KB5058383: Windows Server 2016 Security Update (May 2025)
A local attacker can escalate to SYSTEM by exploiting a use-after-free in the Windows WinSock kernel driver — confirmed exploited in the wild as a zero-day.
An attacker with basic user privileges on the host — no admin rights needed — can issue crafted socket IOCTLs to trigger the use-after-free and escalate to SYSTEM. Because AFD is reachable from any unprivileged process, this is a reliable local-to-SYSTEM primitive that attackers chain after initial access (phishing, malware) to deploy ransomware or harvest credentials.
AFD.sys (the Ancillary Function Driver for WinSock) is the kernel-mode driver that backs Windows socket operations — it runs on every Windows host and is reachable from any process that uses sockets. A use-after-free flaw is triggered via crafted IOCTL calls or malformed WinSock interactions: a race condition in how AFD handles socket-descriptor metadata leaves stale pointers to reallocated buffers, which an attacker manipulates to corrupt kernel memory.
Probably yes if any of these apply:
Affected OS versions
Microsoft observed targeted attacks in healthcare and government in 2025 where the attacker, having gained a basic user foothold through phishing, used CVE-2025-32709 to escalate to SYSTEM via afd.sys, then deployed credential harvesters and ransomware. WinSock-driver EoPs are prized by intrusion operators because every process can reach the socket layer — the escalation works from the most constrained foothold.
Manual download
For air-gapped servers or out-of-band deployment. Searching the Microsoft Update Catalog for KB5058383 returns every OS-version variant of this update.
↗ Microsoft Update Catalog: KB5058383
Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5058383 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5058383
[System.Environment]::OSVersion.Version
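The check and verification steps above, combined into one audit function as an added example (this is not the page's own script, which the Notes below say does not exist yet). It assumes PowerShell 5.1 on the target, local admin rights for the registry reads, and uses the well-known Component Based Servicing / Windows Update "reboot pending" registry keys to tell an installed-but-not-yet-active patch from a fully applied one.

```powershell
# Added example: audit a host for KB5058383 and report whether the afd.sys fix is
# actually active, i.e. the KB is installed AND the post-install reboot has happened.
# Assumptions: PowerShell 5.1, local admin rights. Returns an object rather than
# printing, so it can be collected fleet-wide via Invoke-Command and filtered.
function Test-KB5058383State {
    [CmdletBinding()]
    param([string]$KB = 'KB5058383')

    $os = [System.Environment]::OSVersion.Version
    # KB5058383 targets build 14393 (Windows Server 2016 / Windows 10 1607);
    # other builds need a different KB and are reported as NotApplicable.
    $isBuild14393 = ($os.Major -eq 10 -and $os.Build -eq 14393)

    $hotfix    = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    $installed = $null -ne $hotfix

    # If either key exists, a reboot is pending and the old driver is still loaded.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    # File version of the on-disk driver: evidence to compare against Microsoft's
    # file-information table for the KB (the expected version is not reproduced here).
    $afd = Get-Item "$env:SystemRoot\System32\drivers\afd.sys" -ErrorAction SilentlyContinue

    $state = if (-not $isBuild14393) { 'NotApplicable' }
             elseif (-not $installed) { 'Missing' }
             elseif ($rebootPending)   { 'InstalledRebootPending' }
             else                      { 'Patched' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSBuild       = $os.ToString()
        KB            = $KB
        InstalledOn   = if ($installed) { $hotfix.InstalledOn } else { $null }
        RebootPending = $rebootPending
        AfdSysVersion = if ($afd) { $afd.VersionInfo.FileVersion } else { $null }
        State         = $state
    }
}

# Local run; for a fleet: Invoke-Command -ComputerName <hosts> -ScriptBlock ${function:Test-KB5058383State}
Test-KB5058383State | Format-List
```

Only a State of Patched means the fix is live; InstalledRebootPending hosts still need the reboot from step 3.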
Rollback
wusa.exe /uninstall /kb:5058383 /quiet /norestart
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.