KB5037763: Windows Server 2019 / 2022 / 2016 Security Update (May 2024)
Microsoft DWM Core Library contains a privilege escalation vulnerability that allows an attacker to gain SYSTEM privileges.
A local attacker, with a low-privilege account, can achieve full data confidentiality loss, arbitrary modification of data, complete denial of service or system unavailability. CISA has confirmed use of this vulnerability in known ransomware campaigns — treat as high priority for remediation. Federal agencies are required to remediate by 2024-06-04 under CISA BOD 22-01.
This is a Heap-based Buffer Overflow (CWE-122) vulnerability in Microsoft DWM Core Library. Windows DWM Core Library Elevation of Privilege Vulnerability Exploitation requires local access, low attack complexity, a low-privilege authenticated account, and no user interaction required.
Probably yes if any of these apply:
Affected OS versions
CISA confirms this CVE has been used in known ransomware campaigns. Added to the KEV catalog on 2024-05-14; federal agencies required to remediate by 2024-06-04.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
↗ Microsoft Update CatalogKB5037763Manual remediation steps
Apply the Microsoft Security Update
Microsoft has released an official security update that fixes this vulnerability.
Required KB Updates
Supersedes: KB5036892, KB5036893, KB5036894, KB5036896, KB5036899, KB5036909, KB5036925
Affected Products
Fixed Build Numbers
Installation Methods
Windows Update (recommended)
Microsoft Update Catalog (manual download)
.msu installer with administrator privilegesWSUS / SCCM / Intune
Approve KB5037763 for the affected products in your update management console.
Microsoft Download Center Links
Verification
Confirm the update is installed:
Get-HotFix | Where-Object { $_.HotFixID -in @('KB5037763','KB5037765','KB5037768','KB5037770','KB5037771','KB5037782','KB5037788','KB5037848') }
References
Discovery Credit
Vlad Stolyarov and Benoit Sevens of Google Threat Analysis Group Bryce Abdo and Adam Brunner of Google Mandiant, Quan Jin with DBAPPSecurity WeBin Lab Guoxian Zhong with DBAPPSecurity WeBin Lab, Mert Degirmenci and Boris Larin with Kaspersky
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.
Related vulnerabilities
KB5000871: Windows Server 2016 / 2019 Security Update (May 2026)
Microsoft Exchange Server
CVE-2021-26855
MEDIUM6.5Microsoft Defender for Identity Improper Authentication — Spoofing (CVE-2025-26685)
Microsoft Defender for Identity
CVE-2025-26685
HIGHIIS Security Updates Require Both Windows Update and Manual Configuration Review
Microsoft IIS