IRONSMITHINTEL
CRITICAL | CVSS 8.8 | Actively Exploited | CISA KEV | CVE-2025-32701 | Auth: multiple (see individual CVEs) | Reboot: required | Est. 30–60 minutes including reboot | Manual only

KB5058411: Windows Server 2025 Cumulative Update (May 2025)

The May 2025 cumulative update for Windows Server 2025 (the latest LTSC) ships the same May 13 fixes as Server 2019 and 2022: five exploited zero-days plus two Remote Desktop heap-overflow RCEs. Apply on Server 2025 with the same urgency.

Published May 13, 2025 · Updated May 15, 2026
Why patch: Risk explained in plain English

Worst-case scenario: If unpatched

Same impact model as Server 2022/2019: local-to-SYSTEM EoP chains for any unprivileged code execution, plus network-reachable RCE surfaces in Scripting Engine and Remote Desktop where the prerequisites are present.

How the attack works: No clicks needed

KB5058411 is the May 2025 cumulative for Windows Server 2025. The fixed-component coverage matches the Server 2019 / Server 2022 May 2025 rollups: four in-the-wild EoP zero-days (two in the CLFS driver, one in the WinSock AFD driver, one in DWM Core), one in-the-wild Scripting Engine memory-corruption RCE, and two critical-severity Remote Desktop heap-buffer-overflow RCEs.

Am I affected? Quick check

Probably yes if any of these apply:

All Windows Server 2025 systems
Windows Server 2025 hosts initiating outbound RDP
Internet-facing Remote Desktop Gateway servers
Running Windows Server 2025 prior to OS Build 26100.4061 (KB5058411)

Affected OS versions

Windows Server 2025
Fixed in KB5058411 (OS Build 26100.4061)

Real-world incidents: What we've seen

Server 2025 inherits the same threat exposure as older supported LTSC builds — Microsoft confirmed pre-disclosure exploitation of the five May 2025 zero-days across the Windows kernel-mode and user-mode components affected. Server 2025 also receives the Remote Desktop fixes per the cross-version CVE table.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5058411

Manual remediation steps

30–60 minutes including reboot

Check if KB5058411 is Installed

Get-HotFix -Id KB5058411
# An error ("Cannot find the requested hotfix") means the KB is not listed on this host

Apply via Windows Update

1. Settings → Windows Update
2. Check for updates and install
3. Restart when prompted

Apply Manually

1. Download KB5058411 from https://catalog.update.microsoft.com
2. wusa.exe windows10.0-kb5058411-x64.msu /quiet /norestart
3. Restart the server

Apply via WSUS / SCCM / Intune

Approve KB5058411.

Verify

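Get-HotFix -Id KB5058411
# OsBuildNumber reports only the build (26100); the revision (UBR) is read from the registry
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
'{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR
# Result must be 26100.4061 or higher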
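
The verification step above, extended to several hosts and to the reboot requirement. This is an added example, not a script from this page or from Microsoft. The host names are hypothetical, PowerShell remoting (WinRM) is assumed to be enabled, and the two reboot-pending registry keys are the commonly used servicing indicators rather than values taken from this advisory.

```powershell
# Added example: check hosts against the KB5058411 build floor (26100.4061).
# $Servers holds constructed, hypothetical host names; WinRM remoting is assumed.
$Servers  = @('SRV2025-A', 'SRV2025-B')
$MinBuild = 26100   # build number from the advisory
$MinUbr   = 4061    # revision delivered by KB5058411, from the advisory

$check = {
    param($MinBuild, $MinUbr)
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR   # OsBuildNumber from Get-ComputerInfo omits this part
    # Either key present: an update is staged and waiting for the reboot.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wu  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    # Get-HotFix raises an error when the KB is absent, and a later cumulative
    # update may replace the entry, so KbListed is informational only.
    $kb = [bool](Get-HotFix -Id KB5058411 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        OsBuild       = "$build.$ubr"
        Patched       = ($build -eq $MinBuild -and $ubr -ge $MinUbr)
        RebootPending = ((Test-Path $cbs) -or (Test-Path $wu))
        KbListed      = $kb
    }
}

$report = foreach ($s in $Servers) {
    try {
        Invoke-Command -ComputerName $s -ScriptBlock $check `
            -ArgumentList $MinBuild, $MinUbr -ErrorAction Stop
    } catch {
        # Unreachable hosts stay in the report instead of silently dropping out.
        [pscustomobject]@{ PSComputerName = $s; OsBuild = 'unreachable'
                           Patched = $null; RebootPending = $null; KbListed = $null }
    }
}
$report | Sort-Object Patched |
    Format-Table PSComputerName, OsBuild, Patched, RebootPending, KbListed -AutoSize
```

A host showing Patched = False with RebootPending = True has most likely staged the update and still needs the restart. Hosts on a build other than 26100 are reported as not patched and should be checked against their own advisory.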
PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

CVEs in this update: 7 fixes · Patch-to-CVE mapping

Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference
KB5058411 | CVE-2025-32701 | Elevation of Privilege — Windows Common Log File System Driver | 7.8 | NVD
KB5058411 | CVE-2025-32706 | Elevation of Privilege — Windows Common Log File System Driver | 7.8 | NVD
KB5058411 | CVE-2025-32709 | Elevation of Privilege — Windows Ancillary Function Driver for WinSock | 7.8 | NVD
KB5058411 | CVE-2025-30400 | Elevation of Privilege — Microsoft DWM Core Library | 7.8 | NVD
KB5058411 | CVE-2025-30397 | Remote Code Execution — Microsoft Scripting Engine (memory corruption) | 7.5 | NVD
KB5058411 | CVE-2025-29966 | Remote Code Execution — Windows Remote Desktop (heap buffer overflow) | 8.8 | NVD
KB5058411 | CVE-2025-29967 | Remote Code Execution — Remote Desktop Gateway Service (heap overflow) | 8.8 | NVD