IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2024-38140 | Auth: none | Reboot: required | Manual only

KB5041773: Windows Server 2016 Security Update (August 2024)

An attacker on your network can take kernel-level (effectively SYSTEM) control of a Windows Server 2016 host without credentials by sending a single crafted multicast packet, provided an application on that host has a PGM socket open.

Published Aug 13, 2024 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker on the same network as a server with MSMQ's PGM transport in use — with no credentials and no user interaction — can send a crafted multicast packet and execute code in kernel context. From kernel context the attacker is effectively the operating system: install ransomware, disable defensive tooling, create hidden accounts, pivot anywhere the host can reach.

How the attack works

The Windows Reliable Multicast Transport Driver (RMCAST, rmcast.sys) is a kernel-mode component that implements the Pragmatic General Multicast (PGM) protocol — used by Microsoft Message Queuing (MSMQ) for reliable multicast delivery. A use-after-free bug in how RMCAST handles incoming packets lets a network attacker corrupt kernel memory and execute code. RMCAST is only listening when an application has opened a PGM socket; PGM support ships with MSMQ.

Am I affected? Quick check

Probably yes if any of these apply:

Servers with MSMQ installed AND an application using PGM multicast
Application servers in trading, broadcast, or multicast-messaging workflows

Affected OS versions

Windows Server 2016
Real-world incidents: what we've seen

A ransomware operator finds a Windows file server inside a corporate network that has MSMQ installed for a legacy line-of-business app. One unauthenticated multicast packet triggers the kernel use-after-free and the attacker is running in kernel mode on the server. The narrow installation footprint of PGM means many administrators dismiss this CVE, which is precisely what makes it valuable to an attacker who scans for it.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. A Microsoft Update Catalog search for KB5041773 returns every variant of this update; the Windows Server 2016 package is x64 only.

Microsoft Update Catalog, KB5041773: https://catalog.update.microsoft.com/Search.aspx?q=KB5041773

Manual remediation steps

Decide if you need to patch

PGM is not on by default on a stock Windows Server. You are exposed if MSMQ's multicasting support is installed and an application has opened a PGM socket. PGM runs directly over IP protocol 113 rather than UDP, so a UDP endpoint listing is not a reliable indicator; the practical sign that PGM is in use is the demand-start RMCAST driver (rmcast.sys) being loaded. Run:

Get-WindowsFeature -Name MSMQ* | Where-Object Installed
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'"

If the first command returns no MSMQ-Multicasting feature and the second shows the driver absent or Stopped, you are not exposed today, but install the cumulative update on your standard patch schedule anyway.
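The exposure decision above, as one PowerShell function that collects every signal in a single object and works across a fleet over WinRM. This is an added example, not the page's own script; it assumes the ServerManager module is available for Get-WindowsFeature and that the RMCAST kernel driver is registered under the service name 'RMCAST' (both are assumptions about the host, not facts from the page).

```powershell
# Added example, not the page's own script: triage a Windows Server 2016 host for exposure to
# CVE-2024-38140. Assumptions (not stated on the page): the ServerManager module is available for
# Get-WindowsFeature, and the RMCAST kernel driver is registered under the service name 'RMCAST'.

function Test-PgmExposure {
    $rmcastPath = Join-Path $env:SystemRoot 'System32\drivers\rmcast.sys'

    # MSMQ-Multicasting is the MSMQ sub-feature that provides PGM support; MSMQ-Server alone does not use PGM.
    $msmqFeatures = Get-WindowsFeature -Name 'MSMQ*' -ErrorAction SilentlyContinue | Where-Object Installed
    $multicast    = [bool]($msmqFeatures | Where-Object Name -eq 'MSMQ-Multicasting')

    # rmcast.sys is a demand-start driver: it loads when a process opens a PGM socket, so State='Running'
    # is the practical indicator that PGM is in use. PGM runs on IP protocol 113, not UDP, so a UDP
    # endpoint listing would not reveal it.
    $drv      = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    $drvState = if ($drv) { $drv.State } else { 'not registered' }
    $drvVer   = if (Test-Path $rmcastPath) { (Get-Item $rmcastPath).VersionInfo.FileVersion } else { 'n/a' }

    $patched = [bool](Get-HotFix -Id 'KB5041773' -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        MsmqFeatures     = (@($msmqFeatures | ForEach-Object Name) -join ',')
        MsmqMulticasting = $multicast
        RmcastState      = $drvState
        RmcastVersion    = $drvVer   # record for the change ticket; compare before and after patching
        KB5041773        = $patched
        # Exposed right now: unpatched AND (PGM feature installed OR the driver is already loaded)
        ExposedNow       = (-not $patched) -and ($multicast -or $drvState -eq 'Running')
    }
}

# Single host (run elevated):
Test-PgmExposure | Format-List

# Fleet triage over WinRM; the host names are placeholders:
# Invoke-Command -ComputerName 'app01','mq02' -ScriptBlock ${function:Test-PgmExposure} |
#     Where-Object ExposedNow | Format-Table ComputerName, RmcastState, KB5041773 -AutoSize
```

ExposedNow is deliberately conservative: a host with the multicasting feature installed but the driver currently Stopped still counts as exposed, because the next application start will load rmcast.sys.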

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch (no output means it is not installed)

Get-HotFix -Id KB5041773 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5041773)

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5041773
Download the MSU for Windows Server 2016 that matches your architecture (x64).
Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5041773
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5041773, the install did not take — re-run from a different channel.
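Steps 1 to 3 and the verification above as one script, covering both channels and the rollback-relevant detail of wusa exit codes. This is an added example and not the page's own automation; it assumes the script runs elevated, that $MsuPath points at the x64 .msu you downloaded from the Update Catalog (whatever file name the catalog gave it), and that rmcast.sys sits at the usual System32\drivers path.

```powershell
# Added example, not the page's own automation: apply KB5041773 to a Windows Server 2016 host and
# report the result. Assumptions (not on the page): the script runs elevated; $MsuPath is the x64 .msu
# downloaded from the Update Catalog (any file name); rmcast.sys is at System32\drivers\rmcast.sys.

param(
    [string]$MsuPath,   # path to the downloaded .msu; omit to go through Windows Update / WSUS instead
    [switch]$Reboot     # restart automatically if the update leaves a reboot pending
)

$Kb  = 'KB5041773'
$drv = Join-Path $env:SystemRoot 'System32\drivers\rmcast.sys'

function Test-KbInstalled([string]$Id) { [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue) }
function Get-RmcastVersion { if (Test-Path $drv) { (Get-Item $drv).VersionInfo.FileVersion } else { 'n/a' } }
function Test-RebootPending {
    Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
}

# Guard rails: right OS build, not already patched
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Version -notlike '10.0.14393*') {
    throw "Targets Windows Server 2016 (build 14393); this host reports $($os.Version)."
}
if (Test-KbInstalled $Kb) { Write-Host "$Kb already installed; nothing to do."; return }

$versionBefore = Get-RmcastVersion

if ($MsuPath) {
    # Offline channel. wusa exit codes: 0 = success, 3010 = success but reboot required,
    # 2359302 (0x240006) = already installed. Anything else is a failure worth investigating.
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList @("`"$MsuPath`"", '/quiet', '/norestart') -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host 'Installed.' }
        3010    { Write-Host 'Installed; reboot required.' }
        2359302 { Write-Host 'Already installed.' }
        default { throw "wusa.exe exited with code $($p.ExitCode)" }
    }
} else {
    # Online channel: scan, download and install whatever WSUS / Windows Update has approved for this host.
    Start-Process -FilePath 'UsoClient.exe' -ArgumentList 'ScanInstallWait' -Wait
}

# Get-HotFix may not list the cumulative update until the reboot has completed, so InstalledNow = $false
# together with RebootPending = $true is not a failure at this point; re-run Test-KbInstalled after reboot.
$pending = Test-RebootPending
[pscustomobject]@{
    Kb               = $Kb
    InstalledNow     = Test-KbInstalled $Kb
    RebootPending    = $pending
    RmcastVersionPre = $versionBefore
    RmcastVersionNow = Get-RmcastVersion
} | Format-List

if ($Reboot -and $pending) { Restart-Computer -Force }
```

Run it as `.\Apply-KB5041773.ps1 -MsuPath C:\Patches\<catalog file>.msu -Reboot` for the offline channel, or with no arguments to defer to WSUS; the before/after rmcast.sys version pair gives you a second line of evidence for the change record beyond Get-HotFix.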

Rollback

wusa.exe /uninstall /kb:5041773 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2016 specifically (KB5041773). Other Windows Server versions have their own KB for CVE-2024-38140.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38140 and NVD https://nvd.nist.gov/vuln/detail/CVE-2024-38140.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.