// News Desk · 27 April 2026 · nation state · vulnerability · commentary
// Source: securityweek.com

APT28 turns an incomplete Windows patch into a zero-click attack

Russia's GRU exploited a Windows flaw that Microsoft thought it had fixed. The 'patch the patch' problem keeps shipping defenders a worse version of what they paid for.

A Windows vulnerability that Microsoft believed it had patched has been re-weaponised by APT28, the GRU-attributed group also tracked as Fancy Bear and Forest Blizzard. SecurityWeek reports the original fix was incomplete; the attackers, who clearly knew the area of the bug well, found the gap and turned it into a zero-click attack against Ukrainian government targets and several EU member-state networks.

The “patch the patch” problem is now familiar enough to deserve a name. A vendor ships a fix. The fix narrows the bug class but doesn’t close it. Researchers — friendly or otherwise — discover the residual exposure. By the time the second fix lands, attackers who follow the patch diff have already had weeks of unhindered exploitation against organisations that applied the first patch and considered themselves clean.

The lesson isn’t that patching is futile. Patching is the cheapest, highest-yield control on the table; the alternative is significantly worse. The lesson is that “patched” is a less useful operational signal than most security programmes treat it as. CVE-coverage dashboards in an asset inventory say “we applied an update.” They do not say “we closed the vulnerability class.” For groups that target aggressively and persistently — APT28, Volt Typhoon, the Salt Typhoon family — that distinction is doing a lot of work.

Two things actually help. The first is threat-intelligence subscriptions that surface patch-bypass research within hours of a vendor’s release, not days. The window matters; the bypass typically lands inside it. The second, more durable answer is segmentation around the services these groups disproportionately target — Outlook on the web, Exchange, Office 365 token paths, anything that converts an endpoint compromise into a session-token theft. A partial patch failing inside a properly segmented Exchange path is contained. A partial patch failing on a flat enterprise network is what we keep reading about.

The honest take. The patch graph is not the vulnerability graph. Treat the gap between them as the operational reality, because it is.
