IRONSMITHINTEL
CRITICAL · CVSS 9.8
CVE-2025-21311 | Auth: none | Reboot: required | Manual only

KB5049984: Windows Server 2022 Security Update (January 2025)

An attacker can escalate to administrator privileges on Windows Servers that still permit NTLM v1 by capturing and replaying authentication exchanges.

Published Jan 14, 2025 · Updated May 21, 2026
Why patch (risk explained in plain English)
Worst-case scenario if unpatched

An attacker who can position themselves between a client and a server — through ARP spoofing on a local network, a malicious wireless network, or a compromised IoT device — can capture an NTLMv1 authentication exchange and replay it to a Windows Server that still accepts NTLMv1. The result is administrator-level access on that server without ever guessing or cracking a password. From there the attacker can dump credentials, add accounts to the local Administrators group, or pivot toward Domain Admin.

How the attack works

NTLM (NT LAN Manager) is the legacy challenge-response authentication protocol Windows used before Kerberos. Version 1 (NTLMv1) is decades old, cryptographically weak, and explicitly deprecated by Microsoft — but it remains enabled on many domains for backward compatibility with old appliances or applications. A flaw in how the NTLMv1 handshake is validated lets an attacker who can observe or relay traffic recover material that elevates the relayed session to administrator on the target.

Am I affected? (quick check)

Probably yes if any of these apply:

Any server that still allows NTLMv1 (LmCompatibilityLevel ≤ 3)
Domain controllers in domains that have not yet disabled NTLMv1

Affected OS versions

Windows Server 2022
Real-world incidents: what we've seen

A penetration tester drops an implant on a print MFP — a device administrators rarely think of as a security boundary. The implant performs ARP poisoning on the segment, captures the next NTLMv1 authentication that crosses the wire (a backup job, a monitoring agent, a domain join), and replays it against the nearest server. Within minutes the tester has local admin on a production file server. The same chain is used by ransomware affiliates when they find NTLMv1 still enabled inside an enterprise.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5049984 (https://catalog.update.microsoft.com/Search.aspx?q=KB5049984)

Manual remediation steps

Confirm whether NTLMv1 is enabled

Patching closes the implementation flaw, but you should also disable NTLMv1 — the protocol has no remaining legitimate use on a modern server.

# Read LmCompatibilityLevel. 5 = NTLMv2 only (refuses LM and NTLMv1); anything lower
# still accepts NTLMv1. No output means the value is not configured and the OS default applies.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -ErrorAction SilentlyContinue

# Enforce NTLMv2-only (test in staging first)
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Value 5 -Type DWord
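Before forcing level 5, a practitioner wants two things the one-liners above do not give: the effective level when the value is simply not configured, and a list of who is still authenticating with NTLMv1 so that legacy clients can be fixed instead of broken. The following is an added example, not IronSmithIntel's script; it assumes an elevated session on the server being assessed and that logon success auditing (Security event 4624) is enabled, which is the default on servers. The function names are the author's own choice.

```powershell
# Added example (not IronSmithIntel's script). Run elevated on the server.
# Function names below are this example's own, not part of the advisory.

function Get-NtlmCompatibilityState {
    # Returns the effective LmCompatibilityLevel and whether NTLMv1 responses
    # are still accepted. Only level 5 refuses both LM and NTLMv1.
    $lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $value = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
                -ErrorAction SilentlyContinue).LmCompatibilityLevel
    if ($null -eq $value) {
        # Value not present: Windows Server 2008 and later default to 3.
        $value  = 3
        $source = 'default (value not configured)'
    } else {
        $source = 'registry'
    }
    [pscustomobject]@{
        LmCompatibilityLevel = $value
        Source               = $source
        AcceptsNtlmV1        = ($value -lt 5)
    }
}

function Get-NtlmV1Logons {
    # Lists successful logons (Security event 4624) whose "Package Name (NTLM only)"
    # field is NTLM V1. Collect this over a full business cycle (backup jobs,
    # monitoring agents, month-end runs) before setting level 5.
    param([int]$MaxEvents = 5000)

    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
                           -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Parse the event XML by field name rather than relying on property indexes.
        $data = ([xml]$e.ToXml()).Event.EventData.Data
        $pkg  = ($data | Where-Object Name -eq 'LmPackageName').'#text'
        if ($pkg -ne 'NTLM V1') { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = ($data | Where-Object Name -eq 'TargetUserName').'#text'
            Domain      = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
            Workstation = ($data | Where-Object Name -eq 'WorkstationName').'#text'
            SourceIp    = ($data | Where-Object Name -eq 'IpAddress').'#text'
            LogonType   = ($data | Where-Object Name -eq 'LogonType').'#text'
        }
    }
}

# Usage: show the effective level, then the accounts and sources still using NTLMv1.
Get-NtlmCompatibilityState
Get-NtlmV1Logons |
    Group-Object Account, SourceIp |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

An empty result from Get-NtlmV1Logons over a representative period is the evidence you want before running the Set-ItemProperty line above; each remaining row is a client or service account to fix first. On a domain controller the same query shows NTLMv1 use across the domain, since the DC validates those logons.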

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5049984 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5049984)

Manual download (offline or air-gapped servers):

1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5049984
2. Download the MSU for Windows Server 2022 that matches your architecture (x64).
3. Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

After the reboot:

# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5049984

# Confirm the OS build advanced. OSVersion.Version reports the base build (10.0.20348)
# without the revision; the cumulative update bumps the UBR value, so read that as well.
[System.Environment]::OSVersion.Version
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').UBR

If Get-HotFix returns nothing for KB5049984, the install did not take — re-run the update from a different channel.
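The three steps and the verification above fit in one script for the offline path. The following is an added example, not IronSmithIntel's automation (the page itself states none exists yet); it assumes an elevated session on the Windows Server 2022 host and an MSU already downloaded from the Microsoft Update Catalog. The function names, the $Kb variable and the MSU path are this example's own; the path is a placeholder to replace with your download location.

```powershell
# Added example (not IronSmithIntel's script). Assumes an elevated session on the
# target server. Function names and $MsuPath are this example's own assumptions.

$Kb = 'KB5049984'

function Test-KbInstalled {
    # Get-HotFix returns nothing when the KB is absent; [bool] turns that into $false.
    param([string]$Id = $Kb)
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    return [bool]$hf
}

function Get-OsBuildRevision {
    # OSVersion.Version shows 10.0.20348 for every Server 2022 build; the
    # cumulative update advances the UBR (revision) stored in the registry.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    return ('{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR)
}

function Install-KbFromMsu {
    # Installs a downloaded .msu with wusa.exe and maps its exit code to a status.
    param([Parameter(Mandatory)][string]$MsuPath)
    if (-not (Test-Path -LiteralPath $MsuPath)) { throw "MSU not found: $MsuPath" }

    $p = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                       -ArgumentList "`"$MsuPath`"", '/quiet', '/norestart' `
                       -Wait -PassThru
    switch ($p.ExitCode) {
        0       { return 'Installed' }
        3010    { return 'RebootRequired' }    # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302 { return 'AlreadyInstalled' }  # WU_S_ALREADY_INSTALLED (0x240006)
        default { throw ('wusa.exe exited with 0x{0:X8}' -f $p.ExitCode) }
    }
}

# Usage (step 1: check, step 2: install, step 3: reboot).
$MsuPath = 'C:\Patches\kb5049984-x64.msu'   # placeholder: path to the MSU you downloaded
$before  = Get-OsBuildRevision

if (Test-KbInstalled) {
    "$Kb is already installed (build $before)"
} else {
    $result = Install-KbFromMsu -MsuPath $MsuPath
    "Install result for ${Kb}: $result (build before install: $before)"
    if ($result -eq 'RebootRequired') { Restart-Computer -Force }
}

# Verification, run again after the reboot: Test-KbInstalled must return $true and
# Get-OsBuildRevision must report a higher revision than the value recorded before.
```

Record the pre-install revision somewhere outside the session (a ticket or a log) so that the post-reboot comparison is against a real baseline; wusa.exe reporting success with no change in UBR is the case where the page's advice to retry from a different channel applies.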

Rollback

# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5049984 /quiet /norestart
# Reboot after uninstall

Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.

Notes

This entry covers Windows Server 2022 specifically (KB5049984). Other Windows Server versions have their own KB for CVE-2025-21311.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21311 and NVD https://nvd.nist.gov/vuln/detail/CVE-2025-21311.
PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.