TL;DR
Microsoft's emergency patch for a zero-day vulnerability exploited by Russian state-sponsored hackers failed to fully address the underlying flaw, leaving Windows systems exposed to a second, actively exploited attack vector. This matters because it demonstrates that even urgent security fixes can be incomplete, and that adversaries are already weaponizing the gap before a comprehensive solution arrives.
What Happened
On Wednesday, April 29, 2026, Microsoft acknowledged that its emergency patch for a zero-day vulnerability (CVE-2026-XXXX) — initially exploited by Russian intelligence-linked group APT29 (Cozy Bear) — did not fully remediate the flaw. A second, distinct attack vector is now under active exploitation, according to a report from The Register. The incomplete fix has forced security teams into a scramble, as the original patch only closed one of multiple entry points in the same component.
Key Facts
- The original zero-day, designated CVE-2026-XXXX, was disclosed on April 15, 2026 after APT29 used it in targeted attacks against NATO-aligned government agencies in Eastern Europe.
- Microsoft issued an out-of-band emergency patch on April 18, but researchers at Mandiant and CrowdStrike identified a second bypass technique within 72 hours of the patch's release.
- The bypass exploits a kernel-mode driver in the Windows Kernel Transaction Manager (KTM) — a component used for file system transactions — that the initial patch only partially hardened.
- As of April 29, Microsoft has not released a second emergency patch, but has published a security advisory with mitigation steps, including disabling the KTM service on critical systems.
- The flaw affects Windows 10, Windows 11, and Windows Server 2022/2025 across both x64 and ARM64 architectures.
- Russian state-sponsored group APT29, also known as Cozy Bear and Nobelium, is the same actor behind the SolarWinds supply chain attack in 2020.
- CISA issued an emergency directive on April 28, requiring all federal civilian agencies to apply the initial patch and implement workarounds within 48 hours.
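The advisory's interim mitigation, disabling the KTM service on systems that do not need it, is easiest to apply consistently if you first inventory which hosts run it and record the result. The script below is an added example and is not from the article, from Microsoft's advisory, or from CISA. It assumes that "the KTM service" refers to the Windows service named KtmRm ("KtmRm for Distributed Transaction Coordinator"), which is the service that exposes the Kernel Transaction Manager's resource manager; confirm the exact service name against the advisory before running it with -Disable. The host list and the CSV output path are constructed values.

```powershell
# Added example, not from the article or the vendor advisory.
# ASSUMPTION: the advisory's "KTM service" is the KtmRm service. Verify before use.
# Audits OS version and KtmRm state on each host; with -Disable (and -WhatIf
# support) it stops the service and sets its start mode to Disabled via CIM,
# which works from both Windows PowerShell 5.1 and PowerShell 7.

[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]] $ComputerName = @('localhost'),  # constructed default host list
    [string]   $ServiceName  = 'KtmRm',          # assumption, see lead-in
    [switch]   $Disable
)

$results = foreach ($c in $ComputerName) {
    try {
        $os  = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
        $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $c `
                   -Filter "Name='$ServiceName'" -ErrorAction Stop

        [pscustomobject]@{
            Computer  = $c
            Caption   = $os.Caption        # e.g. Windows 11 / Server 2022
            OSVersion = $os.Version
            Service   = if ($svc) { $svc.Name }      else { '<not present>' }
            State     = if ($svc) { $svc.State }     else { 'n/a' }
            StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
            Error     = $null
        }

        if ($Disable -and $svc -and $PSCmdlet.ShouldProcess("$c/$ServiceName", 'Stop and disable')) {
            # Win32_Service exposes StopService and ChangeStartMode as CIM methods.
            Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
            Invoke-CimMethod -InputObject $svc -MethodName ChangeStartMode `
                -Arguments @{ StartMode = 'Disabled' } | Out-Null
        }
    }
    catch {
        # Keep unreachable or failing hosts in the report instead of dropping them.
        [pscustomobject]@{
            Computer  = $c; Caption = $null; OSVersion = $null
            Service   = $null; State = $null; StartMode = $null
            Error     = $_.Exception.Message
        }
    }
}

$results | Format-Table -AutoSize
$results | Export-Csv -Path .\ktm-audit.csv -NoTypeInformation  # constructed output path
```

Run it without -Disable first to get the inventory, then with -Disable -WhatIf to preview changes. Because the article notes that SQL Server and Windows Update components rely on KTM, apply the change only to the non-essential systems the advisory targets and keep the CSV so the services can be re-enabled once the complete fix ships.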
Breaking It Down
The core failure here is not that Microsoft shipped a bad patch — it's that the company shipped an incomplete patch for a vulnerability that it knew was under active exploitation by a sophisticated state actor. When APT29 first leveraged the KTM flaw in mid-April, Microsoft's engineering team had to balance speed against thoroughness. They chose speed. The result was a fix that addressed one specific exploitation path — a particular race condition in the KTM's transaction rollback logic — but left other paths through the same component unhardened.
Within 72 hours of the patch's release, Mandiant observed three distinct exploitation attempts using a variant that bypassed the fix entirely — all traced to infrastructure previously associated with APT29's Cobalt Strike deployments.
This timeline reveals a critical gap in Microsoft's vulnerability response process. The Microsoft Security Response Center (MSRC) typically performs regression testing against known bypass techniques before shipping a patch. In this case, the urgency of an actively exploited zero-day, especially one tied to Russian intelligence, appears to have truncated that testing. The result is a patch that works against the original attack vector but fails against a closely related one. For defenders, this creates a worst-case scenario: you deploy a patch you trust, only to discover you're still exposed.
The Windows Kernel Transaction Manager is a particularly dangerous component to leave partially patched. It operates at the kernel level with SYSTEM privileges, meaning any successful exploit grants an attacker full control over the target machine. APT29 has historically used kernel-level access to deploy persistent backdoors like MagicWeb and Silver, which can survive OS reinstallation. The incomplete patch essentially hands them a second chance to establish long-term access in networks that thought they were protected.
What Comes Next
- Microsoft is expected to release a comprehensive fix in the May 2026 Patch Tuesday (scheduled for May 12), but the company may be forced into a second emergency patch if exploitation volume spikes. The advisory's language — "working on a complete resolution" — suggests engineering is still in progress.
- CISA will likely expand its emergency directive to include the bypass technique, potentially requiring agencies to disable the KTM service entirely on non-essential systems. This would disrupt file transaction operations in SQL Server and Windows Update components that rely on KTM.
- APT29 will continue to exploit the bypass aggressively, particularly against energy sector and defense industrial base targets in Ukraine and NATO member states, where they have historically focused.
- Third-party security vendors — including CrowdStrike, SentinelOne, and Palo Alto Networks — will likely release behavioral detection rules for the bypass technique within the next 48 hours, providing partial protection for organizations that cannot disable KTM.
The Bigger Picture
This incident underscores two converging trends. First, patch incompleteness is becoming a systemic risk in the software industry. As adversaries accelerate their exploitation timelines, often weaponizing vulnerabilities within hours of disclosure, vendors are under mounting pressure to ship fixes before they are fully tested. The result is a growing class of "patches that don't patch," which erodes trust in the entire update ecosystem. Microsoft is not alone here: Apple faced similar criticism in 2024 over a Safari zero-day that required three separate fixes.
Second, state-sponsored exploitation persistence is evolving. Groups like APT29 no longer treat a patch as a defeat. Instead, they actively analyze patches for bypass opportunities, often within the same week. This "patch analysis" capability, in which adversaries reverse-engineer a fix to find what the vendor didn't fix, is becoming standard practice for advanced persistent threat groups. Russian state actors in particular have invested heavily in this technique since the SolarWinds campaign, where they demonstrated patience and technical depth in exploiting supply chain trust.
Key Takeaways
- [Incomplete Patch Risk]: Microsoft's emergency fix for the APT29-exploited zero-day failed to address all attack vectors, leaving systems exposed to a second, actively exploited bypass within the same kernel component.
- [APT29 Activity]: Russian state-sponsored group APT29 is actively exploiting the bypass, leveraging its expertise in kernel-level persistence to target NATO-aligned governments and critical infrastructure.
- [Mitigation Urgency]: Organizations should immediately apply the original patch, disable the Windows Kernel Transaction Manager service on non-essential systems, and deploy behavioral detection rules from third-party security vendors.
- [Broader Trend]: This incident highlights the growing problem of patch incompleteness, where urgent security fixes are shipped without full regression testing, enabling adversaries to exploit bypasses before comprehensive updates arrive.