IRONSMITHINTEL
HIGHCVSS8.8
|CVE-2026-32225|Auth: see msrc advisory|Reboot: required|Manual only

KB5082142: Windows Server 2022 Security Update (April 2026)

An attacker can bypass a Windows network security feature through a flaw in how the Windows Shell validates and enforces security policy.

Published Apr 14, 2026 · Updated May 23, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker chains this bypass with another vector — a phishing attachment, a malicious download, or an existing foothold — to evade the protection the bypassed feature provides. In practice that means getting attacker-controlled content past a check that would normally warn the user or block execution (e.g., suppressing a Mark-of-the-Web warning so a downloaded file runs without the usual prompt).

How the attack works

The Windows Shell is the component that handles file associations, shortcuts, URI handlers, and the enforcement of several security policies (Mark-of-the-Web, application control, UAC prompts). A flaw lets an attacker bypass a network security feature the Shell is supposed to enforce — typically by exploiting inconsistencies between how a security policy is defined and how the Shell interprets it.

Am I affected?Quick check

Probably yes if any of these apply:

Any Windows Server where users open files, links, or attachments
Servers relying on Windows Shell security policy enforcement (MotW, app control)

Affected OS versions

Windows Server 2022
Real-world incidentsWhat we've seen

An attacker sends a phishing email with an attachment that would normally trigger a Mark-of-the-Web "this file came from the internet" warning. Exploiting the Shell bypass, the file opens without the warning, and the user runs it believing it is safe. Shell and Mark-of-the-Web bypasses appear in CISA KEV listings regularly because they are the first step that turns a phishing email into code execution.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5082142

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5082142 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5082142
2
Download the MSU for Windows Server 2022 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5082142
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5082142 /quiet /norestart

Notes

    1
    This entry covers Windows Server 2022 specifically (KB5082142). Other Windows Server versions have their own KB for CVE-2026-32225.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-32225 and NVD https://nvd.nist.gov/vuln/detail/CVE-2026-32225.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2026-32225MSRC AdvisoryNVDKBKB5082142