KB5087539 for Windows Server 2025

KB5087539 is the cumulative update for Windows Server 2025 version 24H2. It was released on 12 May 2026 as part of Microsoft’s ‘Patch Tuesday’ program.

Salient points

  • KB5087539 supersedes the April 2026 cumulative update KB5072063 for Windows Server 2025.
  • The KB5087539 security update corresponds to build 26100.32860.
  • KB5087539 also includes all changes from the out-of-band update KB5091157, released on 19 April 2026.
  • In May, Microsoft’s latest security report lists a total of 63 security vulnerabilities that affect Windows Server 2025.
  • No zero-day vulnerabilities affect Windows Server 2025.
  • Five CRITICAL security vulnerabilities affect Windows Server 2025 in the May Patch Tuesday cycle.
  • The Servicing Stack Update (SSU) corresponding to KB5087539 is KB5089717 (26100.32837). It is built into the main cumulative update, so the SSU does not need to be installed separately.

Zero-day vulnerabilities

No zero-day vulnerability affects the Windows Server 2025 24H2 edition. Zero-day vulnerabilities are those that are either publicly disclosed or have proven instances of exploitation.

Critical vulnerabilities

Five Critical vulnerabilities have been disclosed for Windows Server 2025 in the April 2026 security bulletin.

| Vulnerability | CVSS | Impact | Comments |
|---|---|---|---|
| CVE-2026-32161 | 7.5 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Native WiFi Miniport Driver allows an unauthorized attacker to execute code over an adjacent network. |
| CVE-2026-35421 | 7.8 | Remote Code Execution | Heap-based buffer overflow in Windows GDI allows an unauthorized attacker to execute code locally. |
| CVE-2026-40403 | 8.8 | Remote Code Execution | Heap-based buffer overflow in Windows Win32K – GRFX allows an authorized attacker to execute code locally. |
| CVE-2026-41089 | 9.8 | Remote Code Execution | Stack-based buffer overflow in Windows Netlogon allows an unauthorized attacker to execute code over a network. |
| CVE-2026-41096 | 9.3 | Remote Code Execution | Heap-based buffer overflow in Microsoft Windows DNS allows an unauthorized attacker to execute code over a network. |

Download KB5087539

You may download the offline installer file for KB5087539 from the catalog site link shared below:

The update file is available for x64 and ARM64 deployments. The server restarts after KB5087539 is installed, so plan the installation as a structured change.

Changelog – KB5087539

The following changes or improvements are part of KB5087539 for Windows Server 2025:

  • This update addresses security issues detected and shared for Windows Server 2025 24H2 editions.
  • [Secure Boot] With this update, Windows quality updates include additional high confidence device targeting data, increasing coverage of devices eligible to automatically receive new Secure Boot certificates. Devices receive the new certificates only after demonstrating sufficient successful update signals, maintaining a controlled and phased rollout.
  • [Connectivity] This update improves the reliability of Simple Service Discovery Protocol (SSDP) notifications to help prevent the service from becoming unresponsive.
  • [Daylight saving time (DST)] This update supports the 2023 DST change for the Arab Republic of Egypt.
  • [Remote Desktop] This update improves protection against phishing attacks that use Remote Desktop (.rdp) files. When you open an .rdp file, Remote Desktop shows all requested connection settings before it connects, with each setting turned off by default. A one-time security warning also appears the first time you open an .rdp file on a device. For more information, see Understanding security warnings when opening Remote Desktop (RDP) files.
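
A triage sketch for the [Remote Desktop] change above, added here as an example and not part of the original page or Microsoft's code: it parses an .rdp file's name:type:value lines and reports the redirections the file explicitly requests. The choice of property names checked and the sample file are assumptions.

```python
# Lists the local resources an .rdp file explicitly asks to redirect. Which
# standard RDP properties to check is an assumption, not the dialog's own list.
# Integer properties: a non-zero value requests the redirection.
INT_FLAGS = {
    "redirectclipboard": "clipboard",
    "redirectprinters": "printers",
    "redirectsmartcards": "smart cards",
    "redirectcomports": "COM ports",
    "audiocapturemode": "microphone",
}
# String properties: any non-empty value (for example "*") requests devices.
STR_FLAGS = {
    "drivestoredirect": "drives",
    "devicestoredirect": "plug and play devices",
    "usbdevicestoredirect": "USB devices",
    "camerastoredirect": "cameras",
}

def parse_rdp(text):
    """Parse decoded 'name:type:value' lines into {name: (type, value)}."""
    settings = {}
    for line in text.lstrip("\ufeff").splitlines():  # drop a leading BOM
        parts = line.strip().split(":", 2)
        if len(parts) == 3 and parts[1] in ("i", "s", "b"):
            settings[parts[0].strip().lower()] = (parts[1], parts[2].strip())
    return settings

def audit_rdp(text):
    """Return target host, signature presence and requested redirections."""
    s = parse_rdp(text)
    requested = []
    for key, label in INT_FLAGS.items():
        kind, value = s.get(key, ("i", "0"))  # absent properties are not reported
        if kind == "i" and value.lstrip("-").isdigit() and int(value) != 0:
            requested.append(label)
    for key, label in STR_FLAGS.items():
        if s.get(key, ("s", ""))[1]:
            requested.append(label)
    return {
        "target": s.get("full address", ("s", ""))[1],
        "has_signature": "signature" in s,  # presence only, not validated
        "requested": requested,
    }

# Constructed sample; the host name uses the reserved .example TLD.
SAMPLE = ("full address:s:rdp.host.example:3389\nredirectclipboard:i:1\n"
          "redirectprinters:i:0\ndrivestoredirect:s:*\naudiocapturemode:i:1\n")
if __name__ == "__main__":
    print(audit_rdp(SAMPLE))
```

.rdp files saved by Windows are often UTF-16 encoded, so decode the file with the right codec before passing its text to audit_rdp.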

Important Reminder for Secure Boot Services

It is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.

Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.

Rajesh Dhawan
