IRONSMITHINTEL
Severity: HIGH | CVSS 8.8 | CVE-2026-32157 | Auth: multiple (see individual CVEs) | Reboot: required | Est. 30–60 minutes including reboot | Manual only

KB5082126: Windows Server 2025 Cumulative Update (May 2026)

The May 2026 Patch Tuesday cumulative update for Windows Server 2025 fixes three security vulnerabilities including a CVSS 8.8 remote code execution in the Remote Desktop Client and a CVSS 7.5 unauthenticated RCE in the Windows TCP/IP stack. Apply within 72 hours.

Published May 12, 2026 · Updated May 10, 2026
Why patch: risk explained in plain English

Worst-case scenario (if unpatched)

An attacker controlling a malicious RDP server can execute code on any Windows Server 2025 host that initiates an outbound RDP session to it (jump boxes, admin workstations, automation hosts). Separately, the unauthenticated TCP/IP RCE puts internet-facing or DMZ-segmented hosts at risk without any user interaction.

How the attack works

KB5082126 bundles all security fixes for Windows Server 2025 since the April 2026 cumulative update. The most severe issue, CVE-2026-32157, allows a malicious RDP server to execute arbitrary code on a connecting client. CVE-2026-33827 is a network-stack RCE in the Windows TCP/IP driver, exploitable without authentication wherever the affected code path is reachable. CVE-2026-32225 is a Windows Shell security feature bypass typically chained with another vulnerability. Cumulative updates must be applied as a complete package.

Am I affected? Quick check

Probably yes if any of these apply:

Windows Server 2025 hosts initiating outbound RDP
Internet-facing or DMZ Windows Server 2025 hosts
All Windows Server 2025 systems
Running Windows Server 2025 prior to KB5082126

Affected OS versions

Windows Server 2025
Fixed in: KB5082126

Real-world incidents: what we've seen

Internal red team exercises following the May 2026 disclosure demonstrated the RDP client RCE as a viable lateral-movement path: a compromised file server hosting a malicious RDP shortcut led to SYSTEM-level execution on the admin workstation that opened it. The TCP/IP CVE has no public PoC at time of release but Microsoft rated exploitation "more likely" within 30 days.

How to patch

Known issues

May cause issues with legacy IPv6 transition technologies (6to4, ISATAP, Teredo). Validate in a staging ring before rolling to hosts that depend on these protocols.

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5082126

Manual remediation steps

Estimated time: 30–60 minutes including reboot

Check if KB5082126 is Installed

Get-HotFix -Id KB5082126
# A "Cannot find the requested hotfix" error = patch not installed

Apply via Windows Update

1. Open Settings → Windows Update
2. Click Check for updates
3. Install all available updates
4. Restart when prompted

Apply Manually

1. Download KB5082126 from https://catalog.update.microsoft.com
2. Run the MSU installer as Administrator
3. Restart the server

Apply via WSUS / SCCM

Approve KB5082126 in your patch management console.

Verify

Get-HotFix -Id KB5082126
# InstalledOn date must appear
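
The same verification run across several servers, as an added example that is not part of the original page and has not been tested by its authors. The function name `Test-KB5082126` and the host names are hypothetical; it assumes remote WMI access to each host.

```powershell
# Added example: fleet-wide check for KB5082126.
# Test-KB5082126 is a hypothetical helper name, not a built-in cmdlet.
function Test-KB5082126 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,
        [string]$KbId = 'KB5082126'
    )
    process {
        foreach ($computer in $ComputerName) {
            $result = [ordered]@{
                ComputerName = $computer
                KB           = $KbId
                Status       = 'Unknown'
                InstalledOn  = $null
                Detail       = $null
            }
            try {
                # List all hotfixes and filter locally. Get-HotFix -Id raises an
                # error for a missing KB, which inside this try block would look
                # the same as a host that could not be reached.
                $fix = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                    Where-Object HotFixID -eq $KbId |
                    Select-Object -First 1
                if ($fix) {
                    $result.Status      = 'Installed'
                    $result.InstalledOn = $fix.InstalledOn
                } else {
                    $result.Status = 'Missing'
                }
            } catch {
                # RPC/WMI failure, access denied, host offline, etc.
                $result.Status = 'Unreachable'
                $result.Detail = $_.Exception.Message
            }
            [pscustomobject]$result
        }
    }
}

# Constructed host list; replace with your own inventory.
$report = 'SRV-JUMP01', 'SRV-DMZ01', 'SRV-FILE01' | Test-KB5082126
$report | Sort-Object Status | Format-Table -AutoSize

# Hosts that still need patching or a manual look
$report | Where-Object Status -ne 'Installed' | Select-Object ComputerName, Status, Detail
```

Treat `Unreachable` as unpatched until proven otherwise, since the check could not confirm the update on those hosts.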

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

Scanner Cross-Reference

Tenable Plugin: 306448
Qualys QID: 379110
Rapid7: msft-cve-2026-32157

CVEs in this update (3 fixes · Patch-to-CVE mapping)

| Patch ID | CVE ID | Vulnerability Name / Type | CVSS | Reference |
| --- | --- | --- | --- | --- |
| KB5082126 | CVE-2026-32157 | Remote Code Execution — Remote Desktop Client | 8.8 | NVD |
| KB5082126 | CVE-2026-33827 | Remote Code Execution — Windows TCP/IP | 7.5 | NVD |
| KB5082126 | CVE-2026-32225 | Security Feature Bypass — Windows Shell | 5.5 | NVD |