KB5071543 is the cumulative update for Windows Server 2016 and Windows Server 2016 Server Core installation. It was released on 9 December, 2025 under the ‘Patch Tuesday’ release cycle.
Salient points
- KB5071543 supersedes November 2025 cumulative update KB5068864.
- KB5071543 corresponds to build 14393.8688.
- 57 security vulnerabilities were disclosed by Microsoft in the December 2025 security bulletin.
- 18 security vulnerabilities impact Windows Server 2016 and Windows Server 2016 Server Core installation as per the December 2025 security report.
- One zero-day vulnerability has been reported for Windows Server 2016 in December 2025.
- No CRITICAL vulnerability has been reported for Windows Server 2016 in December 2025.
- The Servicing Stack Update corresponding to KB5071543 is KB5070247. For automated deployments of security updates (Windows Update and Windows Update for Business), the installation is included in the main cumulative update installation process. For manual patching, you will need to download and install the SSU KB5070247 before installing KB5071543.
- Incidentally, KB5070247 is the SSU released in November 2025. If you patched KB5068864 in November 2025, the SSU would have already been deployed during November. Fresh installation of SSU KB5070247 is not needed in such cases.
Important Reminders
- Support for cumulative updates for Windows Server 2016 will end on 12 January 2027.
- Secure Boot certificates for Windows Server 2016 will expire in June 2026. Both the UEFI Secure Boot DB and KEK need to be updated with the corresponding new 2023 certificate versions.
Servicing Stack Update KB5070247
KB5070247 is the Servicing Stack Update (SSU) for Windows Server 2016. For automated deployments of KB5071543, KB5070247 is automatically offered for installation as part of the installation of the main cumulative update.
For manual installations of KB5071543, you would need to download and install KB5070247 before installing KB5071543.
You can download the SSU KB5070247 from the Microsoft Update Catalog page:
Installing the Servicing Stack Update would not cause the server to reboot or restart. So, you could directly proceed with the installation of the main cumulative update for Windows Server 2016.
Zero-day Security vulnerabilities
One zero-day vulnerability has been reported for Windows Server 2016 or Windows Server 2016 Server Core installation in December 2025.
| CVE Details | CVSS Score | Comments |
|---|---|---|
| CVE-2025-54100 | 7.8 | Remote Code Execution Vulnerability in PowerShell (Windows) |
Critical vulnerabilities
The December security bulletin for Windows Server 2016 reports 18 security vulnerabilities. All these vulnerabilities have IMPORTANT severity. None of these security vulnerabilities have CRITICAL security severity.
Download KB5071543
You may download the offline installer file for KB5071543 from the catalog site link shared below:
Upon installation of KB5071543, the server would restart.
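The PowerShell sketch below is an added example, not Microsoft's or this site's own tooling. It works out the next manual-patching step from the values given on this page: build 14393.8688 for KB5071543, and SSU KB5070247 installed first. The function name `Get-PatchPlan` and the sample states are hypothetical, and the sketch assumes the SSU is listed by `Get-HotFix` on the server being checked.

```powershell
# Added example: decide the next manual-patching step for KB5071543.
# Values taken from this page: LCU KB5071543 = build 14393.8688, SSU = KB5070247.
$TargetBuild = 14393
$TargetUbr   = 8688
$SsuId       = 'KB5070247'
$LcuId       = 'KB5071543'

# Hypothetical helper: pure decision logic, so it can be run on collected inventory data too.
function Get-PatchPlan {
    param(
        [int]$Build,               # OS build, e.g. 14393
        [int]$Ubr,                 # update build revision, e.g. 8688
        [string[]]$InstalledIds    # HotFixID values reported by the host
    )
    if ($Build -ne $TargetBuild) {
        return "NotApplicable: build $Build is not a 14393 (Windows Server 2016) build"
    }
    if ($Ubr -ge $TargetUbr) {
        return "Compliant: ${Build}.${Ubr} is at or above ${TargetBuild}.${TargetUbr}"
    }
    if ($InstalledIds -contains $SsuId) {
        # SSU already deployed (for example with the November update): only the LCU is needed.
        return "Install $LcuId (SSU $SsuId already present); the server will restart"
    }
    return "Install SSU $SsuId first (no restart), then $LcuId (server will restart)"
}

# Live check on the local server: build and UBR come from the registry,
# installed update IDs from Get-HotFix.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ids = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)
Get-PatchPlan -Build ([int]$cv.CurrentBuildNumber) -Ubr ([int]$cv.UBR) -InstalledIds $ids

# Constructed sample states (not from a real host) that exercise each branch.
# The UBR 8000 is an arbitrary value below the target, not a real release build.
Get-PatchPlan -Build 14393 -Ubr 8000 -InstalledIds @('KB5068864', 'KB5070247')
Get-PatchPlan -Build 14393 -Ubr 8000 -InstalledIds @()
Get-PatchPlan -Build 14393 -Ubr 8688 -InstalledIds @('KB5070247')
Get-PatchPlan -Build 17763 -Ubr 1    -InstalledIds @()
```

Comparing the UBR rather than searching for KB5071543 by ID also treats a server that already carries a later cumulative update as compliant.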
Changelog – KB5071543
The following changes or improvements are part of KB5071543 for Windows Server 2016:
- [Internal Windows OS] This update contains miscellaneous security improvements to internal Windows OS functionality. No specific issues are documented for this release.
- [PowerShell 5.1] The Invoke-WebRequest command now includes a confirmation prompt with a security warning of a script execution risk. You can choose to continue or cancel the request. For additional details, see CVE-2025-54100 and KB5074596: PowerShell 5.1: Preventing script execution from web content.