KB5065428 is the cumulative update for Windows Server 2019 and Windows Server 2019 Server Core installation. It was released on 9 September, 2025 under the ‘Patch Tuesday’ release cycle.
Salient points
- KB5065428 supersedes August 2025 cumulative update KB5063877.
- KB5065428 also includes all changes that are part of the out-of-band (OOB) update KB5066187, released on 19 August 2025. If you did not install the OOB update, you can skip it and install this month’s cumulative update KB5065428 directly.
- KB5065428 corresponds to Windows Server build 17763.7792.
- 50 security vulnerabilities have been reported for Windows Server 2019 as part of the September security updates.
- There are 6 security vulnerabilities with CRITICAL severity. Information about these CRITICAL vulnerabilities is shared in the vulnerabilities section.
- A single zero-day vulnerability affects Windows Server 2019 and Windows Server 2019 Server Core installation.
- The Servicing Stack Update corresponding to KB5065428 is KB5065765 (17763.7781). It is built into the main cumulative update. Separate installation of the SSU or Servicing Stack is not needed.
- KB5005112 is the SSU that must already be deployed on Windows Server 2019. If you have not deployed this SSU, please download KB5005112 and apply it on the server. This is a very old SSU released in August 2021. If you have followed the update release cycle, there is a high chance that you already have this patch on the server. SSU installation does not cause a server reboot.
Important Reminders
Apart from this, it is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.
Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.
Download KB5065765
KB5065765 is the Servicing Stack Update for Windows Server 2019 released in September 2025 alongside the main cumulative update KB5065428.
If you intend to deploy cumulative updates through Windows Update or Windows Update for Business, no action is needed to install the Servicing Stack Update. The Servicing Stack Update is part of the security update that will be installed on Windows Server 2019.
For manual installation of KB5065428, you need to deploy the SSU KB5065765 before installing KB5065428. The offline installer file for KB5065765 can be downloaded from the catalog page.
The SSU will not lead to a server reboot. It is a small update file that can be installed prior to installing the main cumulative update for Windows Server 2019.
Download KB5065428
You may download the offline installer file for KB5065428 from the catalog site link shared below:
Upon installation of KB5065428, the server will restart. The Servicing Stack Update is already included in the main update and will be downloaded and installed as part of the installation process.
Zero-day vulnerabilities
A single zero-day vulnerability has been reported for Windows Server 2019 in September 2025.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-55234 | 8.8 | Elevation of Privilege in Windows SMB | SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. |
Critical vulnerabilities
The security bulletin for Windows Server 2019 reports 50 security vulnerabilities. The 6 CRITICAL vulnerabilities affecting Windows Server 2019 are shared below.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-53799 | 5.5 | Information disclosure | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
| CVE-2025-53800 | 7.8 | Elevation of Privilege | No cwe for this issue in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally. |
| CVE-2025-54918 | 8.8 | Elevation of Privilege | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-55226 | 6.7 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to execute code locally. |
| CVE-2025-55224 | 7.8 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Win32K – GRFX allows an authorized attacker to execute code locally. |
| CVE-2025-55236 | 7.3 | Remote Code Execution | Time-of-check time-of-use (TOCTOU) race condition in Graphics Kernel allows an authorized attacker to execute code locally. |
Changelog – KB5065428
The following changes or improvements are part of KB5065428 for Windows Server 2019:
- The update addresses security improvements for Windows Server 2019 and Windows Server 2019 Server Core installation.
- [Active Directory] New! Adds support for Certificate Revocation List (CRL) partitioning in Windows Certificate Authorities.
- [App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.
- [File Server] New! This update enables auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server.
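A read-only check you can run after patching, added here as an example (it is not from the original page or from Microsoft): it confirms the server is at or above build 17763.7792 and reports the current state of the two SMB Server hardening measures named above, signing and EPA. The function names `Get-OsBuild` and `Get-SmbRelayHardening` and the `NeedsReview` rule are assumptions made for this example.

```powershell
# Added example: post-patch check for KB5065428 plus SMB relay hardening state.
# Read-only. Run in an elevated PowerShell session on the Windows Server 2019 host.

$TargetBuild = [version]'17763.7792'   # build that KB5065428 corresponds to (from this page)

function Get-OsBuild {
    # CurrentBuild plus UBR (update build revision) is the build string winver shows.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
}

function Get-SmbRelayHardening {
    $smb = Get-SmbServerConfiguration
    # SmbServerNameHardeningLevel backs the policy "Microsoft network server:
    # Server SPN target name validation level" (SMB Server EPA):
    #   0 = off, 1 = accept if provided by client, 2 = required by server.
    # A missing value is treated as 0.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $epa = (Get-ItemProperty -Path $key -Name SmbServerNameHardeningLevel `
                -ErrorAction SilentlyContinue).SmbServerNameHardeningLevel
    if ($null -eq $epa) { $epa = 0 }

    [pscustomobject]@{
        SigningRequired = [bool]$smb.RequireSecuritySignature
        EpaLevel        = [int]$epa
    }
}

$build = Get-OsBuild
$smb   = Get-SmbRelayHardening

[pscustomobject]@{
    ComputerName    = $env:COMPUTERNAME
    Build           = $build.ToString()
    # -ge so that later cumulative updates (higher UBR) also pass.
    AtOrAboveTarget = ($build -ge $TargetBuild)
    SigningRequired = $smb.SigningRequired
    EpaLevel        = $smb.EpaLevel
    # Example rule (assumption): flag hosts where neither measure is enforced.
    NeedsReview     = (-not $smb.SigningRequired -and $smb.EpaLevel -lt 2)
}
```

A host reporting `NeedsReview = True` is a candidate for the compatibility auditing this update introduces before signing or EPA is enforced.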