IRONSMITHINTEL
CRITICALCVSS9.0
|CVE-2024-38124|Auth: none|Reboot: required|Manual only

KB5044293: Windows Server 2016 Security Update (October 2024)

An attacker with low-privilege domain credentials and adjacent network access can impersonate a new domain controller and escalate to domain admin.

Published Oct 8, 2024 · Updated May 21, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker who has any low-privilege domain credential and can reach a domain controller on an adjacent network can predict the name format used for new DCs (e.g. when a DC is being promoted), claim that name, and pose as the new DC. Other DCs in the forest then establish trust with the attacker, allowing them to escalate to domain administrator-equivalent access.

How the attack works

Netlogon is the Windows service that handles authentication between domain members and domain controllers. A flaw in the Netlogon Remote Protocol (MS-NRPC) lets an attacker with valid low-privilege credentials predict and impersonate the name of a newly-promoted domain controller, allowing them to receive trusts and credentials intended for that DC.

Am I affected?Quick check

Probably yes if any of these apply:

Every Active Directory domain controller
Every Windows host that authenticates against a DC

Affected OS versions

Windows Server 2016
Real-world incidentsWhat we've seen

An attacker has phished a single low-privilege domain user. They time their attack to coincide with a planned DC promotion — perhaps timed by social engineering or by observing AD events from their initial foothold. They impersonate the new DC's name, receive replication and trust traffic intended for it, and within hours have domain-admin-level access to the entire forest. Netlogon EoPs in the Zerologon lineage continue to be high-impact whenever they are found.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5044293

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5044293 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5044293
2
Download the MSU for Windows Server 2016 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5044293
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5044293 /quiet /norestart

Notes

    1
    This entry covers Windows Server 2016 specifically (KB5044293). Other Windows Server versions have their own KB for CVE-2024-38124.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38124 and NVD https://nvd.nist.gov/vuln/detail/CVE-2024-38124.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2024-38124MSRC AdvisoryNVDKBKB5044293