0patch delivers micropatch: Fix for Windows Server without ESU is here

Windows Server contains a dangerous vulnerability in the telephony service, tracked as CVE-2026-20931. However, Microsoft’s January patch sometimes causes TAPI failures. Now 0patch provides a micropatch, even for older servers without ESU.
Danger in the telephone service
Microsoft had already closed a critical vulnerability with the identifier CVE-2026-20931 in the Windows Telephony Service in January. The vulnerability allows local attackers to secretly escalate their privileges by manipulating system files and executing malicious code with higher privileges. The cause is a missing security check in the service architecture.
However, the official patch caused problems in existing environments. After the installation, administrators reported broken TAPI connections, which computers use to communicate with traditional telephone systems. Since the January update, clients are often no longer able to establish a connection to the telephony server on the domain controller.
Unofficial fix for old servers
Alternative protection is now available for operators of older systems. According to 0patch, a micropatch closes the gap by adding a check of the target path: it verifies that the target is a legitimate mailslot and not a path in the file system. This prevents the configuration file tsec.ini from being overwritten.
Let’s see our patch in action. First, with 0patch disabled, a low-privilege user runs the attack tool, which instructs the Telephony service to overwrite the “tsec.ini” file with arbitrary content (we used “test” for demonstration purposes). The attack is successful. However, if 0patch is activated, the file can no longer be overwritten. (Source: 0patch)
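The kind of target-path check described above can be sketched as a strict allowlist validator. This is an added example, not 0patch's micropatch or Microsoft's code; the function name `is_mailslot_path`, the sample paths and the rejection rules are assumptions, built on the documented mailslot name format `\\<host>\mailslot\[path\]name`.

```python
import re

# One path component: no separators, no reserved characters, no control bytes.
_COMPONENT = re.compile(r'[^\\/:*?"<>|\x00-\x1f]+')


def _ok(component: str) -> bool:
    """A usable name component: non-empty, legal characters, no traversal."""
    return component not in (".", "..") and bool(_COMPONENT.fullmatch(component))


def is_mailslot_path(target: str) -> bool:
    """Return True only if target has the form \\\\<host>\\mailslot\\[path\\]name.

    <host> may be "." (local), "*" (broadcast), a computer name or a domain
    name. Anything else (drive paths, UNC shares, traversal) is rejected.
    """
    if not target.startswith("\\\\"):
        return False                      # drive-letter, relative or rooted path
    parts = target[2:].split("\\")
    if len(parts) < 3:
        return False                      # need host, "mailslot" and a name
    host, device, names = parts[0], parts[1], parts[2:]
    if device.lower() != "mailslot":
        return False                      # e.g. \\server\share\file
    if host not in (".", "*") and not _ok(host):
        return False
    return all(_ok(n) for n in names)     # rejects empty names and ".."


# Constructed sample inputs (hypothetical host and directory names).
SAMPLES = [
    r"\\.\mailslot\tapi\client1",
    r"\\WORKSTATION7\mailslot\sample",
    r"C:\example\tsec.ini",
    r"\\fileserver\share\tsec.ini",
    r"\\.\mailslot\..\..\example\tsec.ini",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print("allow " if is_mailslot_path(path) else "reject", path)
```

The validator only accepts what matches the expected form, so forward slashes, empty components and `..` segments are refused rather than normalized.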
The unofficial fix is intended for environments without paid Extended Security Updates (ESU) licenses. Windows Server 2008 R2, Windows Server 2012 and Windows Server 2012 R2 are protected. This gives operators additional protection even though regular support for these versions has expired. The affected telephony service is also present in current client systems such as Windows 10 and Windows 11, but according to current analyses, there is no acute danger there. In internal tests, the vulnerability could not be successfully exploited on these platforms because the memory management in newer Windows versions intercepts corresponding attacks.
One advantage of micropatch technology is that it can be applied during operation without having to restart the server. However, the prerequisite is an installed agent from the provider and an active user account, which means an additional dependency on an external service. For companies that still rely on old Windows servers, the approach can still buy time until the migration to current operating systems is completed.
Alexia is the author at Research Snipers covering all technology news including Google, Apple, Android, Xiaomi, Huawei, Samsung News, and More.