CRITICALCVSS9.8

|CVE-2023-21708|Auth: none|Reboot: required|Manual only

KB5023697: Windows Server 2016 Security Update (March 2023)

A crafted RPC request to any Windows Server can give an attacker SYSTEM-level code execution, with no credentials.

Published Mar 14, 2023 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can reach an RPC endpoint on a Windows Server — and TCP 135 plus the RPC dynamic-port range is reachable internally on virtually every server — can send a crafted RPC request that triggers the integer underflow and runs code in the target service's context. Many RPC servers run as SYSTEM, so the attacker frequently lands with the highest privileges. Mitigation by blocking ports is impractical because RPC is used by so many core Windows features.

How the attack works

Remote Procedure Call (RPC) is one of the most fundamental Windows networking subsystems — used by file sharing, the service control manager, scheduled tasks, AD replication, and dozens of other features. The RPC Runtime is the library that parses incoming RPC requests, and it runs on every Windows machine. An integer-underflow bug in the runtime causes a length calculation to wrap to a very large value, leading to memory corruption when the next operation copies data based on that length.

Am I affected?Quick check

Probably yes if any of these apply:

●Every Windows Server (RPC runs on all of them)

●Domain controllers and file servers are highest-priority because of their lateral-movement value

Affected OS versions

Windows Server 2016

Real-world incidentsWhat we've seen

A ransomware affiliate inside a corporate network — having phished a single user — discovers that every Windows Server in the environment exposes RPC on TCP 135 and the dynamic high-port range. One crafted RPC request per server, automated across the IP range, gives them SYSTEM on every unpatched host in the network in a single sweep. RPC is the ultimate "everywhere" attack surface.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5023697

Manual remediation steps

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5023697 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5023697)

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5023697

Download the MSU for Windows Server 2016 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5023697
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5023697, the install did not take — re-run from a different channel.

Rollback

wusa.exe /uninstall /kb:5023697 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2016 specifically (KB5023697). Other Windows Server versions have their own KB for CVE-2023-21708.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21708 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-21708.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2023-21708 ↗ MSRC Advisory ↗ NVD ↗ KBKB5023697