KB5065509 is the ESU Monthly Rollup Update for Windows Server 2012. It was released on 9 September 2025 under the ‘Patch Tuesday’ program.
Salient points
- KB5065509 supersedes KB5063906 released in August 2025.
- KB5065509 requires the KB5065768 Servicing Stack Update to be installed prior to installing the main monthly rollup update.
- Without the installation of KB5065768, the ESU KB5065509 cannot be installed. For WSUS administrators, KB5065768 needs to be approved before KB5065509 will be fetched and deployed automatically.
- If you install a language pack after installing KB5065509, you need to reinstall the security update. All language pack installations must be completed before installing the monthly rollup update on Windows Server 2012.
- KB5065509 is an Extended Security Update. A valid subscription key to the ESU program is required before installing the monthly rollup update.
- Windows Server 2012 is impacted by 34 security vulnerabilities reported in the September 2025 security bulletin.
- Three of these vulnerabilities have CRITICAL severity.
- A single zero-day vulnerability affects Windows Server 2012 and the Windows Server 2012 Server Core installation in the September security bulletin released alongside the Windows updates on 9 September 2025.
Servicing Stack Update KB5065768
The Servicing Stack Update for Windows Server 2012 for September 2025 is KB5065768. It corresponds to KB5065509 ESU.
For automated deployments of KB5065509 through the Windows Update program, the Servicing Stack Update KB5065768 is offered for installation as part of the installation process of the monthly rollup update KB5065509.
The Servicing Stack Update is a small file, a little under 10 MB. Installing it does not cause a server reboot.
Once the SSU is installed, you can proceed with the installation of the main monthly rollup update KB5065509.
Download KB5065509
You can download the monthly rollup update KB5065509 for Windows Server 2012 from the Windows Update Catalog page shared below:
We reiterate that you need a valid ESU program subscription before you can install the ESU KB5065509 on Windows Server 2012.
Zero-day Vulnerabilities
A single zero-day security vulnerability affects Windows Server 2012 and the Windows Server 2012 Server Core installation.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-55234 | 8.8 | Elevation of Privilege in Windows SMB | SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks. |
Critical vulnerabilities
There are 34 reported security vulnerabilities in Windows Server 2012 for September 2025. The 3 CRITICAL vulnerabilities affecting Windows Server 2012 are shared below.
| Vulnerability | CVSS | Impact | Description |
|---|---|---|---|
| CVE-2025-53799 | 5.5 | Information disclosure | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally. |
| CVE-2025-54918 | 8.8 | Elevation of Privilege | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network. |
| CVE-2025-55226 | 6.7 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to execute code locally. |
KB5065509 – Changelog
Since this is an ESU, the focus remains on securing the Windows Server 2012 deployments. The following changes have been reported for KB5065509:
- [Internal Windows OS] Miscellaneous security improvements were made to internal Windows OS functionality.
- [App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.
- [File Server] New! This update enables auditing SMB client compatibility for SMB Server signing as well as SMB Server EPA. This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that are already supported by SMB Server.
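A read-only preflight check for the install order and the SMB hardening points above, as an added example that is not from Microsoft or the original page: it reports whether the KB5065768 SSU and the KB5065509 rollup are present, plus the SMB Server signing settings that bear on the relay exposure described for CVE-2025-55234. The function name `Test-EsuSeptember2025` is hypothetical; `Get-HotFix` and `Get-SmbServerConfiguration` are built-in cmdlets.

```powershell
# Added example (not from the original page). Read-only: it changes nothing.
# Test-EsuSeptember2025 is a hypothetical helper name.
# Run from an elevated PowerShell session on the Windows Server 2012 host.
function Test-EsuSeptember2025 {
    [CmdletBinding()]
    param(
        [string]$SsuId    = 'KB5065768',   # Servicing Stack Update, installed first
        [string]$RollupId = 'KB5065509'    # ESU monthly rollup
    )

    # Get-HotFix reads Win32_QuickFixEngineering, which lists CBS-serviced
    # packages. With SilentlyContinue, a missing ID yields $null, not an error.
    $ssu    = Get-HotFix -Id $SsuId    -ErrorAction SilentlyContinue
    $rollup = Get-HotFix -Id $RollupId -ErrorAction SilentlyContinue

    # Current SMB Server signing state (the relay risk depends on configuration).
    $smb = Get-SmbServerConfiguration

    # Decide what the administrator should do next, in prerequisite order.
    $next = if (-not $ssu) {
        "Install $SsuId first; $RollupId will not install without it"
    } elseif (-not $rollup) {
        "Install $RollupId (valid ESU key required)"
    } elseif (-not $smb.RequireSecuritySignature) {
        'Patched; SMB signing not required. Review audit results before enforcing'
    } else {
        'Patched; SMB Server signing is required'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SsuInstalled       = [bool]$ssu
        RollupInstalled    = [bool]$rollup
        SmbSigningEnabled  = $smb.EnableSecuritySignature
        SmbSigningRequired = $smb.RequireSecuritySignature
        NextStep           = $next
    }
}

Test-EsuSeptember2025 | Format-List
```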
Cumulative Update for Internet Explorer – KB5065435
KB5065435 is the cumulative update for Internet Explorer released in September 2025.
For complete security coverage on Windows Server 2012, you must install the cumulative update KB5065435 for Internet Explorer.