KB5066836 for Windows Server 2016 – October 2025

KB5066836 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 14 October, 2025 under the ‘Patch Tuesday’ release cycle.

Salient points

  • KB5066836 supersedes September 2025 cumulative update KB5065427.
  • KB5066836 corresponds to build 14393.8519.
  • 6 zero-day vulnerabilities were disclosed by Microsoft in the October 2025 security bulletin. 4 of these security vulnerabilities impact Windows Server 2016. Brief details of each vulnerability are shared in the vulnerabilities section.
  • 73 security vulnerabilities impact Windows Server 2016. 2 of these have CRITICAL severity. Details of the critical security vulnerabilities are shared in the vulnerabilities section.
  • The Servicing Stack Update corresponding to KB5066836 is KB5065687. This is the same SSU that was used last month, in September 2025. A separate SSU for Windows Server 2016 has not been released in October 2025. If you installed KB5065427, the SSU would already have been deployed. For automated deployments of security updates (Windows Update and Windows Update for Business), the SSU installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5065687 before installing KB5066836.

Important Reminders

  • Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
  • Secure Boot certificates for Windows Server 2016 will expire in June 2026. Both the UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.

Servicing Stack Update KB5065687

KB5065687 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments of KB5066836, KB5065687 is automatically offered for installation as part of the installation of the main cumulative update.

For manual installations of KB5066836, you would need to download and install KB5065687 before installing KB5066836. If KB5065427 was installed in September 2025, KB5065687 would already have been installed on the server during last month’s ‘Patch Tuesday’ cycle.

You can download the SSU KB5065687 from the Microsoft Update Catalog page:

Installing the Servicing Stack Update would not cause the server to reboot or restart. So, you could directly proceed with the installation of the main cumulative update for Windows Server 2016.

Zero-day Security vulnerabilities

4 zero-day security vulnerabilities affect Windows Server 2016. Brief details of these vulnerabilities are shared here.

| Vulnerability | CVSS Score | Severity | Description |
|---|---|---|---|
| CVE-2025-24052 | 7.8 | Important | Elevation of Privileges affecting Windows Agere Modem Driver |
| CVE-2025-24990 | 7.8 | Important | Elevation of Privileges affecting Windows Agere Modem Driver |
| CVE-2025-47827 | 4.6 | Important | Secure Boot bypass in IGEL OS before 11 |
| CVE-2025-59230 | 7.8 | Important | Elevation of Privileges vulnerability in Remote Access Connection Manager |

Critical vulnerabilities

The October security bulletin for Windows Server 2016 reports 73 security vulnerabilities. The 2 CRITICAL vulnerabilities affecting Windows Server 2016 are shared below.

| Vulnerability | CVSS | Description |
|---|---|---|
| CVE-2025-59287 | 9.8 | Windows Server Update Service (WSUS) Remote Code Execution Vulnerability |
| CVE-2016-9535 | 4.0 | LibTIFF Heap Buffer Overflow Vulnerability |

Download KB5066836

You may download the offline installer file for KB5066836 from the catalog site link shared below:

Upon installation of KB5066836, the server would restart.
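
A patch-state check for the manual installation path described above, as an added example that is not part of the original article or of Microsoft's tooling: it reads the build revision, confirms the SSU is present before the cumulative update, and flags a registered ltmdm64.sys driver, which the changelog says this update removes. The KB numbers, build 14393.8519 and driver name come from the article; the function names are hypothetical, and it assumes the SSU is listed by Get-HotFix.

```powershell
# Added example, not from the article. KB numbers, build and driver name are the article's.
$SsuKb = 'KB5065687'; $LcuKb = 'KB5066836'   # SSU must precede the cumulative update
$TargetBuild = 14393; $TargetUbr = 8519      # build 14393.8519

function Get-OsBuild {
    # CurrentBuild and UBR (update build revision) are values under this key on Server 2016.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuild; Ubr = [int]$cv.UBR }
}

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Assumption: the KB is listed by Get-HotFix (Win32_QuickFixEngineering).
    # A missing KB raises a non-terminating error, so it is suppressed and read as $false.
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Get-AgereDriver {
    # Driver services whose image path ends in ltmdm64.sys; fax modem hardware
    # that depends on this driver stops working once the update is installed.
    Get-CimInstance Win32_SystemDriver |
        Where-Object { $_.PathName -like '*ltmdm64.sys' } |
        Select-Object Name, State, PathName
}

function Get-PatchState {
    $os      = Get-OsBuild
    $ssu     = Test-KbInstalled -Id $SsuKb
    $driver  = @(Get-AgereDriver)
    # Cumulative updates supersede each other, so a higher revision also counts as patched.
    $patched = ($os.Build -eq $TargetBuild) -and ($os.Ubr -ge $TargetUbr)

    if ($os.Build -ne $TargetBuild) { $next = "Build is not 14393; $LcuKb does not apply" }
    elseif ($patched)               { $next = 'None: build is at or above 14393.8519' }
    elseif (-not $ssu)              { $next = "Install SSU $SsuKb first, then $LcuKb" }
    else                            { $next = "SSU present; install $LcuKb and plan for the restart" }

    [pscustomobject]@{
        Build            = '{0}.{1}' -f $os.Build, $os.Ubr
        SsuInstalled     = $ssu
        Patched          = $patched
        AgereDriverFound = ($driver.Count -gt 0)
        NextStep         = $next
    }
}

Get-PatchState | Format-List
```

Run it before patching to find servers that still need the SSU or still have the modem driver registered, and again after the restart to confirm the build revision.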

Changelog – KB5066836

The following changes or improvements are part of KB5066836 for Windows Server 2016:

  • [Windows Remote Management (WinRM)] Fixed: An issue that affects PowerShell Remoting and WinRM in which commands time out after 600 seconds.
  • [Stability issue] Fixed: This update addresses an issue, observed in rare cases after installing the May 2025 security update and subsequent updates, that caused devices to experience stability issues. Some devices became unresponsive in specific scenarios.
  • [Fax modem driver] This update removes the ltmdm64.sys driver. Fax modem hardware dependent on this specific driver will no longer work in Windows.
Rajesh Dhawan
