IRONSMITHINTEL
CRITICAL · CVSS 9.9
CVE-2025-49708 | Auth: low-privileged | Reboot: required | Manual only

KB5066586: Windows Server 2019 Security Update (October 2025)

A use-after-free in the Microsoft Graphics Component lets a low-privileged attacker escalate to SYSTEM — and it has been observed exploited in the wild.

Published Oct 14, 2025 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario if unpatched

An attacker who already holds any authenticated foothold on the host (a phished standard user, a low-privileged service account, a guest session) can deliver crafted graphics content that triggers the use-after-free in a higher-privileged context and escalate to SYSTEM. From SYSTEM the attacker can dump LSASS, disable defensive tooling, install ransomware with persistence, or move laterally with any credential cached on the host. The scope change (S:C) in the CVSS vector reflects that the impact reaches beyond the security authority of the vulnerable component: the attacker starts inside one user session and ends up controlling the whole host.

How the attack works

The Microsoft Graphics Component is the kernel-mode and user-mode code Windows uses to render fonts, images, and printer output. It is reached by Explorer preview panes, mail and document attachments, the print spooler, and any RDP / VDI rendering pipeline. In a use-after-free, the component releases a memory block and then keeps using a pointer to it. An attacker who can deliver crafted rendering data arranges for that freed block to be reallocated with content they control, so the stale pointer now reads or writes memory of the attacker's choosing; that is what turns a memory-safety bug into code execution at a higher privilege level than the attacker started with.

Am I affected? Quick check

Probably yes if either of these applies:

Any Windows Server 2019 host where users open documents, render previews, or connect over RDP / VDI
Any Windows Server 2019 host that an attacker could reach with a low-privileged user or service account

Affected OS versions

Windows Server 2019
Real-world incidents: what we've seen

A targeted attacker uses a phishing email to get one Windows user to open a document. The document references a malicious image; rendering it triggers the use-after-free and elevates the attacker from the user session to SYSTEM on that machine. From there they steal cached credentials and pivot to the file server. Use-after-free EoPs in the graphics stack are particularly attractive in modern intrusion chains because the affected code paths are reachable through everyday user behaviour: opening documents, previewing mail, printing.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Searching the Microsoft Update Catalog for the KB number returns every package variant of this update, including the Windows 10 version 1809 packages that share Windows Server 2019's 17763 build; pick the Windows Server 2019 x64 entry.

↗ Microsoft Update Catalog: KB5066586

Manual remediation steps

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

# If this returns the KB, you are already patched. If it returns nothing, the package is not
# installed under that name; a later cumulative update that supersedes KB5066586 also carries
# the fix but will not show up here, so compare the OS build revision (UBR) against the build
# listed in the KB article before treating the server as vulnerable.
Get-HotFix -Id KB5066586 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5066586)

Manual download (offline or air-gapped servers):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5066586
2. Download the MSU for Windows Server 2019 that matches your architecture (x64).
3. Copy the .msu file to the server and run it from an elevated prompt.

3. Reboot

Restart-Computer -Force

Verification

After the reboot:

# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5066586

# Confirm the OS build advanced: the UBR (revision) is what a cumulative update changes.
# [System.Environment]::OSVersion.Version does not expose it, so read it from the registry
# and compare against the "OS Build 17763.xxxx" number in the KB article.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object CurrentBuildNumber, UBR

If Get-HotFix returns nothing for KB5066586 and the UBR is still below the build listed in the KB article, the install did not take; re-run the update from a different channel. If the UBR is at or above that build, a superseding cumulative update is installed and the fix is present even though the KB is not listed by name.
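The check, install and verification steps above, carried through as one script. This is an added example, not a script from the original page or from Microsoft. Two things in it are assumptions rather than facts from the page: the expected UBR (take the revision part of the "OS Build 17763.xxxx" number printed in the KB5066586 article and pass it as -ExpectedUbr; 0 skips that comparison) and the path where you staged the x64 MSU downloaded from the Update Catalog. The script also handles the case the page's Get-HotFix check misses, where a later cumulative update has superseded KB5066586.

```powershell
<#
  Added example (not from the original page): assess, install and verify KB5066586
  on Windows Server 2019 from a locally staged MSU. Run from an elevated PowerShell
  session. Assumed inputs, not taken from the page:
    -ExpectedUbr  revision part of "OS Build 17763.xxxx" from the KB5066586 article
                  (0 disables the revision comparison)
    -MsuPath      where you staged the Windows Server 2019 x64 MSU
#>
param(
    [int]$ExpectedUbr = 0,
    [string]$MsuPath  = 'C:\Patches\windows10.0-kb5066586-x64.msu',   # assumed path
    [switch]$Install,
    [switch]$Reboot
)

$ErrorActionPreference = 'Stop'
$Kb = 'KB5066586'
$Server2019Build = 17763   # CurrentBuildNumber shared by Windows Server 2019 and Windows 10 1809

function Get-OsBuildInfo {
    # The UBR value is what a cumulative update advances; [Environment]::OSVersion.Version
    # does not expose it, so read CurrentVersion from the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        ProductName = $cv.ProductName
        Build       = [int]$cv.CurrentBuildNumber
        Ubr         = [int]$cv.UBR
    }
}

function Get-PatchState {
    param([int]$ExpectedUbr)
    $os = Get-OsBuildInfo
    if ($os.Build -ne $Server2019Build) {
        return [pscustomobject]@{
            Applicable = $false; Patched = $null; Os = $os
            Reason     = "Build $($os.Build) is not Windows Server 2019 ($Server2019Build); $Kb does not apply."
        }
    }
    # Get-HotFix reports the package only by name. A later cumulative update that supersedes
    # KB5066586 carries the same fix but leaves this lookup empty, so the UBR comparison is
    # the authoritative check whenever the expected revision is known.
    $byName  = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    $byUbr   = ($ExpectedUbr -gt 0) -and ($os.Ubr -ge $ExpectedUbr)
    $reason  = if ($byName) { "$Kb present in Get-HotFix" }
               elseif ($byUbr) { "UBR $($os.Ubr) >= expected $ExpectedUbr (superseding update installed)" }
               else { "$Kb not installed; UBR is $($os.Ubr)" }
    [pscustomobject]@{ Applicable = $true; Patched = ($byName -or $byUbr); Os = $os; Reason = $reason }
}

function Install-MsuOffline {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "MSU not found: $Path" }
    # wusa.exe exit codes worth handling:
    #   0        installed, no reboot needed
    #   3010     installed, reboot required (ERROR_SUCCESS_REBOOT_REQUIRED)
    #   2359302  already installed (WU_S_ALREADY_INSTALLED, 0x240006)
    $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    switch ($proc.ExitCode) {
        0       { return 'installed' }
        3010    { return 'installed-reboot-required' }
        2359302 { return 'already-installed' }
        default { throw ('wusa.exe failed with exit code {0} (0x{0:X8})' -f $proc.ExitCode) }
    }
}

$state = Get-PatchState -ExpectedUbr $ExpectedUbr
Write-Host ('{0} build {1}.{2}: {3}' -f $state.Os.ProductName, $state.Os.Build, $state.Os.Ubr, $state.Reason)

if (-not $state.Applicable) { exit 2 }   # wrong OS for this KB
if ($state.Patched)          { exit 0 }   # nothing to do

if (-not $Install) {
    Write-Warning "Not patched. Re-run with -Install (and optionally -Reboot) after staging the MSU at $MsuPath."
    exit 1
}

$result = Install-MsuOffline -Path $MsuPath
Write-Host "wusa.exe result: $result"
if ($result -eq 'installed-reboot-required') {
    if ($Reboot) { Restart-Computer -Force }
    else { Write-Warning 'Reboot required before the fix is active; re-run this script afterwards to verify.' }
}
```

Save it under any name (the name Check-KB5066586.ps1 used here is arbitrary) and run `.\Check-KB5066586.ps1 -ExpectedUbr <revision from the KB article> -Install -Reboot`; without -Install it only reports and exits 1 when the server is unpatched, 0 when patched, 2 when the KB does not apply to the build. Before installing the MSU offline, check the prerequisites section of the KB article: Windows Server 2019 cumulative updates still depend on the current servicing stack update, and wusa.exe will refuse the package if that prerequisite is missing.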

Rollback

# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5066586 /quiet /norestart
# Reboot after uninstall

Cumulative updates can be removed, but the server then loses every fix that update delivered, including this one, and stays exposed until another cumulative is applied. Prefer rolling forward to a newer cumulative that carries the fix without the regression.

Notes

This entry covers Windows Server 2019 specifically (KB5066586). Other Windows Server versions have their own KB for CVE-2025-49708.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-49708 and NVD https://nvd.nist.gov/vuln/detail/CVE-2025-49708.

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.