KB5041773: Windows Server 2016 Security Update (August 2024)
A crafted print job sent to a Windows Server's LPD service can give an attacker SYSTEM-level code execution with no credentials.
An attacker who can reach TCP 515 on a Windows print server with the LPD service installed and running can send a crafted print-job request and execute code as SYSTEM, with no authentication. SYSTEM on a print server means full control of the host, including whatever credential material is cached on it; because many users and devices talk to a print server, it is a strong lateral-movement pivot.
The Line Printer Daemon (LPD) Service is a legacy printing service Windows can host to accept print jobs over the LPD/LPR protocol — used to bridge Windows printers to Unix systems and older networked print devices. The service is not installed by default but is widely enabled in mixed Windows/Unix print environments. A use-after-free bug in how it parses incoming requests lets a remote attacker execute code as SYSTEM.
Am I affected?
Probably yes if all of these apply: the server runs Windows Server 2016 (the OS this KB covers), the Print-LPD-Service feature is installed, and TCP 515 is reachable from hosts you do not fully trust. Removing the feature or restricting the port removes the exposure; installing KB5041773 removes the bug.
Affected OS versions: this page covers Windows Server 2016. The Microsoft Update Catalog entry linked below lists the package for each other OS variant of this update.
A red-team operator enumerating an enterprise print infrastructure finds a Windows print server with the LPD service enabled to support legacy Unix workstations that still send jobs via LPR. One crafted print request later, the operator has SYSTEM on the print server. They harvest cached credentials, find a service account with rights across the print fleet, and use that to deploy a malicious print driver across the environment.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
↗ Microsoft Update Catalog: KB5041773
Manual remediation steps
Decide if you need the LPD service at all
The LPD service is a legacy feature for Unix-to-Windows printing. If your environment no longer needs it, the best mitigation is to remove the feature entirely:
# Is the LPD feature installed, and is its service (LPDSVC) present and running?
Get-WindowsFeature -Name Print-LPD-Service | Where-Object Installed
Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
# To remove the feature:
# Uninstall-WindowsFeature -Name Print-LPD-Service
If you must keep LPD running, apply the patch below.
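Before deciding, it helps to see whether LPD is actually exposed on this host: whether the feature is installed, whether the LPDSVC service is running, whether anything is listening on TCP 515, and which firewall rules admit it. The script below is an added example written for this page; it is not part of the original page and not a Microsoft tool. It assumes Windows Server 2016 with the ServerManager and NetSecurity modules, that the LPD Service is registered under the service name LPDSVC, that the firewall profile's default inbound action is Block, and that $KnownLprClients is a placeholder you fill with the addresses of your Unix print clients. Given that list it disables the open allow rules for port 515 and adds one scoped to those clients as interim containment until the patch is installed; with -RemoveFeature it uninstalls LPD outright.

```powershell
# Added example for this page, not Microsoft code. Assumptions: Windows Server 2016 with the
# ServerManager and NetSecurity modules, the LPD Service registered as LPDSVC, and a firewall
# whose default inbound action is Block (otherwise a scoped allow rule restricts nothing).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Placeholder: addresses or subnets of the Unix hosts that legitimately send LPR jobs.
    [string[]]$KnownLprClients = @(),
    # Uninstall Print-LPD-Service instead of scoping the firewall.
    [switch]$RemoveFeature
)

$feature = Get-WindowsFeature -Name Print-LPD-Service
if (-not $feature.Installed) {
    Write-Output 'Print-LPD-Service is not installed; this host does not expose LPD.'
    return
}

# Runtime exposure: is the service running, and is anything actually listening on TCP 515?
$svc      = Get-Service -Name LPDSVC -ErrorAction SilentlyContinue
$listener = Get-NetTCPConnection -LocalPort 515 -State Listen -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'not registered' }
Write-Output ('LPDSVC status: {0}; TCP 515 listening: {1}' -f $svcState, [bool]$listener)

# Enabled inbound allow rules that name TCP 515 explicitly. Rules that allow "Any" port are
# not matched here and need a separate review.
$lpdRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '515' } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' }
Write-Output 'Inbound allow rules for TCP 515:'
$lpdRules | Format-Table DisplayName, Profile, Enabled -AutoSize | Out-String | Write-Output

if ($RemoveFeature) {
    # Preferred fix when nothing needs LPR any more: remove the attack surface entirely.
    if ($PSCmdlet.ShouldProcess('Print-LPD-Service', 'Uninstall-WindowsFeature')) {
        Uninstall-WindowsFeature -Name Print-LPD-Service
    }
    return
}

if ($KnownLprClients.Count -gt 0) {
    # Interim containment until KB5041773 is installed: disable the open allow rules and admit
    # only the known LPR clients. Verify the precondition first with:
    #   Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction
    foreach ($rule in $lpdRules) {
        if ($PSCmdlet.ShouldProcess($rule.DisplayName, 'Disable-NetFirewallRule')) {
            $rule | Disable-NetFirewallRule
        }
    }
    if ($PSCmdlet.ShouldProcess('TCP 515', 'New-NetFirewallRule scoped to known LPR clients')) {
        New-NetFirewallRule -DisplayName 'LPD (TCP 515) - known LPR clients only' `
            -Direction Inbound -Protocol TCP -LocalPort 515 `
            -RemoteAddress $KnownLprClients -Action Allow -Profile Any | Out-Null
    }
} else {
    Write-Output 'No -KnownLprClients given and -RemoveFeature not set: LPD stays open. Choose one.'
}
```

Save it as a .ps1 and run it once with -WhatIf to see which rules it would disable; the firewall scoping is a stopgap for hosts you cannot patch immediately, not a substitute for KB5041773, since a compromised client in the allowed range still reaches the vulnerable parser.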
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5041773 -ErrorAction SilentlyContinue
# No output means KB5041773 itself is not installed. A later cumulative update that supersedes it also contains the fix, so check the build revision under Verification before patching a server that may already be current.
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5041773)
Manual download (offline / air-gapped): download the .msu for your OS variant from the Microsoft Update Catalog link above, copy it to the server, install it with wusa.exe, then continue with step 3.
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5041773
# Get-HotFix only lists the KB you name. A later cumulative update that supersedes KB5041773 carries the same fix but leaves this query empty, so treat the build revision as the authority.
# [System.Environment]::OSVersion.Version omits the update revision; read the UBR from the registry instead:
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR
If Get-HotFix returns nothing for KB5041773 and the UBR is below the OS build Microsoft lists for this KB, the install did not take; re-run from a different channel. If the UBR is at or above that build, a newer cumulative update has superseded KB5041773 and the server is already patched.
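The check-then-install-then-verify sequence above is easy to get wrong at scale (Get-HotFix empty because a newer LCU is present, wusa run against an unverified package, reboot forgotten). The following is an added example for this page, not code from the original page or from Microsoft, that folds the steps into two functions. It assumes Windows Server 2016 (build 14393) with Windows PowerShell 5.1 in an elevated session, that the .msu came from the Microsoft Update Catalog and is Authenticode-signed by Microsoft, and that you supply -MinimumUbr from the "OS Build" Microsoft lists in the KB5041773 article (the NNNN in 14393.NNNN); the script does not assert that number. The pending-reboot markers it reads are the Windows Update RebootRequired key and the Component Based Servicing RebootPending key.

```powershell
# Added example for this page, not Microsoft code. Assumptions: Windows Server 2016 (build 14393)
# with Windows PowerShell 5.1 in an elevated session; -MinimumUbr is the last component of the
# "OS Build" Microsoft lists in the KB5041773 article (14393.NNNN) and is supplied by you, not
# asserted here.
function Test-Kb5041773Applied {
    param(
        [Parameter(Mandatory)][int]$MinimumUbr,
        [int]$ExpectedBuild = 14393          # Windows Server 2016 / version 1607
    )
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build  = [int]$cv.CurrentBuildNumber
    $ubr    = [int]$cv.UBR                  # Update Build Revision; [Environment]::OSVersion.Version omits it
    $hotfix = Get-HotFix -Id KB5041773 -ErrorAction SilentlyContinue

    if ($build -ne $ExpectedBuild) {
        throw "Build $build is not $ExpectedBuild; KB5041773 does not apply to this OS. Use the Catalog variant for it."
    }
    # Pending-reboot markers written by Windows Update and by Component Based Servicing.
    $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired') -or
                     (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending')

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = "$build.$ubr"
        HotfixListed  = [bool]$hotfix
        # A later cumulative update supersedes KB5041773: Get-HotFix then shows nothing for this KB,
        # but the UBR is at or above the KB's build, so the fix is present. UBR is the authority.
        Patched       = ($ubr -ge $MinimumUbr)
        RebootPending = $rebootPending
    }
}

function Install-Kb5041773Offline {
    param(
        [Parameter(Mandatory)][string]$MsuPath,   # .msu downloaded from the Microsoft Update Catalog
        [Parameter(Mandatory)][int]$MinimumUbr
    )
    $state = Test-Kb5041773Applied -MinimumUbr $MinimumUbr
    if ($state.Patched) { return "Already at $($state.OSBuild); nothing to do." }
    if (-not (Test-Path -LiteralPath $MsuPath)) { throw "MSU not found: $MsuPath" }

    # Do not hand an unverified package to wusa: a Catalog download must carry a valid Microsoft signature.
    $sig = Get-AuthenticodeSignature -FilePath $MsuPath
    if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'O=Microsoft Corporation') {
        throw "Refusing to install ${MsuPath}: signature $($sig.Status), signer '$($sig.SignerCertificate.Subject)'"
    }

    $proc = Start-Process -FilePath wusa.exe -ArgumentList "`"$MsuPath`"", '/quiet', '/norestart' -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { 'Installed; wusa did not request a reboot. Restart anyway and re-run Test-Kb5041773Applied.' }
        3010    { 'Installed; reboot required (ERROR_SUCCESS_REBOOT_REQUIRED).' }
        2359302 { 'wusa reports the update is already installed (WU_S_ALREADY_INSTALLED).' }
        default { throw "wusa.exe exited with $($proc.ExitCode). If the package is reported as not applicable, install the current Servicing Stack Update first." }
    }
}

# Usage (placeholders):
#   . .\Kb5041773.ps1
#   Test-Kb5041773Applied -MinimumUbr <UBR from the KB article>
#   Install-Kb5041773Offline -MsuPath 'D:\patches\kb5041773.msu' -MinimumUbr <UBR>
#   Restart-Computer -Force
```

Test-Kb5041773Applied is the piece worth running fleet-wide (for example through Invoke-Command) because it reports Patched from the build revision rather than from the KB list, so servers that already received a later cumulative update are not flagged as missing the fix.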
Rollback
wusa.exe /uninstall /kb:5041773 /quiet /norestart
# Reboot after uninstall
Removing a cumulative update also removes every fix it delivered — prefer rolling forward.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.