CRITICALCVSS9.8

|CVE-2023-21689|Auth: none|Reboot: required|Manual only

KB5022899: Windows Server 2012 R2 Security Update (February 2023)

A crafted authentication packet sent to a Windows Network Policy Server can give an attacker SYSTEM-level code execution.

Published Feb 14, 2023 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can reach the RADIUS / NPS port on a Windows Server running NPS with a PEAP-enabled network policy can send a crafted PEAP authentication request and execute code as SYSTEM. No valid credentials required — the flaw triggers during the pre-authentication handshake. From SYSTEM the attacker can read every cached RADIUS credential and forge authentication for any wireless or wired client the NPS serves.

How the attack works

PEAP is the authentication protocol that wraps weaker EAP methods (like MS-CHAPv2) inside a TLS tunnel — the backbone of Wi-Fi WPA2-Enterprise, 802.1X wired authentication, and many VPN deployments. The Network Policy Server (NPS) role on Windows Server terminates PEAP. A heap-based buffer overflow in how the PEAP parser handles authentication messages lets an unauthenticated attacker send a crafted PEAP packet and execute code in the NPS service context.

Am I affected?Quick check

Probably yes if any of these apply:

●Windows Servers running the Network Policy Server (NPS) role with PEAP enabled as an EAP type

●Wi-Fi WPA2-Enterprise, 802.1X wired, and PEAP-based VPN authentication backends

Affected OS versions

Windows Server 2012 R2

Real-world incidentsWhat we've seen

An attacker on the corporate wireless network — connected as a guest, or via a misconfigured guest VLAN that can reach the RADIUS server — sends a crafted PEAP packet at the NPS. The NPS service crashes, the attacker tunes the exploit, and the next attempt runs code as SYSTEM on the NPS. From there the attacker controls the authentication source for every Wi-Fi client and switch port in the building.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5022899

Manual remediation steps

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5022899 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5022899)

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5022899

Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5022899
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5022899, the install did not take — re-run from a different channel.

Rollback

wusa.exe /uninstall /kb:5022899 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2012 R2 specifically (KB5022899). Other Windows Server versions have their own KB for CVE-2023-21689.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21689 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-21689.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2023-21689 ↗ MSRC Advisory ↗ NVD ↗ KBKB5022899