KB5062597: Windows Server 2012 R2 Security Update (July 2025)
A single crafted authentication packet can give an attacker SYSTEM-level code execution on any internet-reachable Windows Server, with no credentials and no user interaction.
An attacker who can reach any authenticating service on your server — SMB on 445, RDP on 3389, HTTP(S) on 80/443, or anything else that negotiates Windows authentication — can send one crafted NEGOEX packet and execute code inside LSASS. LSASS holds plaintext-equivalent credentials and runs as SYSTEM, so the attacker walks away with both SYSTEM-level code execution and the cached credentials of every recently-logged-in user. Microsoft characterised the flaw as wormable: code on one compromised server can target the next without human help.
SPNEGO (Simple and Protected GSS-API Negotiation) is the negotiation layer Windows uses to pick an authentication protocol — Kerberos, NTLM, or something else — at the start of a connection. NEGOEX is its extended-negotiation mechanism, and it runs inside LSASS, the process that holds Windows credentials. A heap-based buffer overflow in how NEGOEX parses authentication messages lets a single crafted packet corrupt LSASS memory and execute code as SYSTEM. Because SPNEGO is invoked at the start of authenticated sessions on SMB, RDP, HTTP and other protocols, the vulnerable code path is reachable on virtually every Windows Server.
Probably yes if any of these apply:
Affected OS versions
A scanner finds a Windows Server with SMB exposed to the internet. Within seconds an automated exploit sends a single NEGOEX packet, lands code inside LSASS, harvests cached domain-admin tickets, and uses them to authenticate to the next domain member — which is also vulnerable, also gets owned, also harvests credentials. This is the EternalBlue / WannaCry pattern: one unauthenticated pre-auth bug in a service Windows turns on by default, multiplied by automation. Patch before the proof-of-concept becomes a worm.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
↗ Microsoft Update CatalogKB5062597Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5062597 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5062597)
Manual download (offline or air-gapped servers):
3. Reboot
Restart-Computer -Force
Verification
After the reboot:
# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5062597
# Confirm OS build advanced
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5062597, the install did not take — re-run the update from a different channel.
Rollback
# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5062597 /quiet /norestart
# Reboot after uninstall
Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.