KB5026370 cumulative update for Windows Server 2022

KB5026370 is the latest cumulative update for Windows Server 2022, including Windows Server 2022 Server Core installations. The update was released on 9th May 2023 as part of Microsoft's monthly 'Patch Tuesday' release.

KB5026370 has since been superseded by KB5027225 (June 2023). You can read more about KB5027225.

Salient points about KB5026370

  • KB5026370 is a cumulative update and supersedes KB5025230, which was released in April 2023.
  • KB5026370 upgrades the server to build 20348.1726. KB5025230 corresponds to build 20348.1668, so the April to May update moves the revision (UBR) from 1668 to 1726.
  • The Servicing Stack Update for KB5026370 is bundled into the cumulative update, so no separate Servicing Stack Update installation is required.
  • According to Microsoft's security bulletin for May 2023, Windows Server 2022 is affected by 17 security vulnerabilities, 5 of which carry a 'CRITICAL' severity rating.
  • Two zero-day vulnerabilities affect Windows Server 2022; both are covered in the vulnerability section below.

Download KB5026370

KB5026370 can be installed on Windows Server 2022 automatically using one of the following methods:

  • Windows Update
  • Windows Update for Business
  • WSUS or Windows Server Update Service

For most installations, automated patching is the suggested approach to keeping Windows Servers updated at all times.

You can also install KB5026370 manually. To do so, you will need the offline installer file, which can be downloaded from the Microsoft Update Catalog page for KB5026370.

We have shared the download links for the KB5026370 catalog page as well as for the offline installer file.

The offline installer files have a .msu file extension. The file name explicitly contains the cumulative update number and architecture, so it is easy to confirm that you have the right package before installing it.
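The manual installation described above, as an added PowerShell example that is not part of the original post. It checks the current build against the 20348.1668 to 20348.1726 move described earlier, verifies the package signature, installs the .msu with wusa.exe and interprets the exit code. The download folder C:\Patches, the expected file-name pattern, and the assumption of an elevated session are mine, not the page's.

```powershell
# Added example (not from the original post): install the KB5026370 .msu offline on
# Windows Server 2022 and confirm the build moves from 20348.1668 to 20348.1726.
# Assumptions: the .msu was downloaded from the Update Catalog into $PackageDir and this
# runs in an elevated PowerShell session on the target server.

#Requires -RunAsAdministrator

$Kb          = 'KB5026370'
$ExpectedUbr = 1726          # revision after the update (build 20348.1726)
$PackageDir  = 'C:\Patches'  # assumed download location

function Get-OsBuild {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        Build = [int]$cv.CurrentBuildNumber   # 20348 on Windows Server 2022
        Ubr   = [int]$cv.UBR                  # 1668 before this update, 1726 after
    }
}

$before = Get-OsBuild
Write-Host ("Current build: {0}.{1}" -f $before.Build, $before.Ubr)

if ($before.Build -ne 20348) {
    throw "This package is for Windows Server 2022 (build 20348); found $($before.Build)."
}
if (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue) {
    Write-Host "$Kb is already installed."
    return
}
if ($before.Ubr -ge $ExpectedUbr) {
    # A later cumulative update (for example KB5027225) already includes this one.
    Write-Host "Build $($before.Build).$($before.Ubr) already contains the $Kb changes."
    return
}

# Catalog file names embed the KB number, e.g. windows10.0-kb5026370-x64_<hash>.msu
$msu = Get-ChildItem -Path $PackageDir -Filter "*$($Kb.ToLower())*x64*.msu" |
       Select-Object -First 1
if (-not $msu) { throw "No .msu for $Kb found in $PackageDir" }

# Refuse to install anything that is not validly signed by Microsoft.
$sig = Get-AuthenticodeSignature -FilePath $msu.FullName
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    throw "Signature check failed for $($msu.Name): $($sig.Status)"
}

# wusa.exe installs the .msu; /quiet /norestart leaves the reboot under our control.
$p = Start-Process -FilePath wusa.exe `
        -ArgumentList "`"$($msu.FullName)`" /quiet /norestart" -Wait -PassThru

switch ($p.ExitCode) {
    0       { Write-Host "$Kb installed." }
    3010    { Write-Host "$Kb installed; a restart is required to finish." }   # ERROR_SUCCESS_REBOOT_REQUIRED
    2359302 { Write-Host "$Kb was already installed." }                        # 0x240006 WU_S_ALREADY_INSTALLED
    default { throw "wusa.exe returned exit code $($p.ExitCode) for $Kb" }
}

# Re-run after the reboot: UBR should then read 1726.
$after = Get-OsBuild
Write-Host ("Build now reports {0}.{1} (the new UBR appears after restart)" -f $after.Build, $after.Ubr)
```

The UBR comparison is what lets the script run safely across a fleet: a server that already received KB5027225 or later reports a revision above 1726 and is skipped instead of being downgraded or reinstalled.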

Vulnerabilities in Windows Server 2022

There are 17 security vulnerabilities in Windows Server 2022. We have listed the two zero-day threats and five ‘CRITICAL’ severity threats below.

Zero-day vulnerabilities in Windows Server 2022

The following two vulnerabilities are treated as zero-day threats: CVE-2023-24932 was already being exploited in the wild when the update shipped, and CVE-2023-29325 had been publicly disclosed before a fix was available.

CVE-2023-24932
CVSS score: 6.7 | Severity: IMPORTANT | Impact: Secure Boot Security Feature Bypass
Comments: This bypass has been exploited in the wild by the BlackLotus UEFI bootkit. An attacker who already has physical access or administrative rights on the target can use it to defeat Secure Boot and load untrusted boot code that persists below the operating system. Installing KB5026370 on its own does not close the gap: the Secure Boot revocations it carries are disabled by default, and the manual steps in Microsoft's guidance (KB5025885) are needed to enable them. Once applied, the revocations cannot be rolled back and older boot and recovery media will stop booting, so test them on representative hardware first.

CVE-2023-29325
CVSS score: 8.1 | Severity: CRITICAL | Impact: Remote Code Execution
Comments: This is a Windows OLE vulnerability, so the fix is in Windows itself; Microsoft Outlook is the most likely delivery route. In an email attack scenario, an attacker sends a specially crafted email to the victim. Exploitation might involve the victim opening the email in an affected version of Microsoft Outlook, or Outlook simply displaying a preview of it in the reading pane. This could result in the attacker executing code remotely on the victim's machine.

As a mitigation, Microsoft suggests reading email messages in plain text in Microsoft Outlook until the update is installed.

CRITICAL vulnerabilities in Windows Server 2022

The following 5 vulnerabilities have a CRITICAL severity level.

CVE-2023-24941
CVSS score: 9.8 | Severity: CRITICAL | Impact: Remote Code Execution
Comments: This vulnerability in the Windows Network File System (NFS) service can be exploited over the network by an unauthenticated attacker who sends a specially crafted call to the NFS service, resulting in remote code execution. Mitigation steps are shared in the Microsoft advisory for CVE-2023-24941.

CVE-2023-24943
CVSS score: 9.8 | Severity: CRITICAL | Impact: Remote Code Execution
Comments: When the Windows Message Queuing (MSMQ) service is running in a Pragmatic General Multicast (PGM) server environment, an attacker could send a specially crafted file over the network to achieve remote code execution. To reduce risk, Microsoft recommends that customers move to newer technologies such as a Unicast or Multicast server. Read more details on the Microsoft advisory page.

CVE-2023-29325
CVSS score: 8.1 | Severity: CRITICAL | Impact: Remote Code Execution
Comments: An attacker could exploit this Windows OLE vulnerability by sending a specially crafted email to the victim. Exploitation might involve the victim opening the email in an affected version of Microsoft Outlook, or Outlook displaying a preview of the email. This could result in the attacker executing code remotely on the victim's machine. As a mitigation, Microsoft recommends that users read email messages in plain text format.

CVE-2023-24903
CVSS score: 8.1 | Severity: CRITICAL | Impact: Remote Code Execution
Comments: This RCE vulnerability exists in the Windows Secure Socket Tunneling Protocol (SSTP). To exploit it, an attacker would send a specially crafted SSTP packet to an SSTP server, which could result in remote code execution on the server.

CVE-2023-28283
CVSS score: 8.1 | Severity: CRITICAL | Impact: Remote Code Execution
Comments: This RCE vulnerability exists in the Windows Lightweight Directory Access Protocol (LDAP) service. An unauthenticated attacker who successfully exploits it could gain code execution through a specially crafted set of LDAP calls, running arbitrary code in the context of the LDAP service.
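Four of the five CRITICAL issues above only matter on servers that actually expose the affected service (NFS, MSMQ with PGM, SSTP, LDAP), which is the information you need when deciding which hosts to patch first. The following PowerShell is an added example written for this page, not code from Microsoft or the original post. It reports, per CVE, whether the relevant role is installed and listening on this server, and whether KB5026370 is present. The Windows feature names it queries (FS-NFS-Service, MSMQ-Server, MSMQ-Multicasting, AD-Domain-Services) and the listening ports are assumptions on my part, and port checks are only a heuristic (port 443 may be served by something other than SSTP).

```powershell
# Added example (not from the original post): exposure check for the CRITICAL CVEs fixed
# by KB5026370, to prioritise which Windows Server 2022 hosts must be patched first.
# Assumes an elevated session with the ServerManager module (present on Server with
# Desktop Experience and on Server Core). Feature names and ports below are assumptions.

#Requires -RunAsAdministrator
Import-Module ServerManager

function Test-FeatureInstalled([string]$Name) {
    $f = Get-WindowsFeature -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $f -and $f.Installed)
}

function Test-Listening([int]$Port) {
    # True if any TCP listener is bound to the port (heuristic: other services may use it).
    return [bool](Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue)
}

function Test-ServiceRunning([string]$Name) {
    $s = Get-Service -Name $Name -ErrorAction SilentlyContinue
    return ($null -ne $s -and $s.Status -eq 'Running')
}

$checks = @(
    [pscustomobject]@{
        Cve     = 'CVE-2023-24941'; Surface = 'NFS server'
        Exposed = (Test-FeatureInstalled 'FS-NFS-Service') -and (Test-Listening 2049)
    }
    [pscustomobject]@{
        Cve     = 'CVE-2023-24943'; Surface = 'MSMQ with PGM (multicast) support'
        Exposed = (Test-FeatureInstalled 'MSMQ-Server') -and
                  (Test-FeatureInstalled 'MSMQ-Multicasting') -and
                  (Test-ServiceRunning 'MSMQ')
    }
    [pscustomobject]@{
        Cve     = 'CVE-2023-24903'; Surface = 'SSTP VPN server (RemoteAccess)'
        Exposed = (Test-ServiceRunning 'RemoteAccess') -and (Test-Listening 443)
    }
    [pscustomobject]@{
        Cve     = 'CVE-2023-28283'; Surface = 'LDAP service (domain controller)'
        Exposed = (Test-FeatureInstalled 'AD-Domain-Services') -and (Test-Listening 389)
    }
)

$patched = [bool](Get-HotFix -Id 'KB5026370' -ErrorAction SilentlyContinue)

$checks |
    Select-Object Cve, Surface, Exposed, @{ n = 'KB5026370Installed'; e = { $patched } } |
    Format-Table -AutoSize

# Secure Boot state is the context for CVE-2023-24932: if Secure Boot is enabled, the
# KB5025885 hardening steps still have to be planned separately, because KB5026370 ships
# the revocations disabled. Confirm-SecureBootUEFI throws on BIOS/legacy-boot machines.
try {
    Write-Host "Secure Boot enabled: $(Confirm-SecureBootUEFI)"
} catch {
    Write-Host "Secure Boot: not available on this machine ($($_.Exception.Message))"
}
```

Run it on each server and treat any row with Exposed = True and KB5026370Installed = False as the top of the patch queue; a domain controller, for example, will always light up CVE-2023-28283 because LDAP is its core service.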

KB5026370 Changelog

The following improvements and changes are part of the KB5026370 security update for Windows Server 2022:

  • New! This update changes firewall settings. You can now configure application group rules.
  • This update addresses an issue that affects conhost.exe. It stops responding.
  • This update adds support for the Islamic Republic of Iran's 2022 government order changing daylight saving time.
  • This update addresses issues that affect the 32-bit version of Windows Calculator.
  • This update addresses an issue that affects apps that use DirectX on older Intel graphics drivers. You might receive an error from apphelp.dll.
  • The update addresses an issue that sends unexpected password expiration notices to users. This occurs when you set up an account to use “Smart Card is Required for Interactive Logon” and set “Enable rolling of expiring NTLM secrets”.
  • This update addresses an issue that affects Microsoft Edge IE mode. Pop-up windows open in the background instead of in the foreground.
  • This update addresses an issue that affects the software defined networking (SDN) virtual subnet. The delete operation creates an error. This stops the virtual subnet from being deleted.
  • This update addresses an issue that affects Azure Service Fabric containers. The change is off by default. To enable it, set Globals.RouteResolutionOrderConfig to TRUE. To propagate the value, move the primary node for VswitchService and SDNAPI. After you set the value, the change applies to new and existing network traffic routes.
  • This update addresses an issue that affects protected content. When you minimize a window that has protected content, the content displays when it should not. This occurs when you are using Taskbar Thumbnail Live Preview.
  • This update addresses an issue that affects mobile device management (MDM) customers. The issue stops you from printing. This occurs because of an exception.
  • This update addresses an issue that affects signed Windows Defender Application Control (WDAC) policies. They are not applied to the Secure Kernel. This occurs when you enable Secure Boot.  
  • This update addresses an issue that affects the Windows Defender Application Control. The policy that blocks software using a hash rule might not stop the software from running.
  • This update addresses an issue that affects Active Directory Federation Services (AD FS). You might need to retry authentication multiple times to sign in successfully.
  • This update addresses an issue that affects accounts that run the Set-AdfsCertificate command. The command fails. This occurs when an account does not have read permissions for the related Distributed Key Manager (DKM) container.
  • This update addresses a race condition in Windows Local Administrator Password Solution (LAPS). The Local Security Authority Subsystem Service (LSASS) might stop responding. This occurs when the system processes multiple local account operations at the same time. The access violation error code is 0xc0000005.
  • This update addresses an issue that affects the legacy Local Administrator Password Solution (LAPS) and the new Windows LAPS feature. They fail to manage the configured local account password. This occurs when you install the legacy LAPS .msi file after you have installed the April 11, 2023, Windows update on machines that have a legacy LAPS policy. 
  • This update addresses an issue that affects SMB Direct. Endpoints might not be available on systems that use multi-byte character sets.


Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.