IRONSMITHINTEL
CRITICAL · CVSS 9.8
CVE-2025-21307 | Auth: none | Reboot: required | Manual only

KB5049983: Windows Server 2022 Security Update (January 2025)

An attacker on your network can take full control of a Windows Server without credentials by sending a single crafted multicast packet, if the PGM protocol (installed with MSMQ) is present and an application has a PGM socket open.

Published Jan 14, 2025 · Updated May 21, 2026
Why patch: risk explained in plain English
Worst-case scenario if unpatched

An attacker who can get packets to your server, with no credentials, no user interaction, and no foothold, can send a crafted multicast packet to a server with a PGM socket open and run code in kernel context. The CVSS 9.8 vector rates the attack network-reachable (AV:N), so do not assume the attacker must sit on the same subnet; anywhere PGM traffic can be routed from counts. From kernel context the attacker is effectively the operating system: they can install ransomware, create hidden administrator accounts, disable EDR, or pivot to any other system the server can reach.

How the attack works

The Windows Reliable Multicast Transport Driver (RMCAST) is a kernel component that implements the Pragmatic General Multicast (PGM) protocol, a way for one sender to deliver the same data reliably to many receivers at once. PGM rides directly on IP as its own protocol number (113, IPPROTO_RM in Winsock) rather than on TCP or UDP, so port-based firewall rules never touch it; the network-level mitigation is to filter IP protocol 113 at the boundary. RMCAST is only listening when an application has opened a PGM socket on the server, and PGM support is installed with the Microsoft Message Queuing (MSMQ) feature. A use-after-free bug in how RMCAST handles incoming packets lets a network attacker corrupt kernel memory and execute their own code.

Am I affected? Quick check

Probably yes if any of these apply:

Servers with Microsoft Message Queuing (MSMQ) installed AND a PGM socket open
Application servers using MSMQ multicast (rare but legitimate in trading, market-data, and broadcast workflows)

Affected OS versions

Windows Server 2022
Real-world incidents: what we've seen

A ransomware operator scans a flat corporate network and finds a single Windows file server that has MSMQ installed for an old internal app. One unauthenticated multicast packet later they own the server in kernel mode, deploy their loader, enumerate the domain, and within an hour they are encrypting file shares and backup volumes. The narrow installation footprint of PGM means most administrators discount this CVE — and that is exactly what makes it valuable to an attacker who finds one.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update Catalog: KB5049983

Manual remediation steps

Decide if you need to patch

PGM is not on by default on a stock Windows Server. You are exposed if MSMQ is installed and an application has opened a PGM socket. PGM is its own IP protocol (number 113, IPPROTO_RM), not a TCP or UDP service, so it has no port for netstat or Get-NetUDPEndpoint to find. Check the feature and the driver instead:

# Is MSMQ installed? (PGM is installed with it; MSMQ-Multicasting is the sub-feature that uses it)
Get-WindowsFeature -Name MSMQ* | Where-Object Installed

# Is the Reliable Multicast Protocol driver (RMCAST) registered and running?
Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" | Select-Object Name, State, StartMode

If MSMQ is not installed and the RMCAST driver is not running you are not exposed today, but you should still install the cumulative update on your standard patch schedule. A running RMCAST driver does not by itself prove that a PGM socket is open, but there is no socket-level view of PGM listeners, so treat any such server as exposed.

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5049983 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Trigger an immediate scan and install. UsoClient is an undocumented but widely used
# Windows Update client trigger; a WSUS / SCCM / Intune deployment of KB5049983 is the supported route.
UsoClient ScanInstallWait

Manual download (offline or air-gapped servers):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5049983
2. Download the MSU for Windows Server 2022 that matches your architecture (x64).
3. Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

After the reboot:

# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5049983

# Confirm the OS build advanced. [System.Environment]::OSVersion.Version stops at the
# major build (10.0.20348) and never shows the revision, so read the UBR from the registry.
# Windows Server 2022 with KB5049983 reports 20348.3091; a later cumulative reports a higher UBR.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
"$($cv.CurrentBuildNumber).$($cv.UBR)"

If Get-HotFix returns nothing for KB5049983 and the UBR is still below 3091, the install did not take; re-run the update from a different channel. If the UBR is 3091 or higher but the KB is absent, a later cumulative update has superseded it and the fix is present: Get-HotFix stops listing an LCU once a newer one replaces it, so the build number is the authoritative check.
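The whole procedure above (exposure check, already-patched check, install via either channel, post-reboot verification) as one script. This is an added example, not the page's own automation (which the page says is not yet published) and not a Microsoft tool. Labelled assumptions: the RMCAST kernel driver is registered under the service name RMCAST; KB5049983 installs OS build 20348.3091 (UBR 3091); UsoClient's ScanInstallWait argument is undocumented; -MsuPath is a hypothetical parameter for an MSU fetched from the Update Catalog.

```powershell
# Added example: exposure check + install + verification for KB5049983 on Windows Server 2022.
# Not the page's own script. Assumptions: driver service name 'RMCAST'; KB5049983 = build
# 20348.3091; UsoClient ScanInstallWait is undocumented; -MsuPath is a hypothetical parameter.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$MsuPath = '',   # path to the catalog MSU; empty = use Windows Update / WSUS
    [switch]$Reboot          # reboot automatically once the update is staged
)

$Kb     = 'KB5049983'
$Build  = 20348              # Windows Server 2022 major build
$MinUbr = 3091               # assumption: revision installed by KB5049983

function Test-PgmExposure {
    # PGM is installed with MSMQ; the protocol itself is the RMCAST driver. A running driver
    # is the precondition for an open PGM socket, and there is no netstat-style view of PGM
    # listeners because PGM is IP protocol 113, not UDP/TCP.
    $msmq   = Get-WindowsFeature -Name 'MSMQ*' | Where-Object Installed
    $rmcast = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='RMCAST'" -ErrorAction SilentlyContinue
    [pscustomobject]@{
        MsmqFeatures  = @($msmq | ForEach-Object Name) -join ', '
        RmcastState   = $(if ($rmcast) { $rmcast.State } else { 'not registered' })
        LikelyExposed = [bool]$msmq -and [bool]$rmcast -and ($rmcast.State -eq 'Running')
    }
}

function Get-PatchState {
    # Get-HotFix stops listing an LCU once a newer cumulative supersedes it, so the registry
    # UBR (build revision) is the authoritative check.
    $hotfix = Get-HotFix -Id $Kb -ErrorAction SilentlyContinue
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{
        HotfixPresent = [bool]$hotfix
        InstalledOn   = $hotfix.InstalledOn
        OsBuild       = "$($cv.CurrentBuildNumber).$($cv.UBR)"
        Fixed         = ([int]$cv.CurrentBuildNumber -eq $Build) -and ([int]$cv.UBR -ge $MinUbr)
    }
}

Write-Host '== Exposure =='
Test-PgmExposure | Format-List | Out-String | Write-Host

$state = Get-PatchState
Write-Host "== Patch state: build $($state.OsBuild), $Kb present: $($state.HotfixPresent) =="
if ($state.Fixed) {
    Write-Host "$Kb or a later cumulative is already installed; nothing to do."
    return
}

if ($MsuPath) {
    if (-not (Test-Path -LiteralPath $MsuPath)) { throw "MSU not found: $MsuPath" }
    # wusa.exe exit codes: 0 = installed, 3010 = installed and reboot pending,
    # 2359302 (0x240006) = already installed.
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    Write-Host "wusa.exe exit code: $($p.ExitCode)"
    if ($p.ExitCode -notin @(0, 3010, 2359302)) { throw "wusa.exe failed with exit code $($p.ExitCode)" }
} else {
    # Undocumented Windows Update client trigger; blocks until the scan/install cycle finishes.
    Start-Process -FilePath 'UsoClient.exe' -ArgumentList 'ScanInstallWait' -Wait
}

if ($Reboot) {
    Restart-Computer -Force
} else {
    Write-Warning "Reboot required before the fix is active. Re-run this script afterwards; it should report Fixed = True."
}
```

Run it once before the maintenance window with no parameters to record exposure and patch state, then with -MsuPath (air-gapped) or without it (WSUS/Windows Update) plus -Reboot to apply, and once more after the reboot to verify. The Fixed flag is driven by the build revision rather than by Get-HotFix so it stays correct on servers that have since moved to a later cumulative.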

Rollback

# Remove the update (last resort: only if the update breaks a workload).
# Windows Server 2022 cumulative updates ship as a combined SSU+LCU package, and
# wusa.exe /uninstall /kb:5049983 cannot remove that combination. Find the LCU
# package name (Package_for_RollupFix...) and remove it with DISM instead:
DISM /online /get-packages | findstr /i "RollupFix"
DISM /online /Remove-Package /PackageName:<Package_for_RollupFix name from the previous command>
# Reboot after uninstall

Cumulative updates can be removed but the server then loses every fix that update delivered, including this one; the bundled servicing stack update stays installed, only the LCU comes off. Prefer rolling forward to a newer cumulative.

Notes

This entry covers Windows Server 2022 specifically (KB5049983). Other Windows Server versions have their own KB for CVE-2025-21307.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21307 and NVD https://nvd.nist.gov/vuln/detail/CVE-2025-21307.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.