IRONSMITHINTEL
CRITICALCVSS8.8
|
Actively Exploited
|CISA KEV|CVE-2025-32701|Auth: multiple — see individual cves|Reboot: required|Est. 30–60 minutes including reboot|Manual only

KB5058392: Windows Server 2019 Cumulative Update (May 2025)

The May 2025 cumulative update for Windows Server 2019 bundles the same critical fixes as the Server 2022 rollup: five exploited-in-the-wild zero-days (CLFS, WinSock, DWM, Scripting Engine) plus two CVSS 8.8 Remote Desktop heap-overflow RCEs. Apply on the same SLA as KB5058385.

Published May 13, 2025 · Updated May 15, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

Identical impact profile to Server 2022: any local code execution can be escalated to SYSTEM via the EoP chain, and the Scripting Engine / Remote Desktop RCEs add network-reachable code-execution surfaces where the prerequisite user interaction or outbound RDP path exists.

How the attack worksNo clicks needed

KB5058392 is the LTSC servicing-channel rollup of every Windows Server 2019 security fix for May 2025 Patch Tuesday. Same CVE coverage as KB5058385 on Server 2022: four exploited EoP zero-days (CLFS x2, WinSock AFD, DWM Core), one exploited Scripting Engine memory-corruption RCE, and two critical-severity Remote Desktop heap-buffer-overflow RCEs.

Am I affected?Quick check

Probably yes if any of these apply:

All Windows Server 2019 systems
Windows Server 2019 hosts initiating outbound RDP
Internet-facing Remote Desktop Gateway servers
Running Windows Server 2019 prior to OS Build 17763.7314 (KB5058392)

Affected OS versions

Windows Server 2019
Fixed inKB5058392 (OS Build 17763.7314)
Real-world incidentsWhat we've seen

Per Microsoft and corroborated by CrowdStrike and Tenable, all four EoP zero-days and the Scripting Engine RCE were observed in the wild before the May 13 2025 release. The CLFS driver continues to be a recurring target — three in-the-wild CLFS EoP fixes shipped in the first five months of 2025.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5058392

Manual remediation steps

30–60 minutes including reboot

Check if KB5058392 is Installed

Get-HotFix -Id KB5058392
# No output = patch not installed

Apply via Windows Update

1
Settings → Update & Security → Windows Update
2
Check for updates and install
3
Restart when prompted

Apply Manually

1
Download KB5058392 from https://catalog.update.microsoft.com
2
wusa.exe windows10.0-kb5058392-x64.msu /quiet /norestart
3
Restart the server

Apply via WSUS / SCCM

Approve KB5058392. It is classified as a Security Update for Windows Server 2019.

Verify

Get-HotFix -Id KB5058392
Get-ComputerInfo | Select-Object WindowsVersion, OsBuildNumber
# Build must be 17763.7314 or higher
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2025-32701MSRC AdvisoryNVDKBKB5058392
CVEs in this update7 fixes · Patch-to-CVE mapping
Patch IDCVE IDVulnerability Name / TypeCVSSReference
KB5058392CVE-2025-32701Elevation of Privilege — Windows Common Log File System Driver7.8NVD ↗
KB5058392CVE-2025-32706Elevation of Privilege — Windows Common Log File System Driver7.8NVD ↗
KB5058392CVE-2025-32709Elevation of Privilege — Windows Ancillary Function Driver for WinSock7.8NVD ↗
KB5058392CVE-2025-30400Elevation of Privilege — Microsoft DWM Core Library7.8NVD ↗
KB5058392CVE-2025-30397Remote Code Execution — Microsoft Scripting Engine (memory corruption)7.5NVD ↗
KB5058392CVE-2025-29966Remote Code Execution — Windows Remote Desktop (heap buffer overflow)8.8NVD ↗
KB5058392CVE-2025-29967Remote Code Execution — Remote Desktop Gateway Service (heap overflow)8.8NVD ↗