enSilo Releases Free Patch for Windows ESTEEMAUDIT Exploit


Today, enSilo has issued a patch that protects vulnerable Windows XP and Server 2003 users from ESTEEMAUDIT, an exploit for a Windows remote desktop protocol (RDP) vulnerability that leaves users exposed to ransomware, espionage campaigns and other malicious code that can propagate in the enterprise.

By now everyone knows about WannaCry and the problem with unpatched systems. But what happens when the next Windows vulnerability is released and no patch is issued on an end-of-life product?

The patch for Windows XP and Server 2003 supports silent installation and does not require a reboot, which helps users avoid the downtime typically associated with patch installations. Upon patching, any attempt to use an ESTEEMAUDIT exploit to infect a patched machine will inevitably fail.


Microsoft ended support for Windows XP in 2014 and for Windows Server 2003 a year later. When this happened, Microsoft ceased providing security updates and technical support for these still ubiquitous and widely embedded operating systems.

Years later, hundreds of millions of machines relying on XP and Server 2003 operating systems remain in use around the world. Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today, and the cybersecurity industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003, accounting for roughly 18 percent of global market share.

Making matters worse, the hacking group Shadow Brokers recently disclosed a number of vulnerabilities in these operating systems to the public Internet, dumping onto the street a digital arsenal of software exploits allegedly held by the United States National Security Agency (NSA). Exploit kits armed with the Shadow Brokers’ weapons are already in operation, which means that attackers have easy access to tools to target susceptible systems – many of which support critical infrastructure, life-saving solutions and military operations.

With the recent WannaCry ransomware attacks as a prime example, these orphaned operating systems very much remain a critical attack surface in attackers’ crosshairs. Foreign governments rely on them, as do U.S. military, law enforcement and other agencies. Windows XP still underpins ATMs, connected hospital gear and other devices many take for granted. Without Microsoft support, these machines are going unpatched and are left extremely vulnerable.

With no official solution in sight, these systems are ripe for ransomware and data manipulation and theft. This should be alarming for the military, along with healthcare organizations and law enforcement agencies.

The leaks of NSA-built exploits have come at the same time as the U.S. President issued an Executive Order outlining his directives for improving cybersecurity within government organizations. On a tactical level, many security teams across government and commercial enterprise are faced with the reality of highly vulnerable systems within their networks.


The trove of stolen exploits published by the Shadow Brokers includes ESTEEMAUDIT, an RDP exploit that can allow malware to move laterally within the organization, similar to what we saw with WannaCry.

enSilo is giving away its patch against ESTEEMAUDIT for free with the intention of helping organizations around the world improve their security posture in one easy but critical step.

It is important to note that patching this exploit will not make these XP systems fully secure. There are still many unpatched vulnerabilities in Windows XP, and we urge organizations to update their systems accordingly.

Until that happens, we believe that in-the-wild critical exploits like ESTEEMAUDIT and ETERNALBLUE must be patched.

Technical Notes

enSilo’s ESTEEMAUDIT patch is a persistent patch for English versions of Windows XP and Windows Server 2003. It supports the newest versions of these OSes, both x86 and x64, including:

  • XP SP3 x86 – with all patches installed
  • XP SP2 x64 – with all patches installed
  • 2003 SP2 – with all patches installed

Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in-memory patching (hotpatching) of ESTEEMAUDIT. Any attempt to use ESTEEMAUDIT to infect the patched machine will inevitably fail.

The patch is installed by an installation program after accepting the terms of usage. The installation program will support uninstallation by signaling an event (which will remove the patch in memory) and then unregistering the patch from loading into all subsequent RDP sessions.


Update, June 4: Support is for English versions of the supported OSes.
