KB5094125 is the cumulative update for Windows Server 2025 version 24H2. Microsoft released it on 9 June 2026 as part of its ‘Patch Tuesday’ program.
Salient points
- KB5094125 supersedes May 2026 cumulative update KB5087539 for Windows Server 2025.
- KB5094125 security update corresponds to the build 26100.32995.
- Microsoft's June security report lists a total of 104 security vulnerabilities that affect Windows Server 2025.
- Three zero-day vulnerabilities affect Windows Server 2025.
- 21 CRITICAL security vulnerabilities affect Windows Server 2025 in the June Patch Tuesday cycle.
- The Servicing Stack Update (SSU) corresponding to KB5094125 is KB5094137 (26100.32985). It is built into the main cumulative update, so the SSU does not need to be installed separately.
Zero-day vulnerabilities
Three zero-day vulnerabilities affect the Windows Server 2025 24H2 edition. The zero-day vulnerabilities are either publicly disclosed or have proven instances of exploitation.
- CVE-2026-45586 – CVSS 7.8 – Windows Collaborative Translation Framework (CTFMON) Elevation of Privilege Vulnerability
- CVE-2026-49160 – CVSS 7.5 – HTTP.sys Denial of Service Vulnerability
- CVE-2026-50507 – CVSS 6.8 – Windows BitLocker Security Feature Bypass Vulnerability
Critical vulnerabilities
The June security bulletin for Windows Server 2025 reports 104 security vulnerabilities. 21 of these vulnerabilities have CRITICAL severity. These vulnerabilities are listed below.
- CVE-2026-44812
- CVE-2026-44810
- CVE-2026-44803
- CVE-2026-42987
- CVE-2026-44799
- CVE-2026-44801
- CVE-2026-42985
- CVE-2026-42992
- CVE-2026-47288
- CVE-2026-44815
- CVE-2026-48574
- CVE-2026-48563
- CVE-2026-47654
- CVE-2026-47652
- CVE-2026-47291
- CVE-2026-47289
- CVE-2026-45657
- CVE-2026-45648
- CVE-2026-45641
- CVE-2026-45607
- CVE-2026-33828
Download KB5094125
You may download the offline installer file for KB5094125 from the catalog site link shared below:
The update file is available for x64 and ARM64 deployments. The server restarts after KB5094125 is installed, so plan the installation as a structured change.
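To confirm after the restart that a server is really running at the KB5094125 level, the PowerShell check below compares the running build with 26100.32995 and reports whether a reboot is still pending. It is an added example, not code from Microsoft or from this page; the function name Test-PatchLevel and the state labels are hypothetical.

```powershell
# Added example: verify that a server is at or above the KB5094125 build level.
# Test-PatchLevel is a hypothetical helper name, not a built-in cmdlet.
function Test-PatchLevel {
    param(
        [string]$KbId        = 'KB5094125',
        [int]   $TargetBuild = 26100,   # Windows Server 2025 24H2 build family
        [int]   $TargetUbr   = 32995    # revision stated on this page for KB5094125
    )

    # The running build and its update revision (UBR) are recorded here.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Get-HotFix may no longer list this KB once a later cumulative update
    # replaces it, so the build comparison below decides the result.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue

    # Component Based Servicing creates this key while a restart is outstanding.
    $rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $pending   = Test-Path $rebootKey

    if     ($cv.InstallationType -notlike 'Server*') { $state = 'NotApplicable' }
    elseif ($build -ne $TargetBuild)                 { $state = 'NotApplicable' }
    elseif ($ubr -ge $TargetUbr)                     { $state = 'Patched' }
    elseif ($pending)                                { $state = 'RebootPending' }
    else                                             { $state = 'Missing' }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        RunningBuild  = "$build.$ubr"
        RequiredBuild = "$TargetBuild.$TargetUbr"
        KbListed      = [bool]$hotfix
        RebootPending = $pending
        State         = $state
    }
}

Test-PatchLevel
```

A server that reports a revision higher than 32995 with KbListed set to False has received a later cumulative update and is still counted as Patched.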
Changelog – KB5094125
The following changes or improvements are part of KB5094125 for Windows Server 2025:
- This update addresses security issues detected and shared for Windows Server 2025 24H2 editions.
- [Secure Boot]
- [Boot manager servicing update (Known issue)] Fixed: This update addresses an issue where some devices might enter BitLocker Recovery after updating boot files on systems with certain Trusted Platform Module (TPM) validation settings, including invalid PCR7 (Platform Configuration Register 7) configurations. This might occur after installing the April 2026 security update (KB5082063).
- [File Explorer] This update improves File Explorer search, including support for Chinese text and UTF-8-encoded files without a byte order mark (BOM). Text now displays more clearly and consistently across search results, Content view, and tooltips.
- [Networking] New! Windows Server 2025 DNS Server now supports DNS over HTTPS (DoH), enabling encrypted DNS communication between the server and clients. DoH helps improve privacy and security by protecting DNS queries from being viewed and preventing unauthorized modification of DNS responses. This feature is generally available and compatible with existing DNS infrastructure and management workflows.
Note: This support applies only to server-client communication and doesn’t support encrypted DNS communication between servers.
- [Reliability] This update improves reliability during user profile load by managing system resources more efficiently.
- [Windows Update Deployment (known issue)] Fixed: This update addresses an issue in Windows Server 2025, where updates installed using the Windows Update Standalone Installer (WUSA) might fail with error code ERROR_BAD_PATHNAME. This issue can occur when you double-click a .msu file or run WUSA from a network share that contains multiple .msu files.
Important Reminder for Secure Boot Services
It is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.
Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.