KB5025228 is the April 2023 cumulative update for Windows Server 2016 and the Windows Server 2016 Server Core installation. This update addresses security vulnerabilities and brings in product improvements for Windows Server 2016.
KB5025228 has now been superseded by KB5026363. You can read more about KB5026363 on this page.
Key points about the KB5025228 update for Windows Server 2016
- KB5025228 is a cumulative update that supersedes March’s cumulative update KB5023697.
- KB5025228 corresponds to server build 14393.5850. If you did deploy the March 2023 cumulative update, you will be upgrading from server build 14393.5786 to 14393.5850.
- There are 66 disclosed vulnerabilities for Windows Server 2016 in April’s security bulletin. Of these 66 vulnerabilities, 6 carry a ‘CRITICAL’ severity level. Two vulnerabilities have a CVSS score of 9.8. Details of these vulnerabilities are shared in the vulnerability section. All 6 CRITICAL vulnerabilities are of the ‘Remote Code Execution’ type.
- The Servicing Stack Update KB5023788 must be deployed on the server before installing KB5025228. KB5023788 was released in March 2023. If you deployed the March 2023 cumulative update KB5023697, the Servicing Stack Update (SSU) may already be installed on the Windows Server 2016.
Download KB5025228 for Windows Server 2016
You can install KB5025228 manually through an offline installer file. The offline installer file is in .MSU format. You can download it from the Microsoft Update Catalog page for KB5025228. A direct download link for the MSU file is shared below.
Prior to installing KB5025228, we need to make sure that the KB5023788 Servicing Stack Update is also deployed. So, our download sequence should involve the download of the SSU KB5023788 and cumulative update KB5025228.
Security update or SSU | Download link | Size of the update |
---|---|---|
KB5023788 | Download | 11.7 MB |
KB5025228 | Download | 1537.2 MB |
Alternatively, you can download the offline installer directly from the Microsoft Update catalog site.
- Download KB5023788 SSU for Windows Server 2016 from the Microsoft Update catalog site.
- Download cumulative update KB5025228 for Windows Server 2016 from the Microsoft Update Catalog site.
You need to deploy the SSU before installing the main security update.
When you deploy the SSU, there will be no server restart. However, installation of the cumulative update will need a server restart. So, you may have to plan the installation of the cumulative update.
Apart from manual deployment, you can also use one of the following automated strategies to patch KB5025228 on Windows Server 2016:
- Windows Update
- WSUS or Windows Server Update Service
- Windows Update for Business
In the case of automated installation, you will notice that the Servicing Stack Update is automatically installed before the main release version of cumulative update KB5025228 is installed.
Also, the cumulative update is in excess of 1.5 GB in size. The rollout of this update will take some time, so it is best to implement KB5025228 under a change management schedule.
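The manual sequence described above (SSU first, then the cumulative update, restart planned separately) can be checked and driven from PowerShell. This is an added example, not part of the original article or a Microsoft script: the KB numbers and build revisions come from this page, while the `.msu` paths and the function names `Get-PatchPlan` and `Install-Msu` are placeholders chosen for illustration.

```powershell
# Added example. KB numbers and build revisions come from the article;
# the .msu paths below are placeholders for the files you downloaded.
$SsuKb = 'KB5023788'; $SsuMsu = 'C:\Patches\KB5023788-placeholder.msu'
$CuKb  = 'KB5025228'; $CuMsu  = 'C:\Patches\KB5025228-placeholder.msu'
$Install = $false   # report only by default; set to $true inside a change window

function Get-PatchPlan {
    param([int]$Build, [int]$Ubr, [string[]]$InstalledKbs, [int]$TargetUbr = 5850)
    if ($Build -ne 14393)    { return @() }   # not the 14393 build line this update targets
    if ($Ubr -ge $TargetUbr) { return @() }   # 14393.5850 or a later cumulative update is present
    # Assumption: the SSU is reported by Get-HotFix on this server.
    # If in doubt, confirm with: dism /online /get-packages
    if ($InstalledKbs -contains $SsuKb) { return @($CuKb) }
    return @($SsuKb, $CuKb)                   # SSU first, then the cumulative update
}

function Install-Msu {
    param([string]$Path)
    $p = Start-Process wusa.exe -ArgumentList "`"$Path`"", '/quiet', '/norestart' -Wait -PassThru
    return $p.ExitCode                        # 0 = installed, 3010 = installed, restart required
}

# Read the live state: build number and update build revision (UBR), plus installed KBs.
$cv   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$kbs  = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
$plan = @(Get-PatchPlan -Build $cv.CurrentBuildNumber -Ubr $cv.UBR -InstalledKbs $kbs)

Write-Output "Current build: $($cv.CurrentBuildNumber).$($cv.UBR)"
if ($plan.Count -eq 0) { Write-Output 'Nothing to install.'; return }
Write-Output "Install order: $($plan -join ' -> ')"

if ($Install) {
    foreach ($kb in $plan) {
        $msu = if ($kb -eq $SsuKb) { $SsuMsu } else { $CuMsu }
        if (-not (Test-Path $msu)) { throw "$kb installer not found at $msu" }
        $code = Install-Msu -Path $msu
        Write-Output "$kb exit code: $code"
        # Stop on failure so the cumulative update is never attempted without the SSU.
        if ($code -notin 0, 3010) { throw "$kb failed; not continuing" }
    }
    Write-Output 'Schedule the restart; afterwards the UBR should read 5850.'
}
```

Because `/norestart` is passed, the server is not rebooted by the script; the restart needed by the cumulative update stays under your change schedule.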
Security vulnerabilities on Windows Server 2016
April’s security bulletin for Windows Server 2016 contains 66 different security threats. Out of these 66 vulnerabilities, 6 are of ‘CRITICAL’ severity and the remaining carry the ‘IMPORTANT’ severity level.
It may be worth reiterating that all 66 of these security threats also affect the Windows Server 2016 Server Core installation.
Zero day threats on Windows Server 2016
Microsoft has republished an old vulnerability because exploitation attempts have been detected against the way WinVerifyTrust Signature Validation works on Windows server and desktop operating systems.
The two zero-day threats that affect Windows Server 2016 and the Windows Server 2016 Server Core installation are:
Vulnerability | CVE Title | CVSS Score | Vulnerability scope |
---|---|---|---|
CVE-2013-3900 | WinVerifyTrust Signature Validation | 7.4 | Remote code execution |
CVE-2022-43552 | Windows Common Log File System Driver | 7.8 | Elevation of Privilege Vulnerability |
Apart from these zero-day threats, there are 6 ‘CRITICAL’ vulnerabilities that affect Windows Server 2016 and Windows Server 2016 Server Core installation. The details of these vulnerabilities are shared in brief below.
CRITICAL vulnerabilities affecting Windows Server 2016
Vulnerability | CVE Title | CVSS Score | Vulnerability scope |
---|---|---|---|
CVE-2023-21554 | Microsoft Message Queuing | 9.8 | Remote Code Execution |
CVE-2023-28250 | Windows Pragmatic General Multicast (PGM) | 9.8 | Remote Code Execution |
CVE-2023-28231 | DHCP Server Service | 8.8 | Remote Code Execution |
CVE-2023-28219 | Layer 2 Tunneling Protocol | 8.1 | Remote Code Execution |
CVE-2023-28220 | Layer 2 Tunneling Protocol | 8.1 | Remote Code Execution |
CVE-2023-28232 | Windows Point-to-Point Tunneling Protocol | 7.5 | Remote Code Execution |
All these 6 vulnerabilities carry an impact of ‘Remote Code Execution’.
KB5025228 – Changelog
The following changes have been implemented under the KB5025228 cumulative update for Windows Server 2016:
- This update affects the Arab Republic of Egypt. The update supports the government’s daylight saving time change order for 2023.
- This update addresses an issue that affects Microsoft Edge IE mode and pages that use predictive prerendering. Edge IE mode does not support predictive prerendering. Because of this, a page that uses prerendering will load as if it was not in use.
- This update addresses compatibility issues that affect some printers. These printers use Windows Graphical Device Interface (GDI) printer drivers. These drivers do not completely adhere to GDI specifications.
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.