Windows 10 First ESU Patch Released
by Mike Puglia
4 min read
Microsoft has ended Windows 10 support. Since October 14, 2025 there has been no technical support, no feature updates and, critically, no free security patches. In November, Microsoft released its first Extended Security Update (ESU) for customers still running Windows 10 who are willing to pay for continued updates. The patch, KB5068781, is the Windows 10 cumulative update from a Patch Tuesday release that fixes 63 security vulnerabilities, including one zero-day that is being actively exploited in the wild. Only Windows 10 systems enrolled in the ESU program received the patch, but the vulnerabilities it fixes are now public, so attackers know exactly what to target on every unenrolled machine. Organizations should enroll those machines in ESU (and patch them) or decommission them.
Patch Information
KB5068781 is the Windows 10 cumulative update from Microsoft's November 2025 Patch Tuesday, a release that addresses 63 security vulnerabilities, five of them rated critical and, most importantly, one zero-day that is being actively exploited.
The zero-day is tracked as CVE-2025-62215, a race condition in the Windows Kernel that, if successfully exploited, allows a local attacker to escalate privileges to SYSTEM. Because it is a local privilege escalation, it is typically chained after an initial foothold (a phishing payload, a browser exploit, a malicious installer) rather than used for entry, which is exactly the stage where an unpatched kernel turns a contained user-level compromise into full control of the machine. CISA has confirmed exploitation in the wild and added it to the Known Exploited Vulnerabilities (KEV) Catalog, strongly urging all organizations to reduce their exposure by prioritizing remediation.
The other critical vulnerabilities in the November release are:
CVE-2025-30398 Nuance PowerScribe 360 vulnerability which could allow an unauthorized attacker to disclose information
CVE-2025-60716 DirectX Graphics Kernel vulnerability which could allow an authorized attacker to escalate privileges locally
CVE-2025-60724 Microsoft Graphics Component (GDI+) vulnerability which could allow an unauthorized attacker to execute code over a network
CVE-2025-62199 Microsoft Office vulnerability which could allow an unauthorized attacker to execute code locally
CVE-2025-62214 Visual Studio vulnerability which could allow an authorized attacker to execute code locally
Note that only the Windows components (DirectX, GDI+, the kernel) are fixed by KB5068781 itself. The Office, Visual Studio and PowerScribe fixes ship through those products' own update channels, so installing the Windows cumulative update alone does not close them.
ESU Out-of-Band Emergency Fixes
Microsoft has released two out-of-band emergency patches to resolve issues that were blocking users from getting the first ESU patch. Consumer devices that cannot enroll in the ESU program via the enrollment wizard need to install the out-of-band update KB5071959 first; once it is in place the wizard completes and KB5068781 is offered. Some business devices instead fail the update with error code 0x800f0922. This is caused by a bug in subscription licensing, and those devices must install KB5072653 before KB5068781 will install.
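The practical question for an administrator is which Windows 10 hosts actually have KB5068781, and for those that do not, whether the ESU license is in place or one of the out-of-band fixes is still needed. The script below is an added example, not code from the original article or from Microsoft: run it in an elevated PowerShell 5.1 session on the host. The UBR value 6575 is taken from the KB5068781 release notes (OS Build 19045.6575) and is an assumption to confirm against that article; the name filter used to spot an activated ESU license is a heuristic, so if it returns nothing, cross-check with slmgr /dlv.

```powershell
# Added example (not from the original article). Inventories a Windows 10 host for the
# first ESU cumulative update, the two out-of-band enrollment fixes and an ESU license.
# Run elevated. Assumptions: UBR 6575 = KB5068781 on 19044/19045 (confirm in the KB notes);
# the ESU license name filter is a heuristic (verify with 'slmgr /dlv').

$EsuCumulative = 'KB5068781'                 # first Windows 10 ESU patch (Nov 2025)
$OobFixes      = @('KB5071959', 'KB5072653') # consumer wizard fix, 0x800f0922 fix
$PatchedUbr    = 6575                        # assumption: UBR reported after KB5068781

function Get-Win10EsuState {
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Get-HotFix reads Win32_QuickFixEngineering; cumulative updates appear by KB id.
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue | ForEach-Object { $_.HotFixID })

    # Heuristic: an activated ESU add-on shows up as a licensed SoftwareLicensingProduct.
    $esuLicense = Get-CimInstance -ClassName SoftwareLicensingProduct |
        Where-Object { $_.PartialProductKey -and $_.LicenseStatus -eq 1 -and
                       $_.Name -match 'Extended Security|ESU' } |
        Select-Object -First 1

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IsWindows10       = ($build -lt 22000)            # Windows 11 builds start at 22000
        OsBuild           = "$build.$ubr"
        # The UBR comparison only means something on the 21H2/22H2 code base.
        BuildAtOrAbove    = (($build -in 19044, 19045) -and ($ubr -ge $PatchedUbr))
        HasKB5068781      = ($hotfixes -contains $EsuCumulative)
        OobFixesInstalled = @($OobFixes | Where-Object { $hotfixes -contains $_ })
        EsuLicense        = $esuLicense.Name               # $null when nothing matched
    }
}

$state = Get-Win10EsuState
$state | Format-List

if (-not $state.IsWindows10) {
    'Not a Windows 10 host; ESU does not apply.'
} elseif ($state.HasKB5068781 -or $state.BuildAtOrAbove) {
    'KB5068781 present: CVE-2025-62215 is remediated on this host.'
} elseif (-not $state.EsuLicense) {
    'No ESU license detected: enroll (install KB5071959 first if the wizard fails) or decommission.'
} else {
    'ESU licensed but KB5068781 missing: if Windows Update fails with 0x800f0922, install KB5072653 and retry.'
}
```

Both the hotfix list and the build number are checked because Get-HotFix occasionally misses an update that was staged but not yet reported to Win32_QuickFixEngineering, while the build number reflects what is actually running; a host is only treated as patched when at least one of the two confirms it.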
Windows 10 End of Support Background
On October 14, 2025, Windows 10 reached its End of Support milestone, ending technical support and feature updates. Security updates remain available through the Extended Security Update (ESU) program, which runs until October 10, 2028 for Enterprise, Education and Pro editions in commercial use (three years). For consumer editions the ESU program runs until October 13, 2026 (one year). Pricing for commercial versions starts at $61/device/year and doubles each year ($122 in year 2 and $244 in year 3); consumer enrollment is a one-time $30 fee, or free in exchange for syncing PC settings with Windows Backup or redeeming 1,000 Microsoft Rewards points.
Our research indicates approximately 20% of business endpoints are still running Windows 10, significantly higher than what we observed when Windows 7 reached End of Support. The main reason for the disparity is the set of hardware prerequisites a computer must meet to upgrade to Windows 11. A computer manufactured after 2018 will likely meet them, but that still leaves hundreds of millions of machines that are "stuck" on Windows 10.
The biggest impediment is the requirement for Trusted Platform Module 2.0 (TPM 2.0), a hardware security component that stores cryptographic keys and measurements used to verify the integrity and authenticity of the boot chain. Additional requirements include UEFI firmware that supports Secure Boot (legacy BIOS is not supported), a 64-bit CPU with at least two cores at 1 GHz (no 32-bit CPUs), and minimum thresholds of 4 GB of RAM and 64 GB of storage; the CPU model must also appear on Microsoft's supported-processor list.
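To decide which of the three options below applies to a given machine, it helps to test those prerequisites directly rather than guessing from the manufacture date. The following script is an added example, not code from the original article or from Microsoft; it runs the hardware checks the paragraph lists (TPM 2.0, UEFI and Secure Boot, 64-bit CPU with two or more cores at 1 GHz or more, 4 GB RAM, 64 GB system disk) in an elevated PowerShell session. It does not check the supported-CPU-model list, which needs Microsoft's published lists or the PC Health Check app.

```powershell
# Added example (not from the original article). Tests a Windows 10 host against the
# Windows 11 hardware minimums. Run elevated: Confirm-SecureBootUEFI and the Win32_Tpm
# class both need administrator rights. The supported-CPU-model list is not checked.

function Test-Win11Readiness {
    # Win32_Tpm.SpecVersion reads like "2.0, 0, 1.38"; the first field is the spec version.
    $tpm = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $tpmVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { $null }

    # $env:firmware_type is 'UEFI' or 'Legacy'. Confirm-SecureBootUEFI throws on legacy
    # BIOS machines, so a throw is treated as "not enabled".
    $uefi = ($env:firmware_type -eq 'UEFI')
    try   { $secureBoot = Confirm-SecureBootUEFI } catch { $secureBoot = $false }

    $cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
    $ram  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $disk = Get-CimInstance Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"

    # Windows 11 only requires Secure Boot *capable* firmware; an enabled check is
    # stricter, but a UEFI machine failing it just needs Secure Boot turned on.
    $checks = [ordered]@{
        'TPM 2.0'             = ($tpmVersion -eq '2.0')
        'UEFI firmware'       = $uefi
        'Secure Boot enabled' = [bool]$secureBoot
        '64-bit CPU'          = ($cpu.AddressWidth -eq 64)
        '2+ cores'            = ($cpu.NumberOfCores -ge 2)
        '1 GHz+'              = ($cpu.MaxClockSpeed -ge 1000)   # MaxClockSpeed is in MHz
        '4 GB RAM'            = ($ram -ge 4GB)
        '64 GB system disk'   = ($disk.Size -ge 64GB)
    }

    foreach ($entry in $checks.GetEnumerator()) {
        [pscustomobject]@{ Requirement = $entry.Key; Pass = $entry.Value }
    }
}

$results = Test-Win11Readiness
$results | Format-Table -AutoSize

$blockers = @($results | Where-Object { -not $_.Pass })
if ($blockers.Count -eq 0) {
    'Hardware meets the Windows 11 minimums; confirm the CPU model is on the supported list, then upgrade.'
} else {
    "Blocked on: $($blockers.Requirement -join ', '). Fix in firmware where possible, otherwise plan ESU or replacement."
}
```

A machine that fails only the Secure Boot or TPM check is often fixable in firmware settings (enabling the fTPM/PTT and switching from CSM to UEFI boot, which may require converting the disk from MBR to GPT), whereas a 32-bit CPU, a TPM 1.2 or a pre-2018 processor is a hardware ceiling and pushes the machine toward ESU or replacement.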
Organizations Have Three Options
- Upgrade to Windows 11
- Decommission and replace Windows 10 machines
- Purchase Microsoft Extended Security Updates (ESUs) for Windows 10 machines
Now that the first ESU patch is out, threat actors know which vulnerabilities remain open on unenrolled Windows 10 machines, and at least one of them (CVE-2025-62215) is already being actively exploited. Once the underlying operating system kernel is compromised, endpoint security products running on that kernel cannot be relied on for comprehensive protection. We strongly recommend that organizations act quickly on one of the three options above to avoid compromise.