IRONSMITHINTEL
CRITICALCVSS9.8
|CVE-2023-36434|Auth: none|Reboot: required|Manual only

KB5031362: Windows Server 2016 Security Update (October 2023)

A flaw in IIS's authentication-attempt restriction lets an attacker with low-level server access elevate to SYSTEM-level control.

Published Oct 10, 2023 · Updated May 21, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker who can reach an internet-facing or internal IIS server can exploit the authentication-restriction weakness to gain SYSTEM-level control of the web server without prior credentials. From SYSTEM on an IIS host the attacker reads the web application's configuration (often including database connection strings), modifies content served to legitimate users, and pivots to back-end systems the IIS host has access to.

How the attack works

Internet Information Services (IIS) is Microsoft's web server, used to host hundreds of thousands of business applications, intranets, and exposed web services on Windows Server. A flaw classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts) in how IIS handles authentication lets an attacker bypass the rate-limiting and brute-force protections, then leverage that weakness to elevate to SYSTEM.

Am I affected?Quick check

Probably yes if any of these apply:

Windows Servers running the IIS web server role
Particularly: internet-facing IIS hosts and IIS hosts in DMZ networks

Affected OS versions

Windows Server 2016
Real-world incidentsWhat we've seen

An e-commerce site runs on a Windows Server with IIS exposed to the internet. An attacker exploits the authentication-restriction bypass against the management surface or an authenticated endpoint, elevates to SYSTEM, and from there reads the database credentials in web.config. Within hours they have exfiltrated the customer database and staged a credential-stuffing attack against every reused password. IIS EoPs are dangerous out of proportion to their CVE label because so many Windows servers run IIS.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5031362

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5031362 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5031362)

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5031362
2
Download the MSU for Windows Server 2016 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5031362
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5031362 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

    1
    This entry covers Windows Server 2016 specifically (KB5031362). Other Windows Server versions have their own KB for CVE-2023-36434.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36434 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-36434.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2023-36434MSRC AdvisoryNVDKBKB5031362