KB5065427 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 9 September 2025 under the ‘Patch Tuesday’ release cycle.
Salient points
- KB5065427 supersedes August 2025 cumulative update KB5063871.
- KB5065427 corresponds to build 14393.8422.
- One zero-day vulnerability has been reported for Windows Server 2016 in the September 2025 security bulletin.
- 44 security vulnerabilities have been reported for Windows Server 2016 in September 2025.
- 4 of these vulnerabilities have CRITICAL severity. Details of the CRITICAL vulnerabilities are given in the vulnerabilities section.
- The Servicing Stack Update corresponding to KB5065427 is KB5065687. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5065687 before installing KB5065427.
Important Reminders
- Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
- Secure Boot certificates for Windows Server 2016 will expire in June 2026; both the UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.
Servicing Stack Update KB5065687
KB5065687 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments of KB5065427, KB5065687 is automatically offered for installation as part of the installation of the main cumulative update.
For manual installations of KB5065427, you need to download and install KB5065687 before installing KB5065427.
You can download the SSU KB5065687 from the Microsoft Update Catalog page:
Installing the Servicing Stack Update does not cause the server to reboot or restart, so you can proceed directly with the installation of the main cumulative update for Windows Server 2016.
Download KB5065427
You may download the offline installer file for KB5065427 from the catalog site link shared below:
Upon installation of KB5065427, the server will restart.
Zero-day Vulnerabilities
One zero-day security vulnerability affects Windows Server 2016 and Windows Server 2016 Server Core installation.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-55234 | 8.8 | Elevation of Privilege in Windows SMB | SMB Server might be susceptible to relay attacks depending on its configuration. An attacker who successfully exploited this vulnerability could perform relay attacks and subject users to elevation of privilege attacks. |
Critical vulnerabilities
There are 44 reported security vulnerabilities in Windows Server 2016 for September 2025. The 4 CRITICAL vulnerabilities affecting Windows Server 2016 are shared below.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-53799 | 5.5 | Information disclosure | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
| CVE-2025-53800 | 7.8 | Elevation of Privilege | No CWE is listed for this issue. A weakness in the Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
| CVE-2025-54918 | 8.8 | Elevation of Privilege | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-55226 | 6.7 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to execute code locally. |
Changelog – KB5065427
The following changes or improvements are part of KB5065427 for Windows Server 2016:
- [App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.
- [File Server] New! This update enables auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server.
- The update addresses security vulnerabilities in Windows Server 2016.
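As an added example (not from the original post, and not Microsoft's own tooling), the following PowerShell script runs the manual SSU-then-LCU sequence described in the download section and then reports the patch level together with the SMB Server signing posture that the new auditing capability in this update is meant to help you assess. It assumes both .msu files have already been downloaded from the Microsoft Update Catalog to the placeholder paths under C:\Patches, and it takes the target build 14393.8422 from this post.

```powershell
# Added example: apply KB5065687 (SSU) before KB5065427 (LCU) on Windows Server 2016,
# then report patch level and SMB signing state. Paths below are placeholders.
$SsuPath     = 'C:\Patches\KB5065687.msu'   # placeholder: downloaded SSU
$LcuPath     = 'C:\Patches\KB5065427.msu'   # placeholder: downloaded LCU
$TargetBuild = [version]'14393.8422'        # build stated for KB5065427

function Get-OsBuild {
    # CurrentBuild + UBR from the registry is the authoritative patch level;
    # Get-HotFix can lag behind or omit servicing stack updates.
    $k = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return [version]"$($k.CurrentBuild).$($k.UBR)"
}

function Install-Msu([string]$Path) {
    # wusa.exe exit codes: 0 = installed, 3010 = installed but reboot required,
    # 2359302 (0x240006) = update already present on this system.
    $p = Start-Process -FilePath wusa.exe -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    return $p.ExitCode
}

if ((Get-OsBuild) -ge $TargetBuild) {
    Write-Host "Already at build $(Get-OsBuild); nothing to install."
} else {
    # Step 1: SSU first. It needs no restart, so continue straight to the LCU.
    $rc = Install-Msu $SsuPath
    if ($rc -notin 0, 3010, 2359302) { throw "SSU install failed with exit code $rc" }
    # Step 2: LCU. The server must restart to finish installing it.
    $rc = Install-Msu $LcuPath
    if ($rc -notin 0, 3010, 2359302) { throw "LCU install failed with exit code $rc" }
    Write-Warning "KB5065427 staged (exit code $rc); restart the server to complete installation."
}

# Post-check: build level, both KBs, and SMB Server signing (the hardening that
# mitigates relay attacks such as CVE-2025-55234 and that the new auditing assesses).
$smb = Get-SmbServerConfiguration
[pscustomobject]@{
    OsBuild             = Get-OsBuild
    KB5065687_Installed = [bool](Get-HotFix -Id KB5065687 -ErrorAction SilentlyContinue)
    KB5065427_Installed = [bool](Get-HotFix -Id KB5065427 -ErrorAction SilentlyContinue)
    SmbSigningRequired  = $smb.RequireSecuritySignature
    SmbSigningEnabled   = $smb.EnableSecuritySignature
}
```

Run it from an elevated PowerShell session; the build check uses the registry rather than Get-HotFix so that a partially applied SSU does not produce a false "installed" result.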