Microsoft Windows Server 2016 Vulnerabilities
Fix Microsoft Windows Server 2016 on Windows Server
18 entries · Windows Server · Sorted by severity
| Severity | Security update (Windows Server 2016) | Vulnerability | Product | CVE | CVSS | Notes | Reboot | Remediation |
|---|---|---|---|---|---|---|---|---|
| CRITICAL | KB4512517 (August 2019) | Windows Remote Desktop Services (RDP) — Wormable Pre-Auth RCE ("DejaBlue") | Microsoft Windows Server 2016 | CVE-2019-1182 | 9.8 | No confirmed in-the-wild worm at time of writing, but the same protocol layer was the target of BlueKeep (CVE-2019-0708). PoC research has been published. | Reboot Required | Script |
| CRITICAL | KB4534271 (January 2020) | Windows Remote Desktop Gateway ("BlueGate") — Companion UDP RCE on Port 3391 | Microsoft Windows Server 2016 | CVE-2020-0610 | 9.8 | Companion to CVE-2020-0609; patched together. PoCs available. ~15,500 internet-exposed RD Gateways at disclosure. | Reboot Required | Script |
| CRITICAL | KB4534271 (January 2020) | Windows Remote Desktop Gateway ("BlueGate") — Pre-Auth UDP RCE on Port 3391 | Microsoft Windows Server 2016 | CVE-2020-0609 | 9.8 | Public proof-of-concept code (DoS + RCE) from multiple researchers; working RCE PoC has been demonstrated. ~15,500 RD Gateway servers were internet-exposed on UDP 3391 at disclosure. | Reboot Required | Script |
| CRITICAL | KB5003197 (May 2021) | Hyper-V vmswitch.sys — Guest-to-Host RCE via Crafted RNDIS over VMBus | Microsoft Windows Server 2016 | CVE-2021-28476 | 9.9 | Public proof-of-concept exists (0vercl0k/CVE-2021-28476 on GitHub). Reported as affecting Azure infrastructure prior to patch. | Reboot Required | Script |
| CRITICAL | KB5062560 (July 2025) | SPNEGO NEGOEX Heap-Based Buffer Overflow — Wormable Unauthenticated RCE in LSASS | Microsoft Windows Server 2016 | CVE-2025-47981 | 9.8 | Microsoft assessed exploitation as "more likely" and described the flaw as wormable. Prioritise internet-facing systems and domain controllers. | Reboot Required | Script |
| CRITICAL | KB5087537 (May 2026) | Windows Netlogon Stack-Based Buffer Overflow — Unauthenticated RCE on Domain Controllers | Microsoft Windows Server 2016 | CVE-2026-41089 | 9.8 | No confirmed in-the-wild exploitation at time of writing. Patch every domain controller before any other system. | Reboot Required | Script |
| CRITICAL | KB5046612 (November 2024) | Windows Kerberos KDC Proxy (KPSSVC) — Unauthenticated RCE via Integer Overflow | Microsoft Windows Server 2016 | CVE-2024-43639 | 9.8 | No confirmed in-the-wild exploitation at time of writing. ZDI published a technical analysis in March 2025. | Reboot Required | Script |
| CRITICAL | KB4512517 (August 2019) | Windows Remote Desktop Services (RDP) — Wormable Pre-Auth RCE ("DejaBlue") | Microsoft Windows Server 2016 | CVE-2019-1181 | 9.8 | No confirmed in-the-wild worm at time of writing, but the same protocol layer was the target of BlueKeep (CVE-2019-0708). PoC research has been published. | Reboot Required | Script |
| CRITICAL | KB5025228 (April 2023) | Microsoft Message Queuing (MSMQ) "QueueJumper" — Unauthenticated RCE | Microsoft Windows Server 2016 | CVE-2023-21554 | 9.8 | Public technical analysis and proof-of-concept widely available since April 2023 (Check Point Research, IBM X-Force, Bitdefender). Over 360,000 internet-exposed MSMQ services were estimated at risk at disclosure. | Reboot Required | Script |
| CRITICAL | KB5040434 (July 2024) | Remote Desktop Licensing Service — Unauthenticated Integer-Underflow RCE | Microsoft Windows Server 2016 | CVE-2024-38074 | 9.8 | Public technical analysis available ("MadLicense" research series). No confirmed in-the-wild exploitation at time of writing. | Reboot Required | Script |
| CRITICAL | KB5040434 (July 2024) | Remote Desktop Licensing Service — Heap-Based Buffer Overflow RCE | Microsoft Windows Server 2016 | CVE-2024-38076 | 9.8 | Companion to CVE-2024-38074 in the "MadLicense" research series. No confirmed in-the-wild exploitation at time of writing. | Reboot Required | Script |
| CRITICAL | KB5041773 (August 2024) | Windows Line Printer Daemon (LPD) Service — Use-After-Free RCE | Microsoft Windows Server 2016 | CVE-2024-38199 | 9.8 | Microsoft assessed exploitation as "more likely". Public proof-of-concept research has been published. | Reboot Required | Script |
| CRITICAL | KB5073722 (July 2025) | SQLite (winsqlite3.dll) Memory Corruption — RCE via Crafted SQL Aggregate | Microsoft Windows Server 2016 | CVE-2025-6965 | 9.8 | Discovered by Google's "Big Sleep" AI-assisted vulnerability research. Public proof-of-concept exists for upstream SQLite; in-the-wild exploitation not yet reported. | Reboot Required | Script |
| CRITICAL | KB5063871 (August 2025) | Windows GDI+ Heap-Based Buffer Overflow — Unauthenticated RCE via Crafted Metafile | Microsoft Windows Server 2016 | CVE-2025-53766 | 9.8 | No confirmed in-the-wild exploitation at time of writing. Public technical analysis from Check Point Research is available. | Reboot Required | Script |
| CRITICAL | KB5082198 (April 2026) | Windows IKE Service Extensions Double-Free — Unauthenticated RCE via Crafted IKEv2 Packet | Microsoft Windows Server 2016 | CVE-2026-33824 | 9.8 | No public proof-of-concept or in-the-wild exploitation at time of writing. Microsoft assessed as critical severity. | Reboot Required | Script |
| CRITICAL | KB5049993 (January 2025) | Windows Reliable Multicast Transport Driver (RMCAST) Use-After-Free — Unauthenticated Network RCE | Microsoft Windows Server 2016 | CVE-2025-21307 | 9.8 | Microsoft assessed exploitation as "more likely". No public proof-of-concept at time of writing. | Reboot Required | Script |
| CRITICAL | KB5041773 (August 2024) | Windows Reliable Multicast Transport Driver (RMCAST) — Use-After-Free RCE | Microsoft Windows Server 2016 | CVE-2024-38140 | 9.8 | No confirmed in-the-wild exploitation at time of writing. Closely related to CVE-2025-21307 in the same component. | Reboot Required | Script |
| CRITICAL | KB5012596 (April 2022) | Windows RPC Runtime Library — Wormable Unauthenticated RCE on TCP 445 | Microsoft Windows Server 2016 | CVE-2022-26809 | 9.8 | Public proof-of-concept code available (websecnl/CVE-2022-26809 on GitHub). Microsoft classified the vulnerability as wormable. Shodan counted 700,000+ internet-exposed hosts at disclosure. | Reboot Required | Script |