CRITICALCVSS9.8

|CVE-2022-26809|Auth: none|Reboot: required|Manual only

KB5012647: Windows Server 2019 Security Update (April 2022)

A crafted RPC request to TCP port 445 can give an attacker SYSTEM-level code execution on any Windows host — wormable, like EternalBlue.

Published Apr 12, 2022 · Updated May 21, 2026

Why patchRisk explained in plain English

Worst-case scenarioIf unpatched

An attacker who can reach TCP 445 on a Windows host — and 700,000+ hosts had this exposed to the internet at disclosure — can send a crafted RPC request and execute code as SYSTEM. The wormable classification means an exploit can spread machine-to-machine without human help. This is the closest modern Windows has come to EternalBlue / MS17-010.

How the attack works

The RPC Runtime Library (rpcrt4.dll) is loaded into every Windows process that speaks the RPC protocol — file sharing, Active Directory, the service control manager, scheduled tasks, dozens of others. A flaw in the runtime's packet parser lets an unauthenticated attacker send a crafted request to TCP 445 and execute code in the target service's context, typically SYSTEM. Because rpcrt4 is everywhere, the bug is reachable on every Windows host.

Am I affected?Quick check

Probably yes if any of these apply:

●Every Windows Server (RPC runs on all of them)

●Internet-exposed hosts with TCP 445 reachable are highest priority

Affected OS versions

Windows Server 2019

Real-world incidentsWhat we've seen

A scanner finds a Windows host with TCP 445 reachable on the internet — common for misconfigured cloud workloads and exposed lab environments. One crafted RPC packet later, the attacker has SYSTEM. Because rpcrt4 is loaded into every RPC-speaking process, the same exploit primitive works inside corporate networks against essentially every unpatched host.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5012647

Manual remediation steps

Perimeter mitigation

Microsoft advised blocking inbound TCP 445 at the perimeter firewall regardless. There is no good reason to expose 445 to the internet — block it for every host that is not deliberately a file-share endpoint.

Prerequisites

Local administrator on the target server

Maintenance window with reboot capacity

Current backup or snapshot you can roll back to

Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5012647 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5012647

Download the MSU for Windows Server 2019 that matches your architecture (x64).

Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5012647
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5012647 /quiet /norestart

Notes

This entry covers Windows Server 2019 specifically (KB5012647). Other Windows Server versions have their own KB for CVE-2022-26809.

Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26809 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-26809.

PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

↗ CVE-2022-26809 ↗ MSRC Advisory ↗ NVD ↗ KBKB5012647