CRITICALCVSS9.8

|CVE-2023-23415|Auth: none|Reboot: required|Manual only

KB5023697: Windows Server 2016 Security Update (March 2023)

A single crafted ICMP packet — sometimes called a "killer ping" — can give an attacker kernel-level code execution on a Windows Server with no credentials.

Published Mar 14, 2023 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can reach a Windows Server with ICMP at all — and that is essentially any reachable server — can send a crafted ICMP packet and trigger a heap overflow in the kernel. The result is kernel-context code execution with no authentication, no user interaction, and no service exposure beyond ICMP. Internet-facing servers are particularly exposed because external ICMP is often allowed for diagnostics.

How the attack works

ICMP is the protocol behind utilities like ping and traceroute, and it is processed by the Windows TCP/IP stack in kernel mode — the same code path that handles every other IP packet. A heap-based buffer overflow in how the ICMP handler parses certain crafted ICMP packets lets an attacker overflow a kernel buffer and execute code in kernel context. ICMP is rarely blocked entirely because it is needed for path-MTU discovery and basic diagnostics.

Am I affected?Quick check

Probably yes if any of these apply:

●Every Windows Server reachable by IP

●Internet-facing servers are highest priority because external ICMP is widely allowed

Affected OS versions

Windows Server 2016

Real-world incidentsWhat we've seen

A scanning service finds a Windows Server with an externally-routable IP that responds to ICMP — a very common configuration. A single crafted ICMP packet later, the server's kernel is executing attacker code. Network-stack RCEs over ICMP are the closest modern equivalent to "ping of death" — a network primitive that nobody can sensibly block at the perimeter, weaponised into kernel-level remote compromise.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5023697

Manual remediation steps

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5023697 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5023697)

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5023697

Download the MSU for Windows Server 2016 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5023697
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5023697, the install did not take — re-run from a different channel.

Rollback

wusa.exe /uninstall /kb:5023697 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2016 specifically (KB5023697). Other Windows Server versions have their own KB for CVE-2023-23415.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-23415 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-23415.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2023-23415 ↗ MSRC Advisory ↗ NVD ↗ KBKB5023697