IRONSMITHINTEL
CRITICALCVSS9.8
|CVE-2025-60724|Auth: see msrc advisory|Reboot: required|Manual only

KB5068864: Windows Server 2016 Security Update (November 2025)

A crafted EMF/WMF metafile processed by GDI+ can give an attacker SYSTEM-level code execution on a Windows Server, reachable unauthenticated through the Print Spooler.

Published Nov 11, 2025 · Updated May 23, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker who can reach a service that parses metafiles via GDI+ — the Print Spooler over RPC being the headline path — can send a crafted EMF/WMF record that overflows the heap and executes code. On the Print Spooler the process runs as SYSTEM, so the attacker gains full host control with no credentials and no user interaction. Any server-side image/document processing pipeline that uses gdiplus.dll is also a vector.

How the attack works

GDI+ (gdiplus.dll) is the Windows graphics library that parses image and metafile formats for virtually every Windows application. A heap-based buffer overflow occurs when GDI+ fails to validate record-size fields while parsing Enhanced Metafile (EMF) and Windows Metafile (WMF) structures — sequential variable-length records whose headers declare their own size. Crucially, system services that process graphics metadata over the network — most notably the Windows Print Spooler (spoolsv.exe) — pass attacker-supplied metafiles straight to gdiplus.dll, exposing the flaw to unauthenticated network requests.

Am I affected?Quick check

Probably yes if any of these apply:

Windows print servers (Print Spooler parses metafiles via GDI+ over RPC)
Any server doing server-side image/document rendering with gdiplus.dll

Affected OS versions

Windows Server 2016
Real-world incidentsWhat we've seen

An attacker reaches a Windows print server's spooler RPC endpoint inside a corporate network, sends a crafted metafile, and lands SYSTEM on the print server — a host that typically holds credentials for many users and printers. From that pivot they harvest cached credentials and push a malicious driver fleet-wide. GDI+ metafile parsing has a long history as an RCE vector (MS15-035, MS16-055), and this is the same class of bug reachable unauthenticated.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5068864

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5068864 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5068864
2
Download the MSU for Windows Server 2016 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5068864
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5068864 /quiet /norestart

Notes

    1
    This entry covers Windows Server 2016 specifically (KB5068864). Other Windows Server versions have their own KB for CVE-2025-60724.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-60724 and NVD https://nvd.nist.gov/vuln/detail/CVE-2025-60724.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2025-60724MSRC AdvisoryNVDKBKB5068864