KB5058385: Windows Server 2022 Cumulative Update (May 2025)
The May 2025 cumulative update for Windows Server 2022 bundles fixes for five zero-days exploited in the wild (three privilege-escalation chains in CLFS / WinSock / DWM, one Scripting Engine memory-corruption RCE) plus two CVSS 8.8 Remote Desktop heap-overflow RCEs. Apply within the operator's standard 7-day SLA — exploitation is active.
A local attacker who already has unprivileged code execution on the host can chain any of the four EoP zero-days to gain SYSTEM. The Scripting Engine flaw and the two Remote Desktop heap overflows extend the attack surface to network-reachable code execution where the prerequisite conditions apply (a user opens a malicious page / connects out to a malicious RDP server / a vulnerable RDS gateway is reachable).
KB5058385 rolls up every security fix for Windows Server 2022 since the April 2025 cumulative update (KB5055526). Five of the bundled fixes address exploited-in-the-wild zero-days: CVE-2025-32701 and CVE-2025-32706 are use-after-free / EoP issues in the Common Log File System driver; CVE-2025-32709 is an EoP in the Ancillary Function Driver for WinSock; CVE-2025-30400 is an EoP in the Desktop Window Manager Core Library; CVE-2025-30397 is a Scripting Engine memory-corruption flaw that allows remote code execution. Two additional critical fixes address heap-based buffer overflows in Remote Desktop client (CVE-2025-29966) and Remote Desktop Gateway Service (CVE-2025-29967).
Probably yes if any of these apply:
Affected OS versions
Microsoft confirmed exploitation of all four EoP zero-days and the Scripting Engine RCE prior to the May 13 2025 release. CrowdStrike Counter Adversary Operations reported CVE-2025-32706 to Microsoft. Tenable categorised this Patch Tuesday as one of the most actively exploited in 2025 — the CLFS driver alone received its third in-the-wild EoP fix of the year (after CVE-2025-29824 in April).
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5058385
Manual remediation steps
⏱ 30–60 minutes including reboot
Check if KB5058385 is Installed
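```powershell
Get-HotFix -Id KB5058385
# A "Cannot find the requested hotfix" error = patch not listed as installed
# Or check the OS build. [System.Environment]::OSVersion.Version does not
# report the update revision (UBR), so read both values from the registry:
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"$($cv.CurrentBuild).$($cv.UBR)"
# Build number 20348.3692 or higher = patched
```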
Apply via Windows Update
Apply Manually (Disconnected Hosts)
```powershell
wusa.exe windows10.0-kb5058385-x64.msu /quiet /norestart
```
Apply via WSUS / SCCM / Intune
Approve KB5058385 in your patch management console. The update is classified as a Security Update for Windows Server 2022.
Verify After Reboot
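```powershell
Get-HotFix -Id KB5058385
# InstalledOn date must appear
# Or verify the OS build. OsBuildNumber from Get-ComputerInfo omits the
# update revision (UBR), so read both values from the registry:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' |
    Select-Object CurrentBuild, UBR
# CurrentBuild.UBR must be 20348.3692 or higher
```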
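The check and verify steps above can be combined into one fleet-wide report. The following is an added example, not a script from the original page: the function names `Test-PatchLevel` and `Get-PatchStatus` are hypothetical, the 20348.3692 threshold is the page's value, and remote hosts are assumed to have PowerShell remoting enabled.

```powershell
# Added example, not from the original page. Function names are hypothetical.
$MinBuild = 20348   # Windows Server 2022 build line
$MinUbr   = 3692    # revision the page gives for KB5058385

function Test-PatchLevel {
    # Pure comparison, so it can be exercised with constructed values.
    param([int]$Build, [int]$Ubr)
    if ($Build -ne $MinBuild) { return 'NotApplicable' }  # not Server 2022
    if ($Ubr -ge $MinUbr)     { return 'Patched' }
    return 'Missing'
}

# Runs on the target host: reads build.UBR and whether the KB is listed.
$Probe = {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $listed = try { [bool](Get-HotFix -Id KB5058385 -ErrorAction Stop) } catch { $false }
    [pscustomobject]@{ Build = [int]$cv.CurrentBuild; Ubr = [int]$cv.UBR; KbListed = $listed }
}

function Get-PatchStatus {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($name in $ComputerName) {
        try {
            if ($name -eq $env:COMPUTERNAME) {
                $r = & $Probe
            } else {
                $r = Invoke-Command -ComputerName $name -ScriptBlock $Probe -ErrorAction Stop
            }
            # A later cumulative update can replace this KB in the hotfix list,
            # so Status is decided by the build revision, not by KbListed.
            [pscustomobject]@{
                Computer = $name
                Build    = "$($r.Build).$($r.Ubr)"
                KbListed = $r.KbListed
                Status   = Test-PatchLevel -Build $r.Build -Ubr $r.Ubr
            }
        } catch {
            [pscustomobject]@{
                Computer = $name; Build = $null; KbListed = $null
                Status   = "Unreachable: $($_.Exception.Message)"
            }
        }
    }
}

# Local host by default; pass -ComputerName with your own server list.
Get-PatchStatus | Format-Table -AutoSize
```

Hosts reported as `Missing` are the ones to prioritise; `NotApplicable` means the host is not on the 20348 build line and needs the update for its own OS version.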
| Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference |
|---|---|---|---|---|
| KB5058385 | CVE-2025-32701 | Elevation of Privilege — Windows Common Log File System Driver | 7.8 | NVD ↗ |
| KB5058385 | CVE-2025-32706 | Elevation of Privilege — Windows Common Log File System Driver | 7.8 | NVD ↗ |
| KB5058385 | CVE-2025-32709 | Elevation of Privilege — Windows Ancillary Function Driver for WinSock | 7.8 | NVD ↗ |
| KB5058385 | CVE-2025-30400 | Elevation of Privilege — Microsoft DWM Core Library | 7.8 | NVD ↗ |
| KB5058385 | CVE-2025-30397 | Remote Code Execution — Microsoft Scripting Engine (memory corruption) | 7.5 | NVD ↗ |
| KB5058385 | CVE-2025-29966 | Remote Code Execution — Windows Remote Desktop (heap buffer overflow) | 8.8 | NVD ↗ |
| KB5058385 | CVE-2025-29967 | Remote Code Execution — Remote Desktop Gateway Service (heap overflow) | 8.8 | NVD ↗ |