IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2023-35365 | Auth: none | Reboot: required | Manual only

KB5028169: Windows Server 2016 Security Update (July 2023)

A crafted packet to a Windows Server with the RRAS role enabled can give an attacker SYSTEM-level code execution with no credentials.

Published Jul 11, 2023 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker on the internet can send crafted packets to the RRAS endpoint and execute code as SYSTEM on the VPN / NAT server, with no credentials and no user interaction. From SYSTEM on an RRAS server the attacker controls the boundary device between the public internet and the internal corporate network — every VPN session, every routed packet, every authentication token that passes through.

How the attack works

The Windows Routing and Remote Access Service (RRAS) is the role that provides VPN, NAT routing, and dial-up access on Windows Server. RRAS is not installed by default, but when it is, it is almost always exposed to the internet — that is the role's entire purpose. A flaw in how RRAS handles incoming protocol traffic lets a remote attacker send crafted packets and execute code in the service context. This is one of three closely related RRAS RCEs (CVE-2023-35365, CVE-2023-35366, CVE-2023-35367) patched together in July 2023.

Am I affected? Quick check

Probably yes if any of these apply:

Windows Servers with the Routing and Remote Access Service role enabled (VPN gateways, DirectAccess servers, NAT routers)

Affected OS versions

Windows Server 2016

Real-world incidents: what we've seen

A nation-state actor or a ransomware affiliate scans for internet-facing RRAS endpoints — easy to find because they advertise themselves through standard ports. They send the crafted packet, land SYSTEM on the VPN gateway, and from that pivot have the same network access as every legitimate VPN user — which on most networks is essentially "trusted." RRAS RCEs are the modern equivalent of "compromise the firewall."

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5028169

Manual remediation steps

Decide if you need the RRAS role at all

The Routing and Remote Access Service is not installed by default. If you are not using this server as a VPN gateway, NAT router, or DirectAccess endpoint, the strongest mitigation is to remove the role entirely:

Get-WindowsFeature -Name RemoteAccess | Where-Object Installed
# To remove:
# Uninstall-WindowsFeature -Name RemoteAccess

If RRAS must stay enabled, apply the patch below.

Prerequisites

    Local administrator on the target server
    Maintenance window with reboot capacity
    Current backup or snapshot you can roll back to
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5028169 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5028169)

Manual download (offline / air-gapped):

    1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5028169
    2. Download the MSU for Windows Server 2016 that matches your architecture (x64).
    3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5028169
[System.Environment]::OSVersion.Version
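
A per-host triage script that combines the role check, the KB check and the reboot requirement described on this page, added here as an example and not a tested script from this site or from Microsoft. `$MinimumUbr` is a placeholder to fill in from Microsoft's KB5028169 article; the registry paths and the `RemoteAccess` service name are standard Windows values that do not appear on the page.

```powershell
# Added example (not from the original page): per-host RRAS / KB5028169 triage.
param(
    # PLACEHOLDER: update build revision Microsoft publishes for KB5028169 (0 = skip this check)
    [int]$MinimumUbr = 0
)
$kb = 'KB5028169'

# Is the role from the "Am I affected?" check installed, and what state is the service in?
$role = Get-WindowsFeature -Name RemoteAccess
$svc  = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue

# Exact-KB lookup; returns nothing on a host that skipped this KB
# and installed a later cumulative update instead.
$hotfix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue

# Build number and update build revision (UBR) as recorded in the registry.
$cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$ubr = [int]$cv.UBR

# Servicing flag that exists while an installed update still waits for a restart.
$rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

# Fix counts as present if the KB is listed, or the revision is at or past the placeholder value.
$patched = [bool]$hotfix -or ($MinimumUbr -gt 0 -and $ubr -ge $MinimumUbr)

$verdict = if (-not $role.Installed) {
    'RRAS role not installed'
} elseif (-not $patched) {
    'RRAS installed, fix not confirmed'
} elseif ($rebootPending) {
    'Fix present, reboot pending'
} else {
    'Fix present'
}

[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    RoleInstalled = $role.Installed
    ServiceStatus = if ($svc) { $svc.Status } else { 'absent' }
    KbListed      = [bool]$hotfix
    Build         = "$($cv.CurrentBuildNumber).$ubr"
    RebootPending = $rebootPending
    Verdict       = $verdict
}
```

Save it as a script file and run it from an elevated PowerShell session on the server. The pending-reboot flag can also be set by an unrelated update, so treat "reboot pending" as a prompt to restart and re-run the check.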

Rollback

wusa.exe /uninstall /kb:5028169 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

    This entry covers Windows Server 2016 specifically (KB5028169). Other Windows Server versions have their own KB for CVE-2023-35365.
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-35365 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-35365.

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.