IRONSMITHINTEL
Severity: CRITICAL (CVSS 9.8) | CVE-2025-53766 | Auth: none | Reboot: required | Manual only

KB5063877: Windows Server 2019 Security Update (August 2025)

A single crafted image file processed by GDI+ gives an attacker code execution inside whichever service parsed it. Where that service runs as SYSTEM, as print and document-rendering servers commonly do, that is full control of the host.

Published Aug 12, 2025 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker with no credentials can deliver a crafted metafile to any service that processes images via GDI+ and execute arbitrary code in that service's context. On a web service that runs as NETWORK SERVICE or a custom service account, that is already enough to read sensitive configuration and pivot. On a print server or document-rendering server, the affected process often runs as SYSTEM. From SYSTEM the attacker has full control of the host.

How the attack works

GDI+ is the long-standing Windows graphics library that virtually every Windows application uses to draw and parse images, including metafiles (a legacy graphics format from the Windows 3.x era that is still supported for compatibility). A heap-based buffer overflow in how GDI+ parses metafile records lets crafted image data overwrite adjacent heap structures and redirect execution. Any service that accepts user-supplied images — document servers, image-conversion APIs, thumbnail generators, print queues — exposes this code path to whoever can send it a file.

Am I affected? Quick check

Probably yes if any of these apply:

Any server that processes user-supplied images server-side
Document-management, image-conversion, and printing services
IIS and Exchange servers (which parse images in various code paths)

Affected OS versions

Windows Server 2019
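The checklist above tells you which kinds of servers are exposed; on a given host, the concrete question is which running processes actually have gdiplus.dll mapped and what account each runs as. The script below is an added example written for this page, not a script published by the site or by Microsoft; the function name and output columns are the editor's own, while gdiplus.dll, Win32_Process and Win32_Service are the real module and WMI class names. Run it from an elevated 64-bit PowerShell so that service and SYSTEM processes can be inspected.

```powershell
# Added example: list every running process that has gdiplus.dll loaded, with
# the account it runs as (the privilege an exploit of this CVE would inherit).
# Editor's own code; function and column names are assumptions, not page content.
function Get-GdiPlusHosts {
    [CmdletBinding()]
    param()

    foreach ($proc in Get-Process) {
        try {
            # ProcessModule.ModuleName is the bare file name; -eq is case-insensitive.
            $gdi = @($proc.Modules | Where-Object { $_.ModuleName -eq 'gdiplus.dll' })
        } catch {
            # Protected/SYSTEM processes when not elevated, or a process that exited mid-scan.
            Write-Verbose ("PID {0} ({1}): {2}" -f $proc.Id, $proc.ProcessName, $_.Exception.Message)
            continue
        }
        if ($gdi.Count -eq 0) { continue }

        # Resolve the account the process runs under.
        $runsAs  = 'n/a'
        $wmiProc = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue
        if ($wmiProc) {
            $owner = Invoke-CimMethod -InputObject $wmiProc -MethodName GetOwner -ErrorAction SilentlyContinue
            if ($owner -and $owner.ReturnValue -eq 0) { $runsAs = "$($owner.Domain)\$($owner.User)" }
        }
        # Map the PID to a Windows service name where one is hosted in it. IIS worker
        # processes (w3wp.exe) are not services; their app-pool identity shows under RunsAs.
        $svc = Get-CimInstance Win32_Service -Filter "ProcessId = $($proc.Id)" -ErrorAction SilentlyContinue

        [pscustomobject]@{
            PID                = $proc.Id
            Process            = $proc.ProcessName
            Service            = ($svc.Name -join ', ')
            RunsAs             = $runsAs
            GdiPlusPath        = $gdi[0].FileName
            GdiPlusFileVersion = $gdi[0].FileVersionInfo.FileVersion
        }
    }
}

# Typical use: every GDI+ host on the box, grouped by the account it runs as.
Get-GdiPlusHosts | Sort-Object RunsAs, Process | Format-Table -AutoSize
```

The GdiPlusPath column matters: a process that loads the operating-system copy (under System32 or WinSxS) is fixed by KB5063877, whereas an application that ships its own private gdiplus.dll next to its executable is not touched by Windows Update and needs a vendor update. Re-run after patching and rebooting to confirm the file version changed for the OS copy.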
Real-world incidents: what we've seen

A document-management web app accepts user uploads and generates preview thumbnails server-side using GDI+. An attacker uploads what looks like a normal image, the thumbnailer parses it, and the attacker now has code running on the server with whatever privileges the IIS application pool holds. They use that to read the application's database connection string, dump customer data, and stage a wider intrusion. Any server-side image processing pipeline is a vector here, including ones administrators have forgotten about.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Searching the Microsoft Update Catalog for the KB number returns every variant of this update (the Windows Server 2019 / Windows 10 1809 package, by architecture).

↗ Microsoft Update Catalog: KB5063877 (https://catalog.update.microsoft.com/Search.aspx?q=KB5063877)

Manual remediation steps

Prerequisites

- Local administrator on the target server
- Maintenance window with reboot capacity
- Current backup or snapshot you can roll back to
- Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

# If this returns the KB, you are already patched. If it returns nothing, continue
# (unless a later cumulative update has been installed since, which supersedes this
# one; in that case the OS build check under Verification is the authoritative test).
Get-HotFix -Id KB5063877 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5063877)

Manual download (offline or air-gapped servers):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5063877
2. Download the MSU for Windows Server 2019 that matches your architecture (x64). Check the KB article for a prerequisite servicing stack update (SSU); on an offline server it must be installed before the cumulative, or the install fails as "not applicable".
3. Copy the .msu file to the server and run it as Administrator (double-click, or wusa.exe with /quiet /norestart for an unattended install).

3. Reboot

Restart-Computer -Force

Verification

After the reboot:

# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5063877

# Confirm the OS build advanced. [System.Environment]::OSVersion.Version reports the
# revision as 0 and never shows the update build revision (UBR); read it from the
# registry and compare against the "OS Build 17763.xxxx" line in the KB5063877 article.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"$($cv.CurrentBuildNumber).$($cv.UBR)"

If Get-HotFix returns nothing for KB5063877 and the OS build has not advanced, the install did not take: re-run the update from a different channel. If a newer cumulative update is present instead, that supersedes KB5063877 and is an acceptable result; the OS build, not the KB name, is the authoritative check.
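The steps above (check, install from a downloaded MSU, reboot, verify) as one script. This is an added example written by the editor, not the site's own automation (which the page marks as coming soon) and not a Microsoft tool. Assumptions, all labelled in the code: $MsuPath is wherever you copied the Catalog download, and $ExpectedUbr is the last component of the "OS Build 17763.xxxx" line from the KB5063877 article, which you supply rather than the script hard-coding it. Run elevated; the wusa.exe exit codes used are the standard Windows Update result codes.

```powershell
# Added example (editor's own, not the page's script): install KB5063877 from an
# MSU and verify by OS build. $MsuPath and $ExpectedUbr are caller-supplied assumptions.
[CmdletBinding()]
param(
    [string]$Kb          = 'KB5063877',
    [string]$MsuPath     = 'C:\Patches\kb5063877-x64.msu',  # assumed location/file name
    [int]   $ExpectedUbr = 0,                              # from the KB article; 0 = skip build comparison
    [switch]$Reboot
)

function Get-OsBuild {
    # [System.Environment]::OSVersion reports revision 0; the UBR lives in the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuildNumber; UBR = [int]$cv.UBR }
}

function Test-KbInstalled([string]$Id) {
    [bool](Get-HotFix -Id $Id -ErrorAction SilentlyContinue)
}

function Install-Msu([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { throw "MSU not found: $Path" }
    # wusa.exe exit codes: 0 = installed, 3010 = installed and reboot pending,
    # 2359302 (0x240006) = already installed, -2145124329 (0x80240017) = not applicable
    # (wrong OS/architecture, or the prerequisite servicing stack update is missing).
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList @("`"$Path`"", '/quiet', '/norestart') -Wait -PassThru
    switch ($p.ExitCode) {
        0           { return 'installed' }
        3010        { return 'installed-reboot-required' }
        2359302     { return 'already-installed' }
        -2145124329 { throw 'Update not applicable: check OS version/architecture and the prerequisite SSU' }
        default     { throw "wusa.exe exit code $($p.ExitCode); see C:\Windows\Logs\CBS\CBS.log" }
    }
}

$build = Get-OsBuild
Write-Host ("Current build: {0}.{1}" -f $build.Build, $build.UBR)
if ($build.Build -ne 17763) { throw 'Not Windows Server 2019 (build 17763); this KB does not apply here' }

# Already patched if the KB is listed, or if the build is at/after the KB's build
# (a later cumulative supersedes this one and may hide the KB from Get-HotFix).
if ((Test-KbInstalled $Kb) -or ($ExpectedUbr -gt 0 -and $build.UBR -ge $ExpectedUbr)) {
    Write-Host "$Kb (or a later cumulative) already present; nothing to do"
    return
}

$result = Install-Msu $MsuPath
Write-Host "wusa result: $result"
if ($result -like 'installed*') {
    if ($Reboot) { Restart-Computer -Force }
    else { Write-Warning 'Reboot required before the fix is active; re-run this script afterwards with -ExpectedUbr to verify' }
}
```

After the reboot, running the script again with -ExpectedUbr set to the KB article's UBR should print the new build and report nothing to do; if it instead attempts another install, the update did not apply and the CBS log is the place to look.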

Rollback

# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5063877 /quiet /norestart
# Reboot after uninstall

Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.

Notes

- This entry covers Windows Server 2019 specifically (KB5063877). Other Windows Server versions have their own KB for CVE-2025-53766.
- Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-53766 and NVD https://nvd.nist.gov/vuln/detail/CVE-2025-53766.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.