KB5026415 is the latest monthly rollup update for Windows Server 2012 R2 for the month of May 2023. It was released on 9th May as part of the ‘Patch Tuesday’ initiative.
KB5026415 has been superseded by KB5027271 for Windows Server 2012 R2. You can read more about KB5027271.
Salient points about KB5026415
- KB5026415 is a cumulative update and replaces the KB5025285 update. KB5025285 is also a monthly rollup update that was released on 11th April 2023.
- KB5026415 contains all the changes that are part of the May 2023 security-only update KB5026409.
- We strongly suggest patching Windows Server 2012 R2 with the monthly rollup update as it is a cumulative update. KB5026409 is a security-only update and standalone in nature.
- KB5023790 is the Servicing Stack Update for Windows Server 2012 R2. This SSU corresponds to KB5026415 and should be deployed prior to the installation of KB5026415.
- Windows Server 2012 R2 is impacted by 16 security vulnerabilities. 5 of these security vulnerabilities have a ‘CRITICAL’ severity and the remaining 11 have ‘IMPORTANT’ severity.
- There are 3 zero-day threats that affect Windows Server 2012 R2. Details are in the vulnerability section.
Download KB5026415
KB5026415 can be automatically deployed using one of the following suggested methods:
- Windows Update
- Windows Server Update Services (WSUS)
Apart from this, you can also download the offline installer file for KB5026415 for manual patching.
You can choose to download the installer file directly from the Microsoft Update Catalog page. Or, you can use the direct download link shared below to download the file from the Microsoft website.
It may be a good point to reiterate that Servicing Stack Update KB5023790 needs to be deployed prior to deploying KB5026415. So, we have shared the SSU download links as well.
The size of the Servicing Stack Update file is 10.7 MB. This SSU was released in March 2023. Installing the Servicing Stack Update does not cause a server reboot.
Once the SSU has been added to the server, you can download and deploy the monthly rollup update.
The size of the KB5026415 update file is 571.5 MB.
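The install order described above (SSU KB5023790 first, then the KB5026415 rollup, skipped when the superseding KB5027271 is already present) can be enforced in a script. This is an added example, not code from the original page or from Microsoft; the folder and the .msu file names are placeholders for files already downloaded from the Microsoft Update Catalog, and it assumes no newer SSU has replaced KB5023790 on the server.

```powershell
# Added example: enforce the SSU-before-rollup order for KB5026415.
# ASSUMPTION: $PackageDir and both file names are placeholders, not real catalog names.
$PackageDir  = 'C:\Patches'
$Ssu         = @{ Id = 'KB5023790'; File = 'KB5023790-ssu-PLACEHOLDER.msu' }
$Rollup      = @{ Id = 'KB5026415'; File = 'KB5026415-rollup-PLACEHOLDER.msu' }
$Superseding = 'KB5027271'   # June 2023 rollup that replaces KB5026415

function Test-KbInstalled {
    param([string]$Id)
    # Get-HotFix reads Win32_QuickFixEngineering and errors when the KB is absent.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Install-Msu {
    param([hashtable]$Package)
    $path = Join-Path $PackageDir $Package.File
    if (-not (Test-Path -LiteralPath $path)) { throw "Missing package file: $path" }
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$path`"", '/quiet', '/norestart' -Wait -PassThru
    # 0 = installed, 3010 = installed and reboot required, 2359302 = already installed
    if ($proc.ExitCode -notin 0, 3010, 2359302) {
        throw "wusa.exe failed for $($Package.Id) with exit code $($proc.ExitCode)"
    }
    return $proc.ExitCode
}

if (Test-KbInstalled $Superseding) {
    Write-Output "$Superseding is installed and supersedes $($Rollup.Id); nothing to do."
    return
}
if (Test-KbInstalled $Rollup.Id) {
    Write-Output "$($Rollup.Id) is already installed."
    return
}

# The SSU must be in place before the rollup is offered to the servicing stack.
if (-not (Test-KbInstalled $Ssu.Id)) {
    Install-Msu $Ssu | Out-Null
    if (-not (Test-KbInstalled $Ssu.Id)) {
        throw "$($Ssu.Id) is not registered after install; stopping before the rollup."
    }
}

$code = Install-Msu $Rollup
if ($code -eq 3010) {
    Write-Output "$($Rollup.Id) is staged; restart the server in a maintenance window to finish."
}
```

Run it from an elevated PowerShell session; `/norestart` leaves the reboot for the rollup under your control.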
Vulnerabilities in Windows Server 2012 R2
There are 16 security vulnerabilities that affect Windows Server 2012 R2. We have listed the zero-day threats and ‘CRITICAL’ threats below.
Zero-day threats
The 3 zero-day threats that affect Windows Server 2012 R2 are mentioned below.
Vulnerability | CVSS Score | Severity | Impact | Comments |
---|---|---|---|---|
CVE-2023-24932 | 6.7 | IMPORTANT | Secure Boot Security Feature Bypass | In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook. |
CVE-2023-29325 | 8.1 | CRITICAL | Remote Code Execution | In an email attack scenario, an attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. As part of the fix, Microsoft suggests reading emails in plain text in Microsoft Outlook. |
CVE-2023-29336 | 7.8 | IMPORTANT | Elevation of Privileges | An attacker who successfully exploited this vulnerability could bypass Secure Boot. The attacker needs to have physical access or Administrative rights to a target device. To patch this vulnerability, please read the instructions on this page. |
CRITICAL vulnerabilities on Windows Server 2012 R2
The 5 CRITICAL vulnerabilities that affect Windows Server 2012 R2 are shared below. The mitigation steps, if any, have been mentioned as well.
Vulnerability | CVSS Score | Severity | Impact | Comments |
---|---|---|---|---|
CVE-2023-24941 | 9.8 | CRITICAL | Remote Code Execution | This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). Mitigation steps are shared in the Microsoft advisory for CVE-2023-24941. |
CVE-2023-24943 | 9.8 | CRITICAL | Remote Code Execution | When Windows Message Queuing service is running in a Pragmatic General Multicast (PGM) Server environment, an attacker could send a specially crafted file over the network to achieve remote code execution and attempt to trigger malicious code. To mitigate risk, Microsoft recommends customers deploy newer technologies such as Unicast or Multicast server. Read more details of this vulnerability on the Microsoft advisory page. |
CVE-2023-29325 | 8.1 | CRITICAL | Remote Code Execution | An attacker could exploit the vulnerability by sending a specially crafted email to the victim. Exploitation of the vulnerability might involve either a victim opening a specially crafted email with an affected version of Microsoft Outlook software, or a victim’s Outlook application displaying a preview of a specially crafted email. This could result in the attacker executing remote code on the victim’s machine. To mitigate this vulnerability, Microsoft recommends users read email messages in plain text format. |
CVE-2023-24903 | 8.1 | CRITICAL | Remote Code Execution | This RCE vulnerability exists in Windows Secure Socket Tunneling Protocol (SSTP). To exploit this vulnerability, an attacker would need to send a specially crafted malicious SSTP packet to an SSTP server. This could result in remote code execution on the server side. |
CVE-2023-28283 | 8.1 | CRITICAL | Remote Code Execution | This RCE vulnerability exists in Windows Lightweight Directory Access Protocol (LDAP). An unauthenticated attacker who successfully exploited this vulnerability could gain code execution through a specially crafted set of LDAP calls to execute arbitrary code within the context of the LDAP service. |
KB5026415 Changelog
The following changes are part of the KB5026415 monthly rollup update:
- By order of the Islamic Republic of Iran on September 22, 2022, daylight saving time (DST) will no longer be observed and the republic will remain on Iran Standard Time UTC+03:30.
- Local Kerberos authentication fails if the local Key Distribution Center (KDC) service is stopped. Additionally, all local Kerberos logons fail with the error STATUS_NETLOGON_NOT_STARTED.
- After the Windows Monthly Rollup dated on or after November 8, 2022, is installed, Kerberos constrained delegation (KCD) fails with the error message KRB_AP_ERR_MODIFIED on Read/Write Domain Controllers.
Important links
- Microsoft release notes for KB5026415
- Catalog site for KB5026415
- Zero-day initiative vulnerability coverage for May 2023 security updates
Other security updates for May 2023:
- KB5026370 cumulative update for Windows Server 2022
- KB5026362 cumulative update for Windows Server 2019
- KB5026363 May 2023 cumulative update for Windows Server 2016
Security updates for June 2023:
- KB5027271 Monthly Rollup for Windows Server 2012 R2
- KB5027225 Cumulative Update for Windows Server 2022
- KB5027219 Cumulative Update for Windows Server 2016
- KB5027222 Cumulative Update for Windows Server 2019
Rajesh Dhawan is a technology professional who loves to blog about smart wearables, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.