KB5065507 ESU for Windows Server 2012 R2 – September 2025

KB5065507 is the ESU Monthly Rollup Update for Windows Server 2012 R2. It was released on 9 September 2025 under the ‘Patch Tuesday’ program.

Salient points

  • KB5065507 supersedes KB5063950 released in August 2025.
  • KB5065507 requires a Servicing Stack Update to be installed prior to installing the main monthly rollup update. KB5065767 is the SSU corresponding to KB5065507.
  • If you install a language pack after installing KB5065507, you will need to reinstall the security update. All language pack installations must be completed before installing the monthly rollup update on Windows Server 2012 R2.
  • KB5065507 is an Extended Security Update. A valid subscription key to the ESU program is required before installing the monthly rollup update.
  • Windows Server 2012 R2 is impacted by 35 security vulnerabilities reported in the September 2025 security bulletin. 3 of these vulnerabilities are ‘CRITICAL’.
  • A single zero-day vulnerability affects Windows Server 2012 R2 and the Windows Server 2012 R2 Server Core installation.

Servicing Stack Update KB5065767

The Servicing Stack Update for Windows Server 2012 R2 for September 2025 is KB5065767. It corresponds to KB5065507 ESU.

For automated deployments of KB5065507 through the Windows Update program, the Servicing Stack Update KB5065767 is offered as part of the installation process of the monthly rollup update. No further action is needed to install KB5065767 for automated installations of KB5065507.

WSUS administrators need to approve KB5065767 before KB5065507 is fetched and installed in WSUS.

If you choose to deploy KB5065507 manually, you need to download and install KB5065767 on the server first.

The Servicing Stack Update is a small file of 10.6 MB. Installing it does not cause a server reboot. Once the SSU is installed, you can proceed with the installation of the main monthly rollup update KB5065507.

Download KB5065507

You can download the monthly rollup update KB5065507 for Windows Server 2012 R2 from the Windows Update Catalog page shared below:

To reiterate, you need a valid ESU program subscription before you can install the ESU KB5065507 on Windows Server 2012 R2.

Zero-day Vulnerabilities

A single security vulnerability with a zero-day threat level affects Windows Server 2012 R2 and the Windows Server 2012 R2 Server Core installation.

| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-55234 | 8.8 | Elevation of Privilege in Windows SMB | SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. |

Critical vulnerabilities

There are 35 reported security vulnerabilities in Windows Server 2012 R2 for September 2025. The 3 CRITICAL vulnerabilities affecting Windows Server 2012 R2 are shared below.

| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-53799 | 5.5 | Information disclosure | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
| CVE-2025-54918 | 8.8 | Elevation of Privilege | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-55226 | 6.7 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to execute code locally. |

KB5065507 – Changelog

Since this is an ESU, the focus remains on securing the Windows Server 2012 R2 deployments. The following changes have been reported for KB5065507:

  • [Internal Windows OS] Miscellaneous security improvements were made to internal Windows OS functionality.
  • [App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.
  • [File Server] New! This update enables auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server. 

Cumulative Update for Internet Explorer – KB5065435

KB5065435 is the cumulative update for Internet Explorer released in September 2025. Before installing the ESU for Windows Server 2012 R2, you will need to ensure that the Internet Explorer update for the server is installed as well.
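
The installation order described above (SSU KB5065767 and the Internet Explorer cumulative update KB5065435 before the rollup KB5065507) can be checked on a server before a manual deployment. The script below is an added example, not code from the original article or from Microsoft; the function name Test-KB5065507Readiness and its output property names are hypothetical.

```powershell
# Added example, not from the original article. KB numbers are the ones the
# article names; the function name Test-KB5065507Readiness is hypothetical.
function Test-KB5065507Readiness {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Prerequisites named in the article.
    $prerequisites = [ordered]@{
        'KB5065767' = 'Servicing Stack Update (install first)'
        'KB5065435' = 'Cumulative Update for Internet Explorer'
    }
    $rollup     = 'KB5065507'   # September 2025 ESU monthly rollup
    $superseded = 'KB5063950'   # August 2025 rollup it replaces

    # Get-HotFix reads Win32_QuickFixEngineering (updates installed through CBS).
    $installed = @(Get-HotFix -ComputerName $ComputerName |
                   Select-Object -ExpandProperty HotFixID)

    # One row per prerequisite, with its installed state.
    $rows = @(foreach ($kb in $prerequisites.Keys) {
        [pscustomobject]@{
            Update    = $kb
            Role      = $prerequisites[$kb]
            Installed = $installed -contains $kb
        }
    })

    $missing = @($rows | Where-Object { -not $_.Installed } |
                 Select-Object -ExpandProperty Update)

    [pscustomobject]@{
        ComputerName    = $ComputerName
        Prerequisites   = $rows
        MissingPrereqs  = $missing
        PreviousRollup  = $installed -contains $superseded
        RollupInstalled = $installed -contains $rollup
        # Ready only when every prerequisite is present and the rollup is not.
        ReadyForRollup  = ($missing.Count -eq 0) -and
                          ($installed -notcontains $rollup)
    }
}

# Run locally and show the summary, then the per-update table.
$result = Test-KB5065507Readiness
$result | Format-List ComputerName, MissingPrereqs, RollupInstalled, ReadyForRollup
$result.Prerequisites | Format-Table -AutoSize
```

The script does not verify the ESU subscription key or pending language pack installations; both still need to be confirmed separately before installing the rollup.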

Rajesh Dhawan
