CRITICALCVSS9.8

|CVE-2022-35744|Auth: none|Reboot: required|Manual only

KB5016622: Windows Server 2016 Security Update (August 2022)

A crafted PPP packet can give an attacker SYSTEM-level code execution on any Windows Server accepting PPP connections (typically RRAS VPN endpoints).

Published Aug 9, 2022 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker on the internet can send crafted PPP packets to a Windows RRAS server and execute code as SYSTEM. From SYSTEM on a VPN concentrator the attacker controls the boundary between the public internet and the internal network — every legitimate VPN tunnel, every routed packet, every authentication credential that passes through.

How the attack works

PPP (Point-to-Point Protocol) is the data-link protocol behind PPTP and L2TP VPN connections, terminated by the Routing and Remote Access Service (RRAS) on Windows Server. A flaw in how the PPP handler parses incoming packets lets crafted protocol traffic corrupt memory and execute code in the RAS service context. Vulnerable servers are by design internet-facing — that is what they exist for.

Am I affected?Quick check

Probably yes if any of these apply:

●Windows Servers with the Routing and Remote Access Service (RRAS) role enabled

●PPTP / L2TP VPN endpoints

Affected OS versions

Windows Server 2016

Real-world incidentsWhat we've seen

A small enterprise still runs a Windows Server PPTP VPN for legacy remote access. The server is internet-facing on port 1723 because that is what the protocol requires. An attacker scans for PPTP responders, finds the endpoint, sends crafted PPP packets, and lands SYSTEM on the VPN server. From that pivot they are effectively inside the corporate network as a trusted VPN session.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5016622

Manual remediation steps

Decide if you need the RRAS role at all

RRAS is not installed by default. If this server is not a VPN gateway / NAT router / DirectAccess endpoint, remove the role:

Get-WindowsFeature -Name RemoteAccess | Where-Object Installed
# Uninstall-WindowsFeature -Name RemoteAccess

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5016622 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5016622

Download the MSU for Windows Server 2016 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5016622
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5016622 /quiet /norestart

Notes

This entry covers Windows Server 2016 specifically (KB5016622). Other Windows Server versions have their own KB for CVE-2022-35744.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-35744 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-35744.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2022-35744 ↗ MSRC Advisory ↗ NVD ↗ KBKB5016622