IRONSMITHINTEL
CRITICAL · CVSS 9.8 · CVE-2023-21692 · Auth: none · Reboot: required · Manual only

KB5022842: Windows Server 2022 Security Update (February 2023)

A pre-authentication crafted PEAP packet can give an attacker SYSTEM-level code execution on any Windows Server running Network Policy Server with PEAP enabled.

Published Feb 14, 2023 · Updated May 21, 2026
Why patch · Risk explained in plain English
Worst-case scenario · If unpatched

An attacker who can reach the RADIUS port of an NPS with a PEAP network policy enabled can send a crafted PEAP packet before any authentication, trigger the heap overflow, and run code as SYSTEM. From SYSTEM the attacker controls the authentication infrastructure for every wireless and wired client the NPS serves.

How the attack works

PEAP is the authentication protocol used to wrap weaker EAP methods inside a TLS tunnel — the foundation of WPA2-Enterprise Wi-Fi and 802.1X authentication. The PEAP server component on Windows runs inside the Network Policy Server (NPS) role. A heap-based buffer overflow in how it parses PEAP handshake messages lets an unauthenticated attacker corrupt memory during the pre-authentication phase and execute code as SYSTEM.

Am I affected? · Quick check

Probably yes if any of these apply:

Windows Servers running the Network Policy Server (NPS) role with PEAP enabled in any network policy

Affected OS versions

Windows Server 2022

Real-world incidents · What we've seen

A neighbouring tenant in a shared office building reaches the corporate RADIUS server through a misconfigured shared switch fabric. The attacker sends one crafted PEAP packet and lands SYSTEM on the NPS. From there they harvest the RADIUS shared secrets and the authentication credentials of every connected client — wireless and wired alike. PEAP RCE attacks are particularly dangerous because they target the trust anchor of network access itself.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5022842

Manual remediation steps

Prerequisites

    Local administrator on the target server
    Maintenance window with reboot capacity
    Current backup or snapshot you can roll back to
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5022842 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5022842)

Manual download (offline / air-gapped):

    1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5022842
    2. Download the MSU for Windows Server 2022 that matches your architecture (x64).
    3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5022842
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5022842, the install did not take — re-run from a different channel.
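
Added example, not a script from this page: once a later cumulative update is installed, Get-HotFix may no longer list KB5022842 even though the fix is present, so this check also compares the OS update revision (UBR) and reports whether the NPS role is installed, which is what puts a server in scope. The function name and the MinimumUbr parameter are hypothetical; MinimumUbr is the build revision stated in Microsoft's article for KB5022842 (this page does not give it), and remote hosts are assumed to have PowerShell remoting enabled.

```powershell
# Added example: patch-state check for KB5022842 on NPS hosts (not the page's own code).
# Usage: Get-Kb5022842Status -MinimumUbr <UBR from the KB article> -ComputerName nps01,nps02
function Get-Kb5022842Status {
    [CmdletBinding()]
    param(
        # Assumption: revision (UBR) installed by KB5022842, read from Microsoft's
        # KB article. Required input because the page does not state it.
        [Parameter(Mandatory)][int]$MinimumUbr,
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )
    $probe = {
        param($MinUbr)
        $cv  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $kb  = Get-HotFix -Id KB5022842 -ErrorAction SilentlyContinue
        # NPAS is the Server Manager feature name for Network Policy and Access
        # Services; Get-WindowsFeature is only available on Windows Server.
        $nps = Get-WindowsFeature -Name NPAS -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            Product      = $cv.ProductName
            Build        = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
            IsServer2022 = ($cv.ProductName -like 'Windows Server 2022*')
            NpsInstalled = [bool]($nps -and $nps.Installed)
            KbListed     = [bool]$kb
            # Patched if the KB is listed, or a later cumulative update raised the UBR.
            Patched      = ([bool]$kb) -or ([int]$cv.UBR -ge $MinUbr)
        }
    }
    foreach ($c in $ComputerName) {
        try {
            if ($c -eq $env:COMPUTERNAME) {
                & $probe $MinimumUbr
            } else {
                Invoke-Command -ComputerName $c -ScriptBlock $probe `
                    -ArgumentList $MinimumUbr -ErrorAction Stop
            }
        } catch {
            # An unreachable host is reported, never silently treated as patched.
            Write-Warning "$c : check failed: $($_.Exception.Message)"
        }
    }
}
```

Rows with IsServer2022 and NpsInstalled true and Patched false are the servers to patch first; a host that only raises a warning still needs a manual check.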

Rollback

wusa.exe /uninstall /kb:5022842 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

    This entry covers Windows Server 2022 specifically (KB5022842). Other Windows Server versions have their own KB for CVE-2023-21692.
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21692 and NVD https://nvd.nist.gov/vuln/detail/CVE-2023-21692.

PowerShell automation · Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.