KB5063950 is the ESU Monthly Rollup Update for Windows Server 2012 R2. It was released on 12 August 2025 under the ‘Patch Tuesday’ program.
Salient points
- KB5063950 supersedes KB5062597 released in July 2025.
- KB5063950 requires a Servicing Stack Update to be installed prior to installing the main monthly rollup update. KB5058529 is the SSU corresponding to KB5063950. KB5058529 is also the SSU for July 2025. So, if you installed the ESU last month in July, the SSU installation is already completed.
- If you install language pack after installing KB5063950, you would need to reinstall the security update once again. All language pack installations must be completed before installing the monthly rollup update on Windows Server 2012 R2.
- KB5063950 is an Extended Security Update. A valid subscription key to the ESU program is required before installing the monthly rollup update.
- Windows Server 2012 R2 is impacted by 44 security vulnerabilities reported in August 2025 security bulletin. 3 of these vulnerabilities are ‘CRITICAL’.
- No zero-day vulnerabilities affect Windows Server 2012 R2 and Windows Server 2012 Server Core installation.
Servicing Stack Update KB5058529
The Servicing Stack Update for Windows Server 2012 R2 for June, July, and August 2025 is KB5058529. It corresponds to KB5061018, KB5062597, and also the KB5063950 ESU.
For automated deployments of KB5063950 through the Windows Update program, the Servicing Stack Update KB5058529 is offered for installation as part of the installation process of the monthly rollup update KB5063950. No further action is needed to install KB5058529 for automated installations of KB5063950.
WSUS administrators need to authorize or approve KB5058529 before KB5063950 is fetched and installed in WSUS.
If you choose to deploy KB5063950 manually, you need to download and install KB5058529 on the Windows Server 2012 R2. If KB5061018 or KB5062597 were installed in the previous months, SSU installation can be skipped as it is already installed during previous month’s update cycle.
The Servicing Stack Update file is a small file of 10.5 MB. Upon installation, it would not cause server reboot. Once the SSU is installed, you can proceed with the installation of the main monthly rollup update KB5063950.
Download KB5063950
You can download the monthly rollup update KB5063950 for Windows Server 2012 R2 from the Windows Update Catalog page shared below:
We would reiterate that you need a valid ESU program subscription before you could install the ESU KB5063950 on Windows Server 2012 R2.
Zero-day Vulnerabilities
No security vulnerabilities with zero-day threat levels affect Windows Server 2012 R2 and Windows Server 2012 R2 Server Core installation.
Critical vulnerabilities
There are 44 reported security vulnerabilities in Windows Server 2012 R2 for July 2025. The 3 CRITICAL vulnerabilities affecting Windows Server 2012 R2 are shared below.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-53766 | 9.8 | Remote Code Execution | Heap-based buffer overflow in Windows GDI+ allows an unauthorized attacker to execute code over a network. |
| CVE-2025-53778 | 8.8 | Elevation of Privilege | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-50177 | 8.1 | Remote Code Execution | Use after free in Windows Message Queuing allows an unauthorized attacker to execute code over a network. |
KB5063950 – Changelog
Since this is an ESU, the focus remains on securing the Windows Server 2012 R2 deployments. The following changes have been reported for KB5063950:
- [Internal Windows OS] Miscellaneous security improvements were made to internal Windows OS functionality. No additional issues are documented for this release.
Simplifying technology, one step at a time.