KB5061018 is the ESU Monthly Rollup Update for Windows Server 2012 R2. It was released on 10 June 2025 under the ‘Patch Tuesday’ program.
Salient points
- KB5061018 supersedes KB5058403 released in June 2025.
- KB5061018 requires a Servicing Stack Update to be installed prior to installing the main monthly rollup update. KB5058529 is the SSU corresponding to KB5061018.
- If you install language pack after installing KB5061018, you would need to reinstall the security update once again. All language pack installations must be completed before installing the monthly rollup update on Windows Server 2012 R2.
- KB5061018 is an Extended Security Update. A valid subscription key to the ESU program is required before installing the monthly rollup update.
- You will also need to install KB5060996 IE Cumulative Update for Internet Explorer 11 on Windows Server 2012 R2. KB5060996 is an ESU or Extended Security Update.
- Windows Server 2012 R2 is impacted by 23 security vulnerabilities reported in June 2025 security bulletin. 3 of these vulnerabilities are ‘CRITICAL’.
- One vulnerability impacts IE 11 and needs to be addressed by installing ESU KB5060996 for IE 11.
- Two zero-day vulnerabilities affect Windows Server 2012 R2 and Windows Server 2012 Server Core installation.
Servicing Stack Update KB5058529
The Servicing Stack Update for Windows Server 2012 R2 for June 2025 is KB5058529. It corresponds to KB5061018.
For automated deployments of KB5061018 through the Windows Update program, the Servicing Stack Update KB5058529 is offered for installation as part of the installation process of the monthly rollup update KB5061018. No further action is needed to install KB5058529 for automated installations of KB5061018.
WSUS administrators need to authorize or approve KB5058529 before KB5061018 is fetched and installed in WSUS.
If you choose to deploy KB5061018 manually, you need to download and install KB5058529 on the Windows Server 2012 R2.
The Servicing Stack Update file is a small file of 10.5 MB. Upon installation, it would not cause server reboot. Once the SSU is installed, you can proceed with the installation of the main monthly rollup update KB5061018.
Download KB5061018
You can download the monthly rollup update KB5061018 for Windows Server 2012 R2 from the Windows Update Catalog page shared below:
We would reiterate that you need a valid ESU program subscription before you could install the ESU KB5061018 on Windows Server 2012 R2.
Zero-day Vulnerabilities
Two security vulnerabilities with zero-day threat levels affect Windows Server 2016 and Windows Server 2016 Server Core installation.
| CVE | Title | Severity | CVSS | Type |
| CVE-2025-33053 | Web Distributed Authoring and Versioning (WEBDAV) | Important | 8.8 | Remote Code Execution |
| CVE-2025-33073 | Windows SMB Client | Important | 8.8 | EoP |
Critical vulnerabilities
There are 23 reported security vulnerabilities in Windows Server 2012 R2 for June 2025. The 3 CRITICAL vulnerabilities affecting Windows Server 2012 R2 are shared below.
| CVE | Title | CVSS | Type |
| CVE-2025-33070 | Windows Netlogon | 8.1 | EoP |
| CVE-2025-33071 | Windows KDC Proxy Service (KPSSVC) | 8.1 | RCE |
| CVE-2025-32710 | Windows Remote Desktop Services | 8.1 | RCE |
KB5061018 – Changelog
Since this is an ESU, the focus remains on securing the Windows Server 2012 R2 deployments. The following changes have been reported for KB5061018:
- [Internal Windows OS] Miscellaneous security improvements were made to internal Windows OS functionality. No additional issues are documented for this release.
KB5060996 for Internet Explorer
You will also need to install KB5060996 Internet Explorer Cumulative Update. This Internet Explorer update is for Internet Explorer version 11.
KB5060096 is additional to the cumulative ESU update KB5061059. It is also an ESU or Extended Security Update and needs to be installed on Windows Server 2012 for full security coverage.
For automated installations through the WSUS program, IE Cumulative Update KB5060096 will be automatically installed on the Windows Server 2012 once you have authorized KB5061059.
For manual deployments, you can download the IE Cumulative ESU update KB5060996 from the following catalog link:
Rajesh Dhawan is a technology professional who loves to write about Cyber-security events and stories, Cloud computing and Microsoft technologies. He loves to break complex problems into manageable chunks of meaningful information.