KB5072033 for Windows Server 2025

KB5072033 is the cumulative update for Windows Server 2025 version 24H2. It was released on 9 December 2025 as part of Microsoft’s ‘Patch Tuesday’ program.

Salient points

  • KB5072033 supersedes November 2025 cumulative update KB5068861 for Windows Server 2025.
  • KB5072033 includes all changes that are part of the preview update KB5070311. The preview update was last released on 1 December 2025.
  • The KB5072033 security update corresponds to build 26100.7462.
  • In December, Microsoft reported a total of 57 security vulnerabilities in the latest security report.
  • 37 security vulnerabilities have been reported in the December 2025 security bulletin for Windows Server 2025.
  • 2 of these 32 vulnerabilities are zero-day vulnerabilities.
  • The Servicing Stack Update corresponding to KB5072033 is KB5071142 (26100.7295). It is built into the main cumulative update, so separate installation of the SSU (Servicing Stack Update) is not needed.
  • The AI components have been updated to version 1.2511.1244.0. The AI components updated include the image search, content extraction, and semantic analysis.

Zero-day vulnerabilities

Two zero-day vulnerabilities affect the Windows Server 2025 24H2 edition. Zero-day vulnerabilities are those that are either publicly disclosed or have proven instances of exploitation. In this case, it has been found that the zero-day has been exploited by threat actors, so the security update should be installed immediately.

| CVE Details | CVSS Score | Comments |
|---|---|---|
| CVE-2025-62221 | 7.8 | Elevation of Privilege Vulnerability in Windows Cloud Files Mini Filter Driver |
| CVE-2025-54100 | 7.8 | Remote Code Execution Vulnerability in PowerShell (Windows) |

Critical vulnerabilities

There are no Critical vulnerabilities on Windows Server 2025 in the December 2025 security bulletin.

AI Components

The following AI components for Windows Server 2025 have been updated to the latest version 1.2511.1244.0:

  • Image Search
  • Content Extraction
  • Semantic Analysis
  • Settings Model

Download KB5072033

You may download the offline installer file for KB5072033 from the catalog site link shared below:

The update file is available for x64 and ARM64 deployments. The server restarts upon installation of KB5072033, so plan the installation as a structured change.
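To confirm after the restart that a server is actually running the patched build, the check below compares the running build against 26100.7462, the build this page gives for KB5072033. It is an added example, not part of the original page or of Microsoft's guidance; the function names are hypothetical, and it assumes the standard CurrentVersion and Component Based Servicing registry locations.

```powershell
# Added example, not from the original page. Run in Windows PowerShell 5.1 on the server.
$RequiredBuild = [version]'26100.7462'   # build stated on this page for KB5072033

function Get-OsBuildRevision {
    # CurrentBuild and UBR (update build revision) together give the build
    # that winver shows, for example 26100.7462.
    $cv = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [version]('{0}.{1}' -f $cv.CurrentBuild, $cv.UBR)
}

function Test-PatchLevel {
    param(
        [Parameter(Mandatory)][version]$Actual,
        [version]$Required = $RequiredBuild
    )
    # Later cumulative updates raise the revision on the same build line, so
    # anything at or above the required revision passes. A different build
    # number is another Windows release and is reported as not compliant.
    ($Actual.Major -eq $Required.Major) -and ($Actual -ge $Required)
}

function Get-KB5072033Status {
    $actual = Get-OsBuildRevision
    # The page notes the server restarts on installation; until that restart
    # happens the running build does not change, so surface a pending reboot.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        RunningBuild  = $actual.ToString()
        RequiredBuild = $RequiredBuild.ToString()
        Compliant     = Test-PatchLevel -Actual $actual
        RebootPending = Test-Path -Path $rebootKey
    }
}

Get-KB5072033Status | Format-List
```

A server that reports RebootPending as True with Compliant as False has the update staged but is still running the unpatched build.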

Changelog – KB5072033

The following changes or improvements are part of KB5072033 for Windows Server 2025:

  • This update addresses security issues detected and shared for Windows Server 2025 24H2 editions.
  • [Copilot] Fixed: This update addresses an issue where Ask Copilot didn’t activate the Click to Do window as expected. The window now appears in the foreground when you share data with Copilot.
  • [File Explorer (known issue)] Fixed: This update addresses an issue where File Explorer briefly flashes white when you navigate between pages. This issue might occur after you install KB5070311.
  • [Networking] Fixed: This update fixes an issue where external virtual switches lose their physical network adapter (NIC) bindings after a host restart. When this happens, the switches revert to internal mode, resulting in loss of network connectivity for virtual machines and blocking normal server operations.
  • [PowerShell 5.1] Invoke-WebRequest now includes a confirmation prompt with a security warning of script execution risk. You can choose to continue or cancel the request. For additional details, see CVE-2025-54100 and KB5074596: PowerShell 5.1: Preventing script execution from web content.

Important Reminder for Secure Boot Services

It is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.

Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.

Rajesh Dhawan
