IRONSMITHINTEL
CRITICALCVSS9.8
|CVE-2022-26937|Auth: none|Reboot: required|Manual only

KB5014011: Windows Server 2012 R2 Security Update (May 2022)

A crafted NFS request can give an attacker SYSTEM-level code execution on any Windows Server running the NFS Server role.

Published May 10, 2022 · Updated May 21, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker on the network who can reach the NFS server (TCP/UDP 2049 plus portmapper and lockd helpers) can send a crafted request and execute code as SYSTEM. From SYSTEM the attacker controls every file share the server hosts — read, write, delete, ransomware-encrypt — and can pivot to clients that mount the shares.

How the attack works

The Windows Network File System (NFS) Server role lets Windows servers share files with Linux, Unix, and ESXi clients. A stack buffer overflow in NLM Portmap handling — GETADDR RPC response is crafted by the attacker in the NFS handler lets crafted requests corrupt server memory and execute code. The NFS Server role is not installed by default but is widely enabled in mixed-OS environments.

Am I affected?Quick check

Probably yes if any of these apply:

Windows Servers running the Server for NFS role
Mixed Windows / Linux / ESXi storage environments

Affected OS versions

Windows Server 2012 R2
Real-world incidentsWhat we've seen

An attacker triggers an NLM (Network Lock Manager) request that causes the NFS server to issue an outbound GETADDR RPC; the attacker controls the response and crafts a GETADDR reply that overflows the server's stack buffer. The result is SYSTEM-level code execution on a server that holds shared files for an entire department.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5014011

Manual remediation steps

Decide if you need the NFS Server role

The Windows NFS Server role is not installed by default. If you do not have Linux/Unix/ESXi clients using NFS, remove the role:

Get-WindowsFeature -Name FS-NFS-Service | Where-Object Installed
# Uninstall-WindowsFeature -Name FS-NFS-Service

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5014011 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5014011
2
Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5014011
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5014011 /quiet /norestart

Notes

    1
    This entry covers Windows Server 2012 R2 specifically (KB5014011). Other Windows Server versions have their own KB for CVE-2022-26937.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26937 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-26937.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2022-26937MSRC AdvisoryNVDKBKB5014011