KB5025229: Windows Server 2022 Cumulative Update (April 2023)
The April 2023 Patch Tuesday cumulative update for Windows Server 2022 addresses 97 security vulnerabilities, including a zero-day in the Windows Common Log File System (CLFS) driver, CVE-2023-28252, that was being actively exploited by ransomware groups at the time of release.
CVE-2023-28252 is a privilege escalation flaw: any user who can already run code locally on an unpatched system can escalate to SYSTEM. Ransomware operators used it in their post-exploitation chain after gaining initial access via phishing or exposed services, since SYSTEM is the privilege level needed to disable AV, encrypt files, and spread laterally.
The CLFS driver is present on every Windows system, so the exposure is not limited to hosts running a particular role. The exploitation observed in the wild was attributed to the Nokoyawa ransomware group.
Affected OS versions
The Nokoyawa ransomware group exploited CVE-2023-28252 as a zero-day before the April 2023 patch shipped. Kaspersky observed multiple incidents in which the CLFS driver exploit was used to escalate from a standard user session to SYSTEM, bypassing endpoint security tools that blocked elevated process creation. Microsoft and CISA confirmed active exploitation on Patch Tuesday itself.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5025229
Manual remediation steps
Estimated time: 30–60 minutes including reboot
Check if KB5025229 is installed
Get-HotFix -Id KB5025229
Apply
Verify
Get-HotFix -Id KB5025229
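The check, apply and verify steps above, as one added PowerShell script (example code written for this page, not from the original page or from Microsoft). It assumes the update's .msu file has already been downloaded from the Microsoft Update Catalog to the hypothetical path in $MsuPath, and that the script runs in an elevated session. Beyond the page's own Get-HotFix check it also reports the clfs.sys file version (the component the update replaces) and whether a reboot is still pending, because the fix is not in effect until the server restarts.

```powershell
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$KbId = 'KB5025229',
    # Hypothetical local path to the .msu downloaded from the Update Catalog.
    [string]$MsuPath = 'C:\Patches\KB5025229.msu',
    # Only install when -Apply is given; the default run is check/verify only.
    [switch]$Apply
)

function Test-KbInstalled {
    param([Parameter(Mandatory)][string]$Id)
    # Get-HotFix queries Win32_QuickFixEngineering, where cumulative updates
    # register; SilentlyContinue turns "not found" into an empty result.
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KbId        = $Id
        Installed   = [bool]$hf
        InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
    }
}

function Test-RebootPending {
    # Servicing and Windows Update create these keys while a restart is outstanding.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    (Test-Path $cbs) -or (Test-Path $wu)
}

function Get-ClfsDriverVersion {
    # The vulnerable component is the CLFS driver; its file version changes with the update.
    $drv = Join-Path $env:SystemRoot 'System32\drivers\clfs.sys'
    (Get-Item $drv).VersionInfo.FileVersion
}

function Install-MsuPackage {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path $Path)) { throw "MSU not found: $Path" }
    # wusa.exe installs the package silently; /norestart leaves the reboot to the operator.
    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
    # 0 = installed, 3010 = installed and a reboot is required.
    $p.ExitCode
}

# --- Check ---
$before = Test-KbInstalled -Id $KbId
"Before: $KbId installed = $($before.Installed); clfs.sys = $(Get-ClfsDriverVersion)"

# --- Apply (only when requested and not already present) ---
if ($Apply -and -not $before.Installed) {
    $code = Install-MsuPackage -Path $MsuPath
    "wusa.exe exit code: $code"
}

# --- Verify ---
$after = Test-KbInstalled -Id $KbId
"After:  $KbId installed = $($after.Installed) (installed on $($after.InstalledOn))"
if (Test-RebootPending) {
    "Reboot pending: the update is staged but not active until the server restarts."
}
```

Run it once without -Apply to record the baseline, then with -Apply to install; after the reboot, run it again and compare the clfs.sys version with the baseline to confirm the driver itself was replaced rather than only the KB entry being registered.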