KB5065426 for Windows Server 2025 – September 2025

KB5065426 is the cumulative update for Windows Server 2025 version 24H2. It was released on 9 September 2025 as part of Microsoft's monthly ‘Patch Tuesday’ release.

Salient points

  • KB5065426 supersedes August 2025 cumulative update KB5063878 for Windows Server 2025.
  • It also includes all changes that are part of the preview update KB5064180 released on 19 August 2025.
  • KB5065426 corresponds to build 26100.6584.
  • 52 security vulnerabilities have been reported in the August 2025 security bulletin for Windows Server 2025.
  • 7 of these 52 vulnerabilities have a CRITICAL severity level. Details of the CRITICAL vulnerabilities are in the vulnerabilities section below.
  • A single zero-day vulnerability affects Windows Server 2025.
  • The Servicing Stack Update corresponding to KB5065426 is KB5064531 (26100.5074). It is built into the main cumulative update, so a separate installation of the SSU (Servicing Stack Update) is not needed.
  • The AI components have been updated to version 1.2508.906.0. The updated components include image search, content extraction, and semantic analysis.

Zero-day vulnerability

A single zero-day vulnerability affects the Windows Server 2025 24H2 edition. A zero-day vulnerability is one that was either publicly disclosed or had proven instances of exploitation before the fix was released.

Vulnerability | CVSS | Impact | Description
--- | --- | --- | ---
CVE-2025-55234 | 8.8 | Elevation of Privilege in Windows SMB | SMB Server might be susceptible to relay attacks depending on the configuration. An attacker who successfully exploited these vulnerabilities could perform relay attacks and make the users subject to elevation of privilege attacks.

Critical vulnerabilities

The 7 CRITICAL vulnerabilities affecting Windows Server 2025 are shared below.

Vulnerability | CVSS | Impact | Description
--- | --- | --- | ---
CVE-2025-53799 | 5.5 | Information Disclosure | Use of uninitialized resource in Windows Imaging Component allows an unauthorized attacker to disclose information locally.
CVE-2025-53800 | 7.8 | Elevation of Privilege | No CWE for this issue in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVE-2025-54918 | 8.8 | Elevation of Privilege | Improper authentication in Windows NTLM allows an authorized attacker to elevate privileges over a network.
CVE-2025-55226 | 6.7 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Graphics Kernel allows an authorized attacker to execute code locally.
CVE-2025-55224 | 7.8 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Win32K – GRFX allows an authorized attacker to execute code locally.
CVE-2025-55236 | 7.3 | Remote Code Execution | Time-of-check time-of-use (TOCTOU) race condition in Graphics Kernel allows an authorized attacker to execute code locally.
CVE-2025-55228 | 7.8 | Remote Code Execution | Concurrent execution using shared resource with improper synchronization (‘race condition’) in Windows Win32K – GRFX allows an authorized attacker to execute code locally.

(RCE is Remote Code Execution)

AI Components

The following AI components for Windows Server 2025 have been updated to the latest version 1.2508.906.0:

  • Image Search
  • Content Extraction
  • Semantic Analysis
  • Settings Model

Download KB5065426

You may download the offline installer file for KB5065426 from the catalog site link shared below:

The update file is available for x64 and ARM64 deployments. The server will restart after KB5065426 is installed, so plan the installation as a structured change.

Changelog – KB5065426

The following changes or improvements are part of KB5065426 for Windows Server 2025:

  • [App compatibility (known issue)] Fixed: Addresses an issue that caused non-admin users to receive unexpected User Account Control (UAC) prompts when MSI installers perform certain custom actions. These actions might include configuration or repair operations in the foreground or background, during the initial installation of an application.
  • [File server] This update enables auditing of SMB client compatibility with SMB Server signing and SMB Server EPA (Extended Protection for Authentication). This allows customers to assess their environment and identify any potential device or software incompatibility issues before deploying the hardening measures that SMB Server already supports.
  • [Input]
    • Fixed: This update addresses an issue that caused certain apps to stop responding to input in some input method scenarios.
    • Fixed: This update addresses an issue that caused some Internet Information Services (IIS) modules to disappear from IIS Manager, preventing users from configuring IIS using the IIS Manager interface.
  • [Networking (known issue)] Fixed: This update addresses an issue that affects audio in apps using the Network Device Interface (NDI). Audio stutters when Display Capture is on in the OBS Studio application. This can occur after installing KB5063878.
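The file server item above and the SMB relay zero-day (CVE-2025-55234) both come down to the same question for an administrator: is signing enforced on this server, and which clients would break if it were? The following PowerShell is an added example, not part of the KB article or of Microsoft's documentation. It assumes it is run elevated on a Windows Server 2025 host with the update installed and the new audits already switched on, that the audit events land in the existing SMB server audit channel Microsoft-Windows-SMBServer/Audit, and that the client name or address can be pulled from the event message with the regex shown (an assumption; adjust it to the message format you see).

```powershell
# Added example (not from the KB article). Inventory the SMB server's current
# signing/encryption enforcement, then summarise the SMB server audit log so
# the clients that still lack signing or EPA support are listed per event ID.
# Assumptions: run elevated; the audits write to the SMB server audit channel
# used by existing SMB audits; the message regex below is a guess to adjust.

# 1. Current enforcement state (these are real Get-SmbServerConfiguration fields).
$cfg = Get-SmbServerConfiguration
[pscustomobject]@{
    SigningRequired   = $cfg.RequireSecuritySignature   # relay mitigation when $true
    SigningEnabled    = $cfg.EnableSecuritySignature
    EncryptData       = $cfg.EncryptData
    RejectUnencrypted = $cfg.RejectUnencryptedAccess
} | Format-List

# 2. Pull the last 7 days of SMB server audit events.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-SMBServer/Audit'
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No SMB audit events found; confirm the audits are enabled and clients have connected.'
    return
}

# 3. Group by event ID and client so the remediation list falls out directly.
$events |
    ForEach-Object {
        # Assumed message layout: "... Client Name: host ..." or "... Client Address: ip ...".
        $client = if ($_.Message -match 'Client (Name|Address):\s*(\S+)') { $Matches[2] } else { '(unparsed)' }
        [pscustomobject]@{ EventId = $_.Id; Client = $client }
    } |
    Group-Object EventId, Client |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'EventId'; e = { $_.Group[0].EventId } },
        @{ n = 'Client';  e = { $_.Group[0].Client } } |
    Format-Table -AutoSize
```

Run it for a full business cycle before flipping RequireSecuritySignature, since clients that connect only weekly will otherwise be missed.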

Important Reminder for Secure Boot Services

It is important to note that the Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Secure Boot is a security feature in Unified Extensible Firmware Interface (UEFI) based firmware that helps ensure that only trusted software runs during a device’s boot (start) sequence.

Since Windows introduced Secure Boot support, all Windows-based devices have carried the same set of Microsoft certificates in the KEK and DB. These original certificates are nearing their expiration date, and your device is affected if it has any of the listed certificate versions. To continue running Windows and receiving regular updates for your Secure Boot configuration, you will need to update these certificates.
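The paragraph above tells you the KEK and DB need the new certificates but not how to tell whether a given server already has them. The following PowerShell is an added example, not from the article or from Microsoft: it reads the raw Secure Boot variables and searches them for the subject names of the original 2011 Microsoft CAs and their 2023 replacements. It assumes an elevated session on a UEFI system with Secure Boot enabled, and that searching the variable bytes as ASCII for the CA subject string is an adequate presence test (the same approach Microsoft's own published check uses).

```powershell
# Added example (not from the article). For each Secure Boot variable, report
# whether the expiring 2011 Microsoft CA and its 2023 replacement are present.
# Assumption: an ASCII substring match on the CA subject name inside the raw
# variable bytes is sufficient; it does not parse the EFI_SIGNATURE_LIST.

if (-not (Confirm-SecureBootUEFI)) {
    throw 'Secure Boot is not enabled on this system; nothing to check.'
}

# Subject names of the 2011-era CAs the article refers to and their 2023 successors.
$checks = @(
    @{ Var = 'db';  Old = 'Microsoft Windows Production PCA 2011'; New = 'Windows UEFI CA 2023' }
    @{ Var = 'db';  Old = 'Microsoft Corporation UEFI CA 2011';    New = 'Microsoft UEFI CA 2023' }
    @{ Var = 'KEK'; Old = 'Microsoft Corporation KEK CA 2011';     New = 'Microsoft Corporation KEK 2K CA 2023' }
)

$checks | ForEach-Object {
    $bytes = (Get-SecureBootUEFI -Name $_.Var).Bytes
    $text  = [System.Text.Encoding]::ASCII.GetString($bytes)
    $hasOld = $text -match [regex]::Escape($_.Old)
    $hasNew = $text -match [regex]::Escape($_.New)
    [pscustomobject]@{
        Variable = $_.Var
        OldCA    = $_.Old
        HasOldCA = $hasOld
        NewCA    = $_.New
        HasNewCA = $hasNew
        # A device is only safe once the 2023 CA is present in each variable.
        Status   = if ($hasNew) { 'updated' } elseif ($hasOld) { 'needs 2023 CA' } else { 'unexpected: neither CA found' }
    }
} | Format-Table -AutoSize
```

Any row showing "needs 2023 CA" is a server that still depends on a certificate in the expiring set and should be scheduled for the certificate update before June 2026.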

Rajesh Dhawan

Simplifying technology, one step at a time.