KB5013952 Cumulative Update for Windows Server 2016

The May security update for Microsoft Windows Server 2016 was released yesterday. This security update is a cumulative update that fixes security vulnerabilities on Windows Server 2016. It also includes performance improvements and bug fixes as part of the standard Microsoft ‘Path Tuesday’ update cycle. We look at some key aspects of KB5013952 for Windows Server 2016. KB5013952 works well for Windows Server 2016 (Server Core Installation). You just need to ensure that you are patching the right MSU file on Windows Server 2016 or Windows Server 2016 (Server Core Installation).

You can read more about June month’s cumulative security update KB5014702 for Windows Server 2016.

Salient points about KB5013952

  • KB5013952 is a cumulative security update for Windows Server 2016.
  • It supersedes April month’s cumulative update KB5012596.
  • The update contains a fix for the zero-day vulnerability found on Windows Server 2016 – CVE-2022-26925.
  • Domain controllers on Windows Server 2016 should be patched with KB5013952 on a priority basis to resolve the CVE-2022-26925 security vulnerability. CVE-2022-26925 is being actively exploited as we write this.
  • Windows Server 2016 is also affected by CVE-2022-26923, a CVSS 8.8 vulnerability that affects Active Directory Domain Services. You need to be aware of the mitigation efforts required to control this vulnerability. This one is a seriously damaging vulnerability.
  • The size of the MSU update file for KB5013952 for x86 systems is 833.2 MB.
  • The size of the MSU update file for KB5013952 for x64 systems is 1562.7 MB.
  • Servicing Stack Update KB5014026 needs to be deployed on Windows Server 2016 before deploying KB5013952.
  • For resolving authentication issues on domain controllers patched with May month’s updates, please read more about KB5015019 out of band update for Windows Server 2016.

KB5015019 – Out of Band Update for Windows Server 2016

KB5015019 is an out-of-band update that has been released by Microsoft for Windows Server 2016. After deploying KB5013952 on Windows Server 2016 domain controllers, there were reports of issues in authenticating with the server. Here is the issue summary reported by Microsoft:

Addresses a known issue that might cause authentication failures for some services on a server or client after you install the May 10, 2022 update on domain controllers. These services include Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP). The issue affects how the domain controller manages the mapping of certificates to machine accounts. This issue only affects servers that are used as domain controllers; it does not affect client Windows devices.

The main points that you need to be aware of the KB5015019 update for Windows Server 2016 are:

  • KB5015019 is a cumulative update.
  • OS Build of Windows Server 2016 after installing KB5015019 is OS Build 14393.5127.
  • If you have not patched Windows Server 2016 with KB5013952, you can skip that deployment. You could directly deploy KB5015019 OOB or emergency update.
  • If you have already deployed KB5013952, please install KB5015019 as well. Only the incremental changes in KB5015019 will be deployed if your server is already patched with KB5013952.
  • Since this is an emergency OOB update, you cannot install it automatically through Windows Update. Only manual installation of KB5015019 is possible.
  • You can download KB5015019 through the Microsoft Update Catalog for Windows Server 2016.
  • The size of the KB5015019 MSU update file is 1548.7 MB. Please plan for some time to deploy this cumulative update on Windows Server 2016.

Zero-day vulnerabilities on Windows Server 2016 – May 10 Update

Windows Server 2016 is affected by a single zero-day vulnerability or threat.

CVE-2022-26925 – Windows LSA Spoofing Vulnerability is a critical vulnerability as it is being exploited by the threat actors. It has a CVSS score of 8.1. The attack complexity is High as the vulnerability has been rated with a complexity AC: H rating. Together with the NTLM Relay Attacks on Active Directory Certificate Services (AD CS), the LSA spoofing vulnerability poses a risk equivalent to a CVSS 9.8 critical vulnerability.

  • An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows them.
  • NTLM relay attacks on the domain controllers could be used in conjunction with CVE-2022-26925. You must take mitigation steps mentioned in the security update KB5005413 to enable Extended Protection for Authentication on the domain controllers, including the domain controllers based on Windows Server 2016. The NTLM relay attacks are part of the PetiiPotam vulnerability on the Windows servers and domain controllers.
  • Since this is a man-in-the-middle (MITM) attack, the attack complexity is complex and it is rated as AC: H.

Given the nature of this vulnerability, domain controllers must be patched on a priority basis.

There have been 75 vulnerability disclosures by Microsoft as part of the May month’s ‘Patch Tuesday’ updates. There are other vulnerabilities that affect Windows Server 2016 as well. For the purpose of our study, we have restricted our discussion to the Zero-day threats for Windows Server 2016 in May security updates.

For a controlled update of Windows Server 2016, you may take the server off-network at the time of running updates through a direct Internet connection. Upon restart and confirmation of flawless working, you can rejoin the network.

CVE-2022-26923 – Active Directory Domain Services Vulnerability – Elevation of Privileges

Windows Server 2016 is impacted by the Active Directory Domain Services vulnerability. It is a CVSS 8.8 critical vulnerability and is more likely to be exploited. An authenticated user could manipulate attributes on computer accounts they own or manage, and acquire a certificate from Active Directory Certificate Services that would allow elevation of privilege.

There is no resolution available as of now. The only mitigating step that you can undertake is to disable Active Directory Certificate Service on the domain. Since this may not be possible for all, we await a permanent resolution of the vulnerability.

Prerequisites for installing KB5013952 on Windows Server 2016 for May Patch Tuesday Updates

KB5013952 should be deployed after installing the Servicing Stack Update KB5014026. The SSU KB5014026 will be offered automatically as part of the Windows Update process. It will be installed prior to installing the KB5013952 on Windows Server 2016.

If you patch the Windows Server 2016 manually, you need to download and install the KB5014026 SSU from the Microsoft Update Catalog.

  • KB5014026 for Windows Server 2016 can be downloaded from the Update catalog page.
  • The size of the x64 update file for Windows Server 2016 is 11.6 MB.

How can I get the KB5013952 update for Windows Server 2016?

KB5013952 is available through all the normal channels of Windows Updates.

  • KB5013952 can be downloaded from the Microsoft Update Catalog page for KB5013952.
  • The size of the KB5013952 MSU update file is 1562.7 MB.
  • Before deploying KB5013952, please ensure you have deployed KB5014026.
  • KB5013952 can be automatically applied using the Windows Update program. The SSU KB5014026 will be presented automatically as part of the update process.
  • KB5013952 can also be automatically applied using the Windows Update for Business.
  • You can use the WSUS or the Windows Server Update Service to deploy KB5013952 on Windows Server 2016 automatically.

You can read about the April security update for Windows Server 2016 on the KB5012596 page.

.NET Framework Update on Windows Server 2016

January 2022 updates broke the Active Directory Forest trust information functionality on Windows Server 2016. The impact was on account of issues with the underlying .NET Framework. .NET Framework issues have been resolved as part of the .NET updates.


KB5013952 is the security update for Windows Server 2016 that resolves a critical zero-day vulnerability. It also resolves a few issues that happened due to the implementation of January security updates. KB5013952 supersedes KB5012596 cumulative security update for the month of April 2022.

You may also like to read the following content related to May month’s Patch Tuesday updates by Microsoft: