KB5058383: Windows Server 2016 Security Update (May 2025)
A local attacker can escalate to SYSTEM by exploiting a heap overflow in the Windows CLFS driver — confirmed exploited in the wild as a zero-day.
An attacker who already has any code execution on the host — a phished standard user, a low-privileged service account — can craft a malicious CLFS log file, trigger the kernel heap overflow, and escalate to SYSTEM. From SYSTEM they dump LSASS for credentials, disable security tooling, and deploy ransomware. This is the classic "second stage" of an intrusion: phish to land, CLFS to become SYSTEM.
The Common Log File System (CLFS) driver (clfs.sys) is a kernel component that manages transaction logs for applications and the OS; it runs on every Windows Server and cannot be disabled. An improper-input-validation flaw lets an attacker craft or modify a CLFS log file to trigger a heap-based buffer overflow in kernel memory. CLFS has been a recurring privilege-escalation target — this is one of several clfs.sys zero-days exploited in 2024-2025.
Probably yes if any of these apply:
Affected OS versions
A ransomware affiliate phishes an employee and lands code as a normal user. They drop a crafted CLFS log file, trigger CVE-2025-32706, and become SYSTEM on the workstation — then pivot to the file server and domain controller. Microsoft and CISA confirmed this exact pattern in the wild before the May 2025 patch; CLFS zero-days are a staple of ransomware operators precisely because the driver is everywhere and the escalation is reliable.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5058383
Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes. The fix is not active until the cumulative update is installed and the server has been rebooted.
Steps
1. Confirm the server is missing the patch
# No output means the KB is not installed (or has been superseded by a later cumulative update, which also carries the fix)
Get-HotFix -Id KB5058383 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5058383
# Compare the reported build against the OS build listed in the KB article for this update
[System.Environment]::OSVersion.Version
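The check, install and reboot steps above can be wrapped in one idempotent script so it is safe to run repeatedly across a fleet. The following is an added example for this page, not a Microsoft script and not part of the KB article. It assumes two things the page does not state: the $MinimumUbr parameter is a placeholder for the UBR (the fourth part of the OS build) that the KB article lists for KB5058383, and $MsuPath is the path to the .msu downloaded from the Microsoft Update Catalog for servers that cannot reach Windows Update or WSUS. Checking the build number as well as the KB id matters because a later cumulative update supersedes this one, after which Get-HotFix no longer lists KB5058383 even though the host is fixed.

```powershell
#Requires -RunAsAdministrator
# Added example: check for, install and verify KB5058383 on Windows Server 2016.
# Not Microsoft's code. $MinimumUbr and $MsuPath are assumptions to be filled in
# from the KB article and the Update Catalog download respectively.
param(
    [int]$MinimumUbr = 0,      # PLACEHOLDER: UBR listed in the KB article for this update
    [string]$MsuPath = '',     # optional: path to the catalog .msu for offline install
    [switch]$Reboot            # reboot automatically once the update is installed
)

$KbId = 'KB5058383'
$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-PatchState {
    # Two independent checks: the KB itself, and the OS build (CurrentBuildNumber.UBR).
    # A later cumulative update supersedes KB5058383; then Get-HotFix no longer lists it,
    # but the UBR is at or above the level the KB article gives for the fix.
    $hotfix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    $cv = Get-ItemProperty -Path $CurrentVersionKey
    $build = [int]$cv.CurrentBuildNumber
    $ubr = [int]$cv.UBR
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        IsServer2016   = ($build -eq 14393)          # Windows Server 2016 is build 14393
        KbInstalled    = [bool]$hotfix
        Build          = "$build.$ubr"
        BuildAtOrAbove = ($MinimumUbr -gt 0 -and $ubr -ge $MinimumUbr)
    }
}

function Install-Patch {
    if ($MsuPath) {
        # Offline / air-gapped: install the catalog .msu with the Windows Update
        # Standalone Installer. Exit code 0 = installed, 3010 = installed, reboot required.
        if (-not (Test-Path -Path $MsuPath)) { throw "MSU not found: $MsuPath" }
        $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
        return $p.ExitCode
    }
    # Online: hand the scan/download/install to the Update Orchestrator, as in step 2.
    # UsoClient returns once the request is queued, so the state is re-checked afterwards.
    Start-Process -FilePath 'UsoClient.exe' -ArgumentList 'ScanInstallWait' -Wait -NoNewWindow
    return 0
}

$before = Get-PatchState
if (-not $before.IsServer2016) {
    Write-Warning "Build $($before.Build) is not Windows Server 2016; $KbId does not apply here."
    return
}
if ($before.KbInstalled -or $before.BuildAtOrAbove) {
    Write-Output "$KbId (or a superseding cumulative update) is already present: build $($before.Build)"
    return
}

$exitCode = Install-Patch
$after = Get-PatchState
$after | Format-List

if ($after.KbInstalled -or $after.BuildAtOrAbove -or $exitCode -eq 3010) {
    Write-Warning 'Update installed; the fix is not active until the server is rebooted.'
    if ($Reboot) { Restart-Computer -Force }
} else {
    Write-Warning "$KbId still not reported as installed (wusa exit code $exitCode); re-run after the orchestrator finishes or install the .msu manually."
}
```

Run it without -Reboot during business hours to get a pass/fail per host, and with -Reboot -MsuPath in a maintenance window on air-gapped servers. Because the build check also recognises superseding updates, the same script remains a correct compliance check after later cumulative updates have replaced KB5058383.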
Rollback
wusa.exe /uninstall /kb:5058383 /quiet /norestart
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.