KB5026411 security update for Windows Server 2012

KB5026411 is the security update for Windows Server 2012. It addresses security changes on Windows Server 2012 and differs from the monthly rollup update KB5026419. KB5026411 was released on 9th May 2023.

Salient points about KB5026411

  • KB5026411 is a standalone security update. It is not a cumulative update. For full security coverage on Windows Server 2012, you will need to install all the previous security updates.
  • As a recommendation, we suggest patching Windows Server 2012 with the monthly rollup update KB5026419. KB5026419 contains all changes that are part of the KB5026411 security update.
  • KB5023791 is the Servicing Stack Update that needs to be deployed prior to installing KB5026411 on Windows Server 2012.
  • KB5026366 is the latest cumulative update for Internet Explorer. You will need to patch it on the server for complete security coverage.
  • The issue with language packs still affects Windows Server 2012. If you install a language pack after installing KB5026411, you must redeploy KB5026411.
  • 16 security vulnerabilities affect Windows Server 2012.
  • 5 of these vulnerabilities have CRITICAL significance. Two of the CRITICAL vulnerabilities have a CVSS rating of 9.8.
  • There are 3 zero-day threats on the server. All these are mentioned in the vulnerability section below.

Download KB5026411

KB5026411 is a standalone update that can be deployed using WSUS or manually.

The preferred method is WSUS or Windows Server Update Service. However, you can also download the installer file for KB5026411 from the Microsoft Update Catalog site.

For ready reference, we have shared the catalog links and direct download links for KB5026411 below.

Prior to installing KB5026411 on Windows Server 2012, you have to perform two prerequisite steps.

  • Install Servicing Stack Update KB5023791
  • Install Internet Explorer cumulative update KB5026366

The download links for KB5023791 and KB5026366 are given below.

The size of the SSU file is 9.8 MB and it will not lead to server reboot. This Servicing Stack Update was released in March 2023.

Vulnerabilities in Windows Server 2012

There are 16 security vulnerabilities in Windows Server 2012. There are 3 zero-day threats and 5 CRITICAL vulnerabilities in Windows Server 2012.

Zero-day threats in Windows Server 2012

The following 3 zero-day threats affect Windows Server 2012.

VulnerabilityCVSS ScoreSeverityImpactComments
CVE-2023-249326.7IMPORTANTSecure Boot Security Feature BypassIn an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook.
CVE-2023-293258.1CRITICALRemote Code ExecutionIn an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook.
CVE-2023-293367.8IMPORTANTElevation of PrivilegesAn attacker who successfully exploited this vulnerability could bypass Secure Boot. The attacker needs to have physical access or Administrative rights to a target device. To patch this vulnerability, please read the instructions on this page.

CRITICAL vulnerabilities in Windows Server 2012

The following 5 CRITICAL vulnerabilities impact the Windows Server 2012.

VulnerabilityCVSS ScoreSeverityImpactComments
CVE-2023-249419.8CRITICALRemote Code ExecutionThis vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE).
Mitigation steps are shared in the Microsoft advisory for CVE-2023-24941.
CVE-2023-249439.8CRITICALRemote Code ExecutionWhen Windows Message Queuing service is running in a Pragmatic General Multicast (PGM) Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code.
To mitigate risk, Microsoft recommends customers deploy newer technologies such as Unicast or Multicast server.
Read more details of this vulnerability on the Microsoft advisory page.
CVE-2023-293258.1CRITICALRemote Code ExecutionAn attacker could exploit the vulnerability by sending the specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine.

To mitigate this vulnerability, Microsoft recommends users read email messages in plain text format
CVE-2023-249038.1CRITICALRemote Code ExecutionThis RCE vulnerability exists in Windows Secure Socket Tunneling Protocol  (SSTP). To exploit this vulnerability, an attacker would need to send a specially crafted malicious SSTP packet to a SSTP server. This could result in remote code execution on the server side.
CVE-2023-282838.1CRITICALRemote Code ExecutionThis RCE vulnerability exists in Windows Lightweight Directory Access Protocol (LDAP). An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service.

KB5026411 – Changelog

The following changes are part of the KB5026411 security update.

  • By order of the Islamic Republic of Iran on September 22, 2022, daylight saving time (DST) will no longer be observed and the republic will remain on Iran Standard Time UTC+03:30.
  • Local Kerberos authentication fails if the local Key Distribution Center (KDC) service is stopped. Additionally, all local Kerberos logons fail with the error STATUS_NETLOGON_NOT_STARTED.
  • After the Windows Security-only update dated November 8, 2022, is installed, Kerberos constrained delegation (KCD) fails with the error message KRB_AP_ERR_MODIFIED on Read/Write Domain Controllers.

How useful was this post?

Click on a star to rate it!

We are sorry that this post was not useful for you!

Let us improve this post!

Tell us how we can improve this post?

Rajesh Dhawan

Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.