IRONSMITHINTEL
CRITICALCVSS9.8
|CVE-2023-36028|Auth: none|Reboot: required|Manual only

KB5032197: Windows Server 2016 Security Update (November 2023)

A crafted authentication packet to a Windows Network Policy Server can give an attacker SYSTEM-level code execution.

Published Nov 14, 2023 · Updated May 21, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker who can reach the RADIUS endpoint of an NPS with a PEAP network policy enabled can send a crafted PEAP packet during the pre-authentication phase, trigger the heap overflow, and run code as SYSTEM. From SYSTEM the attacker controls the authentication source for every wireless and wired client the NPS serves.

How the attack works

PEAP is the authentication protocol used by WPA2-Enterprise Wi-Fi, 802.1X wired authentication, and many enterprise VPNs. The Windows Network Policy Server (NPS) role terminates PEAP for these workflows. A heap-based buffer overflow in how NPS parses PEAP authentication messages lets an unauthenticated attacker send a crafted PEAP packet and execute code in the NPS service context.

Am I affected?Quick check

Probably yes if any of these apply:

Windows Servers running the Network Policy Server (NPS) role with PEAP-enabled network policies

Affected OS versions

Windows Server 2016
Real-world incidentsWhat we've seen

An attacker on the corporate guest Wi-Fi reaches the internal RADIUS server through a misconfigured firewall exception. The attacker sends a crafted PEAP packet, the NPS service runs the attacker's code, and they now own the authentication infrastructure for the entire building — including the credentials of every 802.1X-authenticated workstation that connects. PEAP CVEs are uniquely dangerous because they target the trust anchor of network access.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5032197

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5032197 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5032197)

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5032197
2
Download the MSU for Windows Server 2016 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5032197
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5032197 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

    1
    This entry covers Windows Server 2016 specifically (KB5032197). Other Windows Server versions have their own KB for CVE-2023-36028.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36028 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-36028.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2023-36028MSRC AdvisoryNVDKBKB5032197