CRITICALCVSS9.8

|CVE-2024-38076|Auth: none|Reboot: required|Manual only

KB5040434: Windows Server 2016 Security Update (July 2024)

An attacker can take SYSTEM-level control of any Windows Server running the Remote Desktop Licensing role by sending one crafted packet to its licensing port.

Published Jul 9, 2024 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can reach TCP 4105 on a Remote Desktop Licensing server — no credentials, no user interaction — can send a crafted packet that triggers the heap overflow and runs code as SYSTEM on the licensing server. From there the attacker has the same lateral-movement advantages as CVE-2024-38074: direct line of sight to every RDS host the licence server serves.

How the attack works

The Remote Desktop Licensing Service issues client access licences for RDS deployments and typically listens on TCP 4105. The service allocates a heap buffer of a fixed size for incoming packets but does not verify that the data being copied in fits — a classic heap-based buffer overflow. An attacker who controls the packet contents can overwrite adjacent heap structures and redirect execution.

Am I affected?Quick check

Probably yes if any of these apply:

●Windows Servers running the Remote Desktop Licensing role

●Any RDS deployment with a dedicated licensing server (Server 2016, 2019, 2022)

Affected OS versions

Windows Server 2016

Real-world incidentsWhat we've seen

A ransomware affiliate finds a Remote Desktop Licensing server exposed inside a corporate network — a common configuration because the service is supposed to be reachable from internal RDS hosts. One crafted packet to port 4105 later, they have SYSTEM on the licensing server. They harvest cached credentials, pivot to the connection broker, and from there into the RDS hosts where users' active sessions hold valuable credentials.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5040434

Manual remediation steps

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5040434 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5040434)

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5040434

Download the MSU for Windows Server 2016 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5040434
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5040434, the install did not take — re-run from a different channel.

Rollback

wusa.exe /uninstall /kb:5040434 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2016 specifically (KB5040434). Other Windows Server versions have their own KB for CVE-2024-38076.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38076 and NVD https://nvd.nist.gov/vuln/detail/CVE-2024-38076.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2024-38076 ↗ MSRC Advisory ↗ NVD ↗ KBKB5040434