KB5062557 is the cumulative update for Windows Server 2019 and Windows Server 2019 Server Core installation. It was released on 8 July, 2025 under the ‘Patch Tuesday’ release cycle.
Salient points
- KB5062557 supersedes June 2025 cumulative update KB5060531.
- KB5062557 corresponds to server build 17763.7558.
- 89 security vulnerabilities have been reported for Windows Server 2019 as part of the July security updates.
- There are 6 security vulnerabilities with CRITICAL severity. Information about these CRITICAL vulnerabilities is shared in the vulnerabilities section.
- No Zero-day vulnerabilities affect Windows Server 2019 and Windows Server 2019 Server Core installation.
- The Servicing Stack Update corresponding to KB5062557 is KB5062800 (17763.7557). It is in-built in the main cumulative update. Separate installation of the SSU or Servicing Stack is not needed.
- KB5005112 is the SSU that must be already deployed on Windows Server 2019. If you have not deployed this SSU, please download KB5005112 and apply on the server. This is a very old SSU released in August 2021. If you have followed the update release cycle, there is a high chance that you already have this patch on the server. SSU installation does not cause server reboot.
Download KB5062557
You may download the offline installer file for KB5062557 from the catalog site link shared below:
Upon installation of KB5062557, the server would restart. The Servicing Stack Update is already included in the main update and will be downloaded and installed as part of the installation process.
Zero-day vulnerabilities
There has been a single zero-day vulnerability disclosure by Microsoft under the ‘July Patch Tuesday’ update. The said zero-day vulnerability affects SQL Server.
No zero-day vulnerability affects Windows Server 2019 and Windows Server 2019 Server Core installation.
Critical vulnerabilities
The July security bulletin for Windows Server 2019 reports 89 security vulnerabilities. The 5 CRITICAL vulnerabilities affecting Windows Server 2019 are shared below.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-47981 | 9.8 | Remote Code Execution | SPNEGO Extended Negotiation (NEGOEX) Security Mechanism – Heap-based buffer overflow in Windows SPNEGO Extended Negotiation allows an unauthorized attacker to execute code over a network. |
| CVE-2025-47980 | 6.2 | Information disclosure | Exposure of sensitive information to an unauthorized actor in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
| CVE-2025-36350 | 5.6 | Information disclosure | The vulnerability assigned to this CVE is in certain processor models offered by AMD. It impacts Transient Scheduler Attack in Store Queue. Corresponding AMD vulnerability is AMD-SB-7029. |
| CVE-2025-36357 | 5.6 | Information disclosure | The vulnerability assigned to this CVE is in certain processor models offered by AMD. Corresponding AMD vulnerability is AMD-SB-7029. |
| CVE-2025-48822 | 8.6 | Remote Code Execution | Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally. |
| CVE-2025-49735 | 8.1 | Remote Code Execution | An unauthenticated attacker could use a specially crafted application to leverage a cryptographic protocol vulnerability in Kerberos Key Distribution Center Proxy Service to perform remote code execution against the target. |
Changelog – KB5062557
The following changes or improvements are part of KB5062557 for Windows Server 2019:
- The update addresses security improvements for Windows Server 2019 and Windows Server 2019 Server Core installation.
- [Network Security and Containers] Fixed: An issue in the CharNextW function which caused incorrect character rendering for GB18030-2022 compliance. The function has been deprecated and replaced with a modern ICU-based solution to ensure proper handling of GB18030-2022 requirements.
- [DHCP Server (known issue] Fixed: An issue in which the DHCP Server service might intermittently stop responding and affects IP renewal for clients.
- [Microsoft RPC Netlogon protocol] This update includes a security hardening change to the Microsoft RPC Netlogon protocol. This change improves security by tightening access checks for a set of remote procedure call (RPC) requests. After this update is installed, Active Directory domain controllers will no longer allow anonymous clients to invoke some RPC requests through the Netlogon RPC server. These requests are typically related to domain controller location. Certain file and print service software can be affected, including Samba. If your organization uses Samba, please refer to the Samba release notes.
Simplifying technology, one step at a time.