KB5033910: Windows Server 2016 Security Update (January 2024)

A logic flaw in .NET's X.509 chain-building APIs returns an incorrect failure-reason code that some applications treat as success.

Published Jan 9, 2024 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can present a malformed certificate to a .NET / PowerShell / Visual Studio application that does its own chain-building logic — typically a custom authentication or signature-verification flow, common in internal LOB applications — can be authenticated despite the failed chain-build. The result is authentication bypass: the attacker gets in as a legitimate user without a valid certificate.

How the attack works

.NET Framework, .NET (Core), PowerShell, and Visual Studio 2022 ship the X.509 chain-building APIs that applications call to validate TLS certificates and code-signing certificates. A logic flaw causes the framework to correctly report that chain-building failed for a certificate with a malformed signature — but it returns an incorrect reason code. Applications that use the reason code (rather than the boolean failure result) to make trust decisions may treat the failure as success and accept the untrusted certificate.

Am I affected?Quick check

Probably yes if any of these apply:

●Servers running .NET / .NET Framework / PowerShell / Visual Studio applications that perform their own X.509 chain-build validation

Affected OS versions

Windows Server 2016

Real-world incidentsWhat we've seen

A custom internal application uses .NET's chain-building API to verify client certificates. The application checks the returned reason code rather than the boolean overall-success — a common but subtly wrong pattern. An attacker presents an untrusted certificate with a malformed signature; the framework reports failure-with-wrong-reason, the application treats it as success, and the attacker authenticates. The bug is in the framework but the impact is application-specific.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5033910

Manual remediation steps

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5033910 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5033910

Download the MSU for Windows Server 2016 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5033910
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5033910 /quiet /norestart

Notes

This entry covers Windows Server 2016 specifically (KB5033910). Other Windows Server versions have their own KB for CVE-2024-0057.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-0057 and NVD https://nvd.nist.gov/vuln/detail/CVE-2024-0057.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2024-0057 ↗ MSRC Advisory ↗ NVD ↗ KBKB5033910