCgoFBQwFBQUFBREJCgUMFxMZGBYTFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQUFEAUFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIAAQAGAMBIgACEQEDEQH/xAAVAAEBAAAAAAAAAAAAAAAAAAAAB//EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAVAQEBAAAAAAAAAAAAAAAAAAACAP/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AK8AQgCT/9k=",{"id":847,"_modelApiKey":796,"__typename":797,"image":848},"Qkq3rqXeS8e-Gqqx0F_Hcg",{"alt":849,"url":850,"width":851,"height":852,"responsiveImage":853},"ida_patchlet_1","https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png",1460,501,{"srcSet":854,"webpSrcSet":855,"sizes":856,"src":850,"width":851,"height":852,"aspectRatio":857,"alt":849,"title":849,"bgColor":858,"base64":859},"https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?dpr=0.25 365w,https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?dpr=0.5 730w,https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?dpr=0.75 1095w,https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png 1460w","https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?dpr=0.25&fm=webp 365w,https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?dpr=0.5&fm=webp 730w,https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?dpr=0.75&fm=webp 1095w,https://www.datocms-assets.com/166020/1757416995-ida_patchlet_1.png?fm=webp 1460w","(max-width: 1460px) 100vw, 1460px",2.914171656686627,"#ffaa00","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgLCgoLDhgcDg0NGikVGhUdHSslGBYTFhUeHysjJh0oHRUWJDUlKC0vMjIyGSU4PTcwPCsxMi8BCgsLDg0CHBAQEC8oIig7Ozs7Ozs7Ozs7Ozs1Ozs7Lzs7Oy87Oy8vOy8vNS81Ly87Ozs7Ly81Ly81Oy8vLy8vL//AABEIAAkAGAMBIgACEQEDEQH/xAAZAAABBQAAAAAAAAAAAAAAAAACAAEEBQb/xAAgEAACAgEDBQAAAAAAAAAAAAABAgAEAxE0cRMhMTIz/8QAFQEBAQAAAAAAAAAAAAAAAAAABgX/xAAcEQACAgIDAAAAAAAAAAAAAAABAwACFSMFFjP/2gAMAwEAAhEDEQA/ANgLFsvqqxstq71FDA+ZOw+0Gz9FhW6WdnG+0tBtcP5iW2Eu9FS476RQhtF4ijFNCOJANyYRe0Zs6xP/2Q==",{"id":861,"_modelApiKey":796,"__typename":797,"image":862},"Xn9Ki-wiQ7O9Cn4d36pfNw",{"alt":863,"url":864,"width":865,"height":866,"responsiveImage":867},"ida_patchlet_2","https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png",1508,485,{"srcSet":868,"webpSrcSet":869,"sizes":870,"src":864,"width":865,"height":866,"aspectRatio":871,"alt":863,"title":863,"bgColor":858,"base64":872},"https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?dpr=0.25 377w,https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?dpr=0.5 754w,https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?dpr=0.75 1131w,https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png 1508w","https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?dpr=0.25&fm=webp 377w,https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?dpr=0.5&fm=webp 754w,https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?dpr=0.75&fm=webp 1131w,https://www.datocms-assets.com/166020/1757416994-ida_patchlet_2.png?fm=webp 1508w","(max-width: 1508px) 100vw, 1508px",3.109278350515464,"data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgLEgoLDhUVCw0WDhMVFhYSFysoGBYVFiEqHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0CHBAQEC8oIig7Ozs7Ozs7Ozs7Ozs7Ozs7Lzs7Oy87Oy87Oy8vOy8vLzs1Ly87NS8vLy87LzUvLy81L//AABEIAAgAGAMBIgACEQEDEQH/xAAXAAEAAwAAAAAAAAAAAAAAAAAAAQUG/8QAHBAAAgICAwAAAAAAAAAAAAAAAAIBBAMyERQh/8QAFQEBAQAAAAAAAAAAAAAAAAAABgX/xAAgEQABAwIHAAAAAAAAAAAAAAABAAMRApEFBhIVIiMl/9oADAMBAAIRAxEAPwDbRduxqTF2+zrDABSXDmQS9VdXqtAwg9YV6uRurDZI94AA0Zb8gTUUQfcG8ngF/9k=",{"id":874,"_modelApiKey":796,"__typename":797,"image":875},"Ed5LD6waTG-UWu9wmwe_xg",{"alt":876,"url":877,"width":878,"height":879,"responsiveImage":880},"processmonitor_after_patch","https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png",621,779,{"srcSet":881,"webpSrcSet":882,"sizes":883,"src":877,"width":878,"height":879,"aspectRatio":884,"alt":876,"title":876,"bgColor":885,"base64":886},"https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?dpr=0.25 155w,https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?dpr=0.5 310w,https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?dpr=0.75 465w,https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png 621w","https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?dpr=0.25&fm=webp 155w,https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?dpr=0.5&fm=webp 310w,https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?dpr=0.75&fm=webp 465w,https://www.datocms-assets.com/166020/1757416994-processmonitor_after_patch.png?fm=webp 621w","(max-width: 621px) 100vw, 621px",0.7971758664955071,"#ff0029","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoICAgFCgoFBQwFBQUFBREJCgUMFxMZGBYTFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQUFEAUFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIABgAEwMBIgACEQEDEQH/xAAVAAEBAAAAAAAAAAAAAAAAAAAAB//EABQQAQAAAAAAAAAAAAAAAAAAAAD/xAAVAQEBAAAAAAAAAAAAAAAAAAAAAv/EABQRAQAAAAAAAAAAAAAAAAAAAAD/2gAMAwEAAhEDEQA/AK0ApQAAAAAD/9k=",{"id":888,"_modelApiKey":889,"__typename":890,"video":891},"TzNhEeT8Qqyzlool11EfWg","video_external","VideoExternalRecord",{"url":892,"title":893,"thumbnailUrl":894,"height":895,"provider":896,"providerUid":897,"width":898},"https://www.youtube.com/watch?v=c9vQJoeJDA8","0patching the \"BearLPE\" local privilege escalation 0day in Task Scheduler","https://i.ytimg.com/vi/c9vQJoeJDA8/hqdefault.jpg",113,"youtube","c9vQJoeJDA8",200,{"id":900,"_modelApiKey":796,"__typename":797,"image":901},"ND_AjN8hTzurgBzA77OENQ",{"alt":902,"url":903,"width":904,"height":905,"responsiveImage":906},"vuln_5172_no-cve_bearlpe_patchcard","https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png",640,320,{"srcSet":907,"webpSrcSet":908,"sizes":909,"src":903,"width":904,"height":905,"aspectRatio":228,"alt":902,"title":902,"bgColor":910,"base64":911},"https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?dpr=0.25 160w,https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?dpr=0.5 320w,https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?dpr=0.75 480w,https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png 640w","https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?dpr=0.25&fm=webp 160w,https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?dpr=0.5&fm=webp 320w,https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?dpr=0.75&fm=webp 480w,https://www.datocms-assets.com/166020/1757417170-vuln_5172_no-cve_bearlpe_patchcard_twitter_506x253.png?fm=webp 640w","(max-width: 640px) 100vw, 640px","#ffc304","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBhMMCAgLCQ0KDhgQDQcODR0NFhENFyIZGBYTIhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLDg0OHA4QHC8oFig7OzsvLy87Oy8vLy87LzsvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIAAwAGAMBIgACEQEDEQH/xAAXAAADAQAAAAAAAAAAAAAAAAABAgMG/8QAHRAAAQQCAwAAAAAAAAAAAAAAAAECAwQTMRIhUf/EABYBAQEBAAAAAAAAAAAAAAAAAAUGA//EAB0RAAEEAgMAAAAAAAAAAAAAAAMAARIxETICBCL/2gAMAwEAAhEDEQA/AN5VgTEVdXZx2SruXHsZzl9IrplHDVMEZ82lswtZCEax3AAPMQc38rbhLFr/2Q==",[],{"schema":914,"document":915},"dast",{"type":916,"children":917},"root",[918,972,977,1000,1044,1048,1050,1054,1055,1056,1082,1083,1110,1111,1115,1119,1123,1124,1128,1129,1133,1134,1154,1174,1185,1186],{"type":919,"children":920},"paragraph",[921,926,928,937,939,946,948,955,957,964,966,970],{"type":922,"marks":923,"value":925},"span",[924],"strong","Backward Compatibility is Hard, and so is Stacked Impersonation",{"type":922,"value":927},"\n\n[Update 6/12/2019: Yesterday's Windows Updates include a fix for this vulnerability, 12 days after our micropatch has been released. The issue was assigned CVE-2019-1069.]\n\nLast August ",{"url":929,"meta":930,"type":12,"children":934},"https://blog.0patch.com/2018/08/how-we-micropatched-publicly-dropped.html",[931],{"id":932,"value":933},"target","_blank",[935],{"type":922,"value":936},"we issued a micropatch",{"type":922,"value":938}," for a local privilege escalation 0day in Task Scheduler, published by ",{"url":940,"meta":941,"type":12,"children":943},"http://sandboxescaper.blogspot.com/",[942],{"id":932,"value":933},[944],{"type":922,"value":945},"SandboxEscaper",{"type":922,"value":947},". The vulnerability allowed a local attacker on a Windows machine to change permissions of any chosen file, including system executables, such that the attacker would subsequently be able to modify that file. This obviously allowed for privilege escalation, although many system files can't be changed even with suitable permissions either due to being owned by TrustedInstaller or due to being in use. Nevertheless, at least one such file can always be found.\n\nFast forward to last week. ",{"url":949,"meta":950,"type":12,"children":952},"https://arstechnica.com/information-technology/2019/05/serial-publisher-of-windows-0days-drops-exploits-for-3-more-unfixed-flaws/",[951],{"id":932,"value":933},[953],{"type":922,"value":954},"SandboxEscaper has dropped three Windows 0days",{"type":922,"value":956},", one of which is again a local privilege escalation in Task Scheduler. We tested it and it worked on a fully patched Windows 10 machine. ",{"url":958,"meta":959,"type":12,"children":961},"https://www.kb.cert.org/vuls/id/119704/",[960],{"id":932,"value":933},[962],{"type":922,"value":963},"According to Will Dormann of CERT/CC",{"type":922,"value":965},", the exploit \"",{"type":922,"marks":967,"value":969},[968],"emphasis","functions reliably on 32- and 64-bit Windows 10 platforms, as well as Windows Server 2016 and Windows Server 2019. While Windows 8 still contains this vulnerability, exploitation using the publicly-described technique is limited to files where the current user has write access, in our testing. As such, the impact on Windows 8 systems using the technique used by the public exploit appears to be negligible. We have not been able to demonstrate the vulnerability on Windows 7 systems.",{"type":922,"value":971},"\"\n\n\n",{"type":973,"level":228,"children":974},"heading",[975],{"type":922,"value":976},"Analysis",{"type":919,"children":978},[979,981,984,986,989,991,994,996,998],{"type":922,"value":980},"\nAnalysis always starts with reproducing the POC.  It comes as a Windows executable that takes two arguments, username and password of a local low-privileged user. Let's see what it does when we run it as a low-privileged user test:\n\n\nC:\\Temp\\Vuln-5172_bearlpe\\Exploit>",{"type":922,"marks":982,"value":983},[924],"whoami",{"type":922,"value":985},"\n0p-win-10-ent-3\\test\n\n\nC:\\Temp\\Vuln-5172_bearlpe\\Exploit>",{"type":922,"marks":987,"value":988},[924],"icacls \"c:\\Windows\\system32\\drivers\\pci.sys\"",{"type":922,"value":990},"\nc:\\Windows\\system32\\drivers\\pci.sys NT AUTHORITY\\SYSTEM:(I)(F)\n                                    BUILTIN\\Administrators:(I)(F)\n                                    BUILTIN\\Users:(I)(RX)\n                                    APPLICATION PACKAGE AUTHORITY\\ALL APPLICATION PACKAGES:(I)(RX)\n                                    APPLICATION PACKAGE AUTHORITY\\ALL RESTRICTED APP PACKAGES:(I)(RX)\n\nSuccessfully processed 1 files; Failed processing 0 files\n\n\nC:\\Temp\\Vuln-5172_bearlpe\\Exploit>",{"type":922,"marks":992,"value":993},[924],"polarbear.exe test test",{"type":922,"value":995},"\nSUCCESS: The parameters of scheduled task \"bear\" have been changed.\nSUCCESS: The parameters of scheduled task \"bear\" have been changed.\n\n\nC:\\Temp\\Vuln-5172_bearlpe\\Exploit>",{"type":922,"marks":997,"value":988},[924],{"type":922,"value":999},"\nc:\\Windows\\system32\\drivers\\pci.sys NT AUTHORITY\\SYSTEM:(Rc,S,X,RA)\n                                    0P-WIN-10-ENT-3\\test:(R)\n                                    BUILTIN\\Administrators:(I)(R,W,D,WDAC,WO)\n                                    NT AUTHORITY\\SYSTEM:(I)(R,W,D,WDAC,WO)\n                                    0P-WIN-10-ENT-3\\test:(I)(F)\n                             \nSuccessfully processed 1 files; Failed processing 0 files\n\n\nObviously, the POC was able to change permissions on pci.sys. Furthermore, in contrast to the last year's Task Scheduler 0day we had micropatched, this one also changed the ownership of the target file; not being owned by TrustedInstaller any more, pci.sys could be modified freely by the attacker.\n\nIts operation is fairly simple; when launched with credentials of a low-privileged user test with password test, the POC performs these steps (as seen from its source code):\n\n",{"type":1001,"style":1002,"children":1003},"list","numbered",[1004,1011,1017,1023,1038],{"type":1005,"children":1006},"listItem",[1007],{"type":919,"children":1008},[1009],{"type":922,"value":1010},"Copy file bear.job to c:\\windows\\tasks\\bear.job",{"type":1005,"children":1012},[1013],{"type":919,"children":1014},[1015],{"type":922,"value":1016},"Execute schtasks.exe /change /TN \\\"bear\\\" /RU test /RP test\n(This instructs Task Scheduler to take bear.job created above and create a new scheduled tasks - resulting in a new file c:\\windows\\system32\\tasks\\Bear. Note that a legacy schtasks.exe from Windows XP is used, which uses legacy RPC interface for that.)",{"type":1005,"children":1018},[1019],{"type":919,"children":1020},[1021],{"type":922,"value":1022},"Delete  c:\\windows\\system32\\tasks\\Bear.",{"type":1005,"children":1024},[1025],{"type":919,"children":1026},[1027,1029,1036],{"type":922,"value":1028},"Create a ",{"url":1030,"meta":1031,"type":12,"children":1033},"https://docs.microsoft.com/en-us/windows/desktop/fileio/hard-links-and-junctions",[1032],{"id":932,"value":933},[1034],{"type":922,"value":1035},"hard link",{"type":922,"value":1037}," c:\\windows\\system32\\tasks\\Bear, pointing to system file c:\\windows\\system32\\drivers\\pci.sys.",{"type":1005,"children":1039},[1040],{"type":919,"children":1041},[1042],{"type":922,"value":1043},"Again, execute schtasks.exe /change /TN \\\"bear\\\" /RU test /RP test\n(This time, since the task already exists, Task Scheduler sets full permissions and ownership for user test on the task file. Since the task file is actually a hard link to pci.sys, it apparently changes permissions and ownership on that file.)",{"type":919,"children":1045},[1046],{"type":922,"value":1047},"\nObserving operations against c:\\windows\\system32\\tasks\\Bear with Process Monitor during POC execution told us more:\n",{"item":795,"type":1049},"block",{"type":919,"children":1051},[1052],{"type":922,"value":1053},"\n\n\n\n\nApparently, there were two SetSecurityFile operations performed on the file, with the following call stacks:\n\n",{"item":811,"type":1049},{"item":825,"type":1049},{"type":919,"children":1057},[1058,1060,1067,1069,1072,1074,1080],{"type":922,"value":1059},"\n\n\n\n\n\nBoth of these SetSecurityFile operations stem from function ",{"url":1061,"meta":1062,"type":12,"children":1064},"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/a8172c11-a24a-4ad9-abd0-82bcf29d794d",[1063],{"id":932,"value":933},[1065],{"type":922,"value":1066},"_SchRpcSetSecurity",{"type":922,"value":1068}," in schedsvc.dll, and based on our prior experience with Task Manager's impersonation issues we assumed this function was responsible for calling SetSecurityInfo without proper impersonation. Next step: debugger.\n\nWe set a breakpoint at _SchRpcSetSecurity and traced its execution towards the call to SetSecurityInfo - its first call being made from function SetJobFileSecurityByName. Therein, before the call to SetSecurityInfo was made, we checked the thread's access token, expecting it to be not-impersonated.\n\n\n0:030> !token\nTS Session ID: 0\nUser: S-1-5-18 \n... \nPrivs:\n ...\n 14 0x000000012 SeRestorePrivilege                Attributes - Enabled\n ...\nImpersonation Level: Impersonation\n...\n\nBut surprise! The token ",{"type":922,"marks":1070,"value":1071},[968],"was ",{"type":922,"value":1073},"impersonated. Only the user it was impersonating was not the attacker's user test, but Local System (S-1-5-18). What was going on?\n\nWas function _SchRpcSetSecurity broken and incorrectly impersonated the caller? We found an impersonation call in it and it looked okay. Clearly we needed to understand this function better, and it's natural to start with the documentation when available. The ",{"url":1061,"meta":1075,"type":12,"children":1077},[1076],{"id":932,"value":933},[1078],{"type":922,"value":1079},"specification of function  _SchRpcSetSecurity",{"type":922,"value":1081}," describes its behavior in detail, including this step that is relevant for our analysis (the path parameter being the Bear file in our case.):\n \n",{"item":833,"type":1049},{"type":919,"children":1084},[1085,1087,1090,1092,1099,1101,1108],{"type":922,"value":1086},"\n\nThis makes sense: if someone asks Task Scheduler to change permissions on a task file, said someone should have write permissions on that file. A typical use case for this is when the user who created a task subsequently decides to have that task executed as some other user, which requires that user to have at least read access to the task file. And this is also the use case triggered by the schtasks.exe's /change option, where /RU and /RP parameters specify the \"run-as\" user's credentials.\n\nWe then reverse engineered _SchRpcSetSecurity to find where this security check is implemented and find out why it doesn't work as specified.\n\nExcept we found that it ",{"type":922,"marks":1088,"value":1089},[968],"does",{"type":922,"value":1091}," work as specified: the code attempts to open the Bear file with permissions to change its DACL and its owner - and if that succeeds, actually does that. Which would work great if only it was impersonating the low-privileged attacker instead of Local System (who obviously can do all that on the linked-to pci.sys file).\n\nSo why didn't the function impersonate the attacker? After some head-scratching, we remembered that this attack only works with the legacy schtasks.exe, and not with the new one. Could it be that the old schtasks.exe was calling some other RPC function than _SchRpcSetSecurity, which then in turn called _SchRpcSetSecurity via RPC? While still paused inside the _SchRpcSetSecurity call, we looked at other threads in the same process - and found an interesting one with this call stack:\n\n\n\n0:037> k\nChildEBP RetAddr \n08d1dbf4 775e058a ntdll!KiFastSystemCallRet\n08d1dbf8 76e35bde ntdll!NtAlpcSendWaitReceivePort+0xa\n08d1dc88 76e359f4 RPCRT4!LRPC_BASE_CCALL::DoSendReceive+0xde\n08d1dca4 76e156dc RPCRT4!LRPC_CCALL::SendReceive+0x54\n08d1e118 6ff9fa7a RPCRT4!NdrClientCall2+0xa4c\n08d1e130 6ffbd524 taskcomp!SchRpcSetSecurity+0x24\n08d1e17c 6ffa8536 taskcomp!RpcSession::SetSecurity+0x25\n08d1ecd0 6ffa8669 taskcomp!CompatibilityAdapter::Register+0xef4\n08d1ed00 6ffb13a9 taskcomp!CompatibilityAdapter::RegisterWithRetry+0x28\n08d1f1f4 76e67544 taskcomp!SASetAccountInformation+0x4a9\n08d1f21c 76e1665d RPCRT4!Invoke+0x34\n08d1f688 76e17399 RPCRT4!NdrStubCall2+0x86d\n08d1f6a4 76e48712 RPCRT4!NdrServerCall2+0x19\n08d1f6e4 76e4832b RPCRT4!DispatchToStubInCNoAvrf+0x52\n08d1f758 76e47d6f RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x17b\n08d1f78c 76e36b6f RPCRT4!RPC_INTERFACE::DispatchToStub+0x8f\n08d1f7f4 76e37e4d RPCRT4!LRPC_SCALL::DispatchRequest+0x2ef\n08d1f884 76e37915 RPCRT4!LRPC_SCALL::HandleRequest+0x37d\n08d1f8d0 76e36501 RPCRT4!LRPC_ADDRESS::HandleRequest+0x325\n08d1f9a8 76e324e6 RPCRT4!LRPC_ADDRESS::ProcessIO+0x211\n08d1f9e8 775827f8 RPCRT4!LrpcIoComplete+0xa6\n08d1fa20 775819da ntdll!TppAlpcpExecuteCallback+0x188\n08d1fbe8 74d7e529 ntdll!TppWorkerThread+0x3da\n08d1fbf8 775a9ed1 KERNEL32!BaseThreadInitThunk+0x19\n08d1fc54 775a9ea5 ntdll!__RtlUserThreadStart+0x2b\n08d1fc64 00000000 ntdll!_RtlUserThreadStart+0x1b\n\nHmm, a thread in taskcomp.dll, which was itself triggered via an RPC call (as suggested by RPCRT4!Invoke) called a function named SchRpcSetSecurity, which invoked another RPC call (as suggested by RPCRT4!NdrClientCall2), and was now waiting for it to return. A few debugging sessions later, we could confirm that this is indeed what is happening: the legacy schtasks.exe makes a RPC call to a legacy RPC endpoint ",{"url":1093,"meta":1094,"type":12,"children":1096},"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/ca3e0305-4582-4e75-9c27-598c715f771d",[1095],{"id":932,"value":933},[1097],{"type":922,"value":1098},"SASetAccountInformation",{"type":922,"value":1100}," implemented in taskcomp.dll, which implements the old task scheduler instructions with RPC calls to the new ones implemented in schedsvc.dll, such as ",{"url":1102,"meta":1103,"type":12,"children":1105},"https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-tsch/849c131a-64e4-46ef-b015-9d4c599c5167",[1104],{"id":932,"value":933},[1106],{"type":922,"value":1107},"SchRpcRegisterTask",{"type":922,"value":1109}," and SchRpcSetSecurity.\n\nOur focus thus turned to taskcomp.dll. Namely, RPC calls can be stacked: process A can RPC-call process B, and then the code processing said call in process B can further RPC-call process C. In our case, schtasks.exe (running as attacker) calls RPC endpoint taskcomp!SASetAccountInformation in Task Scheduler's process svchost.exe (running as Local System), which in turn calls RPC endpoint schedsvc!_SchRpcSetSecurity in the same svchost.exe (still running as Local System). When the latter impersonates its caller, it actually impersonates the access token of the thread in taskcomp.dll that called it, and if that thread had previously impersonated its own caller (i.e., attacker), the final impersonated token would also be attacker's. However, taskcomp.dll does not impersonate its caller; it impersonates self (Local System) to enable the SeRestorePrivilege privilege that is needed for it to set DACL and ownership on any file:\n\n",{"item":847,"type":1049},{"type":919,"children":1112},[1113],{"type":922,"value":1114},"\n\n\nThis impersonation breaks the tie with attacker's identity, and causes the subsequently executed schedsvc!_SchRpcSetSecurity to believe it was Local System, not the attacker, who requested the change of DACL and owner on pci.sys. It was time to patch.\n\n\n",{"type":973,"level":228,"children":1116},[1117],{"type":922,"value":1118},"Patching",{"type":919,"children":1120},[1121],{"type":922,"value":1122},"\nCorrecting the behavior of someone else's code in a complex environment is always tricky, and legacy support + task scheduling = complex, we believe it was actually an error to impersonate self in taskcomp.dll instead of impersonating the client. The latter would in fact allow the security check in schedsvc!_SchRpcSetSecurity to perform correctly and work as intended on a regular file as well as on a hard-linked system file (correctly failing when invoked by a low-privileged user).\n\nWe therefore decided to replace self-impersonation with client-impersonation, and to do that, we removed the call to ImpersonateSalfWithPrivilege and injected a call to RpcImpersonateClient in its place.\n\nWe wrote a micropatch for this and tested it.\n\nThe POC still worked.\n\nIt turned out that there was another RPC call to SchRpcSetSecurity in taskcomp.dll, which got called when the first one was unsuccessful:\n\n\n",{"item":861,"type":1049},{"type":919,"children":1125},[1126],{"type":922,"value":1127},"\n\nThe call stack was:\n\n0:005> k\nChildEBP RetAddr\n044ffc20 6ff9a3dd taskcomp!CompatibilityAdapter::\n                  [IFileChangeNotification]::SdChange+0x9235\n044ffc60 6ff9a2a4 taskcomp!JournalReader::HandleWaitTimer+0x11d\n044ffef0 74d7e529 taskcomp!CompatibilityAdapter::MonitorThread+0x104\n044fff00 775a9ed1 KERNEL32!BaseThreadInitThunk+0x19\n044fff5c 775a9ea5 ntdll!__RtlUserThreadStart+0x2b\n044fff6c 00000000 ntdll!_RtlUserThreadStart+0x1b\n\n\nIt looked like some monitoring thread was used for getting the job done when the original call failed, but this thread was not called via RPC, and client impersonation could not be used there. We therefore decided on a more drastic approach and simply amputated the call to SetSecurity.\n\nAfter that, we got the desired behavior: The legacy schtasks.exe was behaving correctly when creating a new task from a job file, and when setting a \"run-as\" user for an existing task that the user was allowed to change permissions on. On the other hand, the hard link trick no longer worked because the Task Scheduler process correctly identified the caller and determined that it doesn't have sufficient permissions to change DACL or ownership on a system file. Since we didn't even touch schedsvc.dll, the new (non-legacy) Task Scheduler functionality was not affected at all.\n\n",{"item":874,"type":1049},{"type":919,"children":1130},[1131],{"type":922,"value":1132},"\n\n\nWith our micropatch in place, re-launching the POC and observing the Bear task file in Process Monitor only showed two CreateFile operations from SchRpcSetSecurity's security check described above, and both ended with an ACCESS DENIED error due to correct impersonation.\n\n\nThis is the source code of our micropatch for 32bit Windows 10 version 1809:\n\n\n\n;Micropatch for taskcomp.dll version 10.0.17763.1\nMODULE_PATH \"..\\AffectedModules\\taskcomp.dll_10.0.17763.1_x86\\taskcomp.dll\"\nPATCH_ID 374\nPATCH_FORMAT_VER 2\nVULN_ID 5172\nPLATFORM win32\n\npatchlet_start\n PATCHLET_ID 1\n PATCHLET_TYPE 2\n PATCHLET_OFFSET 0x000184dd\n PIT rpcrt4.dll!RpcImpersonateClient\n JUMPOVERBYTES 16 ; we skip the call to ImpersonateSelfWithPrivilege\n N_ORIGINALBYTES 1\n\n code_start\n  mov dword [ebp-0b20h], 0 ; token (set to 0 to force the ImpersonateSelfWithPrivilege\n                           ; destructor to call RpcRevertToSelf)\n  push 0                   ; Impersonating the client that made the request\n  call PIT_RpcImpersonateClient\n code_end\n\npatchlet_end\n\npatchlet_start\n PATCHLET_ID 2\n PATCHLET_TYPE 2\n PATCHLET_OFFSET 0x00015e72\n JUMPOVERBYTES 5 ; we skip the call to SetSecurity@RpcSession\n N_ORIGINALBYTES 1\n\n code_start\n  add    esp, 0ch       ; 3 x pop\n  mov eax, 00000000h   ; simulate that SetSecurity@RpcSession() function\n                       ; returned 0 (as on successfull call)\n code_end\n\npatchlet_end\n\nAnd here it is in action:\n",{"item":888,"type":1049},{"type":919,"children":1135},[1136,1138,1145,1147,1152],{"type":922,"value":1137},"As always, if you have 0patch Agent installed and registered, this micropatch is already on your computer - and applied to taskcomp.dll in your Task Scheduler service. If you don't have the 0patch Agent yet, you can ",{"url":1139,"meta":1140,"type":12,"children":1142},"https://central.0patch.com/auth/register",[1141],{"id":932,"value":933},[1143],{"type":922,"value":1144},"register a 0patch account",{"type":922,"value":1146}," and install it to get this micropatch applied.\n\nFollowing our ",{"url":1148,"type":12,"children":1149},"https://0patch.zendesk.com/hc/en-us/articles/360020855914-What-are-PRO-patches-and-how-are-they-different-from-FREE-patches-",[1150],{"type":922,"value":1151},"guidelines on which patches to provide for free",{"type":922,"value":1153},", this micropatch affects many home and education users, and is therefore included in both FREE and PRO 0patch license until Microsoft provides an official fix. After that the micropatch will only be included in the PRO license.\n\nWe are currently providing this micropatch for fully updated:\n",{"type":1001,"style":1002,"children":1155},[1156,1162,1168],{"type":1005,"children":1157},[1158],{"type":919,"children":1159},[1160],{"type":922,"value":1161},"Windows 10 version 1809 32bit",{"type":1005,"children":1163},[1164],{"type":919,"children":1165},[1166],{"type":922,"value":1167},"Windows 10 version 1809 64bit",{"type":1005,"children":1169},[1170],{"type":919,"children":1171},[1172],{"type":922,"value":1173},"Windows Server 2019",{"type":919,"children":1175},[1176,1178,1183],{"type":922,"value":1177},"0patch PRO users are welcome to request porting this micropatch to other Windows 10 or Server versions at ",{"url":1179,"type":12,"children":1180},"mailto:support@0patch.com",[1181],{"type":922,"value":1182},"support@0patch.com",{"type":922,"value":1184},". (Note that Windows 8, Windows 7, and their Server counterparts 2012 and 2008 don't seem to be affected.)\n\n\n",{"item":900,"type":1049},{"type":919,"children":1187},[1188,1190,1193,1195,1200,1202,1205,1207,1214,1216,1222],{"type":922,"value":1189},"\n\n\n",{"type":922,"marks":1191,"value":1192},[924],"One final question: Does the attacker really need a local user's password?",{"type":922,"value":1194},"\n\nWe seriously doubt that. While running the legacy schtasks.exe with an incorrect password via argument /RP results in an error, the documentation for ",{"url":1196,"type":12,"children":1197},"https://docs.microsoft.com/en-us/windows/desktop/api/mstask/nf-mstask-ischeduledworkitem-setaccountinformation",[1198],{"type":922,"value":1199},"IScheduledWorkItem::SetAccountInformation",{"type":922,"value":1201}," method (which actually gets called by legacy schtasks.exe) states: \"",{"type":922,"marks":1203,"value":1204},[968],"If you set the TASK_FLAG_RUN_ONLY_IF_LOGGED_ON flag, you may also set pwszPassword to NULL for local or domain user accounts.",{"type":922,"value":1206},"\" We haven't tested this but it sounds reasonable that for \"run only if logged on\" tasks a password would not be needed. Since attacker's goal is not to have the task executed but to have Task Scheduler change permissions on a target file, we believe executing the attack should also be possible without knowing any password.\n\n\nCheers!\n\nSimon Raner\n",{"url":1208,"meta":1209,"type":12,"children":1211},"https://twitter.com/mkolsek",[1210],{"id":932,"value":933},[1212],{"type":922,"value":1213},"@mkolsek",{"type":922,"value":1215},"\n",{"url":699,"meta":1217,"type":12,"children":1219},[1218],{"id":932,"value":933},[1220],{"type":922,"value":1221},"@0patch",{"type":922,"value":1223},"\n\n",{"alt":720,"url":1225,"width":904,"height":510,"responsiveImage":1226},"https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg",{"srcSet":1227,"webpSrcSet":1228,"sizes":1229,"src":1230,"width":1231,"height":1232,"aspectRatio":1233,"alt":720,"title":720,"bgColor":1234,"base64":1235},"https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg?auto=compress&crop=focalpoint&dpr=0.25&fit=crop&w=1440 360w,https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg?auto=compress&crop=focalpoint&fit=crop&w=1440 1440w","https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg?auto=compress&crop=focalpoint&dpr=0.25&fit=crop&fm=webp&w=1440 360w,https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg?auto=compress&crop=focalpoint&fit=crop&fm=webp&w=1440 1440w","(max-width: 1440px) 100vw, 1440px","https://www.datocms-assets.com/166020/1755779416-polar_bear_2339577.jpg?auto=compress&crop=focalpoint&fit=crop&w=1440",1440,675,2.1333333333333333,"#9c6032","data:image/jpeg;base64,/9j/4AAQSkZJRgABAQAAAQABAAD/2wCEAAoHBwgHBgoQDggLFg4NDhgQDg0NDiENFhENFxMZGBYTFhUaHysjGh0oHRUWJDUlKC0vMjIyGSI4PTcwPCsxMi8BCgsLBQUFEAUFEC8cFhwvLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vLy8vL//AABEIAAwAGAMBIgACEQEDEQH/xAAYAAADAQEAAAAAAAAAAAAAAAABBQYEAP/EAB4QAAICAQUBAAAAAAAAAAAAAAEDAAQyBRITISIC/8QAFQEBAQAAAAAAAAAAAAAAAAAAAgD/xAAUEQEAAAAAAAAAAAAAAAAAAAAA/9oADAMBAAIRAxEAPwB3UaoPHYh1WykEehJmvYby5GZtVst35mIThl1XwMhDJF9hu3IzpJ//2Q==",1780067937948]