KB5026409 Security Update for Windows Server 2012 R2

KB5026409 is the security-only update for Windows Server 2012 R2. It was released on 9th May under the Patch Tuesday program.

KB5026409 has been succeeded by KB5027282 in June 2023. You can read more about KB5027282 in detail.

Salient points

  • KB5026409 is the standalone security update for Windows Server 2012 R2. For complete security of the server, you will need to install all the previous security updates for the server.
  • We strongly suggest choosing the monthly rollup update for Windows Server 2012 R2 over the security-only update. The monthly rollup updates are cumulative in nature and contain all changes of the security update as well. KB5026415 is the cumulative update for May for Windows Server 2012 R2.
  • Prior to installing KB5026409, you will need to ensure that the Servicing Stack Update KB5023790 is already deployed on the server. This SSU was released on 14th March 2023.
  • You will also need to deploy the Internet Explorer cumulative update KB5026366 on the server.
  • Windows Server 2012 R2 is affected by 16 security vulnerabilities as per the May security bulletin. Out of these, 5 are CRITICAL vulnerabilities.
  • There are 3 security vulnerabilities that have been considered zero-day threats. All these threats are shared below in the vulnerability section.

Download KB5026409

KB5026409 is a standalone update. It is not available for download from Windows Update, Microsoft Update or Windows Update for Business.

Rather, you can use WSUS (Windows Server Update Services) to schedule the import of the security update. For manual deployments, you will need the offline installer file.

This offline installer file has an MSU file extension. You can download it from the Microsoft Update Catalog website. A direct download link for the file from the Microsoft website has been shared below along with the page for Microsoft Update Catalog.

Manual installation of KB5026409 requires 3 different patches to be deployed. These patches include:

  1. KB5023790 Servicing Stack Update
  2. KB5026366 Internet Explorer 11 cumulative update for Windows Server 2012 R2
  3. Security update KB5026409

We have provided all these patch links from the Microsoft Update Catalog and the direct download links below.

The size of the offline installer file for Servicing Stack Update KB5023790 is 10.7 MB.

The size of the cumulative update for Internet Explorer is 55 MB.

The size of the security update KB5026409 is 35.4 MB.

Of all these updates, KB5023790 is the Servicing Stack Update and will not cause a server reboot.

KB5026366 and KB5026409 need a server reboot for successful deployment.
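
The install order and reboot behaviour described above can be scripted as follows. This is an added example, not code from the original article or from Microsoft; the folder `C:\Patches\2023-05` is a hypothetical location, and the script assumes the three .msu files downloaded from the Microsoft Update Catalog contain their KB number in the file name.

```powershell
# Added example: install the three packages in the order the article gives.
# Assumption: the .msu files sit in $PackageDir (hypothetical path) and are
# matched by KB number, since the article does not list exact file names.
$PackageDir = 'C:\Patches\2023-05'

# Order matters: servicing stack first, then IE cumulative, then security-only.
$Sequence = @(
    @{ Kb = 'KB5023790'; Role = 'Servicing Stack Update' },
    @{ Kb = 'KB5026366'; Role = 'Internet Explorer 11 cumulative update' },
    @{ Kb = 'KB5026409'; Role = 'Security-only update' }
)

$rebootNeeded = $false
foreach ($item in $Sequence) {
    # Get-HotFix reads Win32_QuickFixEngineering; skip anything already present.
    if (Get-HotFix -Id $item.Kb -ErrorAction SilentlyContinue) {
        Write-Output "$($item.Kb) ($($item.Role)) already installed, skipping."
        continue
    }

    $msu = Get-ChildItem -Path $PackageDir -Filter "*$($item.Kb)*.msu" |
        Select-Object -First 1
    if (-not $msu) {
        # Stop here so later packages are never installed out of order.
        throw "$($item.Kb): no .msu found in $PackageDir."
    }

    # /quiet /norestart: unattended install, reboot deferred to the end.
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$($msu.FullName)`"", '/quiet', '/norestart' `
        -Wait -PassThru

    switch ($proc.ExitCode) {
        0       { Write-Output "$($item.Kb) installed." }
        3010    { Write-Output "$($item.Kb) installed, reboot pending."; $rebootNeeded = $true }
        2359302 { Write-Output "$($item.Kb) was already installed." }
        default { throw "$($item.Kb): wusa.exe exited with code $($proc.ExitCode)." }
    }
}

if ($rebootNeeded) {
    Write-Output 'Reboot the server in a maintenance window to complete deployment.'
}
```

Run it from an elevated PowerShell session; after the reboot, `Get-HotFix -Id KB5026409` confirms the security update is recorded as installed.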

Vulnerabilities in Windows Server 2012 R2

There are 16 security vulnerabilities that affect Windows Server 2012 R2. We have listed the zero-day threats and ‘CRITICAL’ threats below.

Zero-day threats

The 3 zero-day threats that affect Windows Server 2012 R2 are mentioned below.

| Vulnerability | CVSS Score | Severity | Impact | Comments |
| --- | --- | --- | --- | --- |
| CVE-2023-24932 | 6.7 | IMPORTANT | Secure Boot Security Feature Bypass | In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook. |
| CVE-2023-29325 | 8.1 | CRITICAL | Remote Code Execution | In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook. |
| CVE-2023-29336 | 7.8 | IMPORTANT | Elevation of Privileges | An attacker who successfully exploited this vulnerability could bypass Secure Boot. The attacker needs to have physical access or Administrative rights to a target device. To patch this vulnerability, please read the instructions on this page. |

CRITICAL vulnerabilities on Windows Server 2012 R2

The 5 CRITICAL vulnerabilities that affect Windows Server 2012 R2 are shared below. The mitigation steps, if any, have been mentioned as well.

| Vulnerability | CVSS Score | Severity | Impact | Comments |
| --- | --- | --- | --- | --- |
| CVE-2023-24941 | 9.8 | CRITICAL | Remote Code Execution | This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Mitigation steps are shared in the Microsoft advisory for CVE-2023-24941. |
| CVE-2023-24943 | 9.8 | CRITICAL | Remote Code Execution | When Windows Message Queuing service is running in a Pragmatic General Multicast (PGM) Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. To mitigate risk, Microsoft recommends customers deploy newer technologies such as Unicast or Multicast server. Read more details of this vulnerability on the Microsoft advisory page. |
| CVE-2023-29325 | 8.1 | CRITICAL | Remote Code Execution | An attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. To mitigate this vulnerability, Microsoft recommends users read email messages in plain text format. |
| CVE-2023-24903 | 8.1 | CRITICAL | Remote Code Execution | This RCE vulnerability exists in Windows Secure Socket Tunneling Protocol (SSTP). To exploit this vulnerability, an attacker would need to send a specially crafted malicious SSTP packet to an SSTP server. This could result in remote code execution on the server side. |
| CVE-2023-28283 | 8.1 | CRITICAL | Remote Code Execution | This RCE vulnerability exists in Windows Lightweight Directory Access Protocol (LDAP). An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. |

KB5026409 Changelog

The following changes are part of the KB5026409 security-only update for Windows Server 2012 R2.

  • By order of the Islamic Republic of Iran on September 22, 2022, daylight saving time (DST) will no longer be observed and the republic will remain on Iran Standard Time UTC+03:30.
  • Local Kerberos authentication fails if the local Key Distribution Center (KDC) service is stopped. Additionally, all local Kerberos logons fail with the error STATUS_NETLOGON_NOT_STARTED.
  • After the Windows Security-only update dated November 8, 2022, is installed, Kerberos constrained delegation (KCD) fails with the error message KRB_AP_ERR_MODIFIED on Read/Write Domain Controllers.

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.