KB5046617: Windows Server 2025 Security Update (November 2024)
A crafted Kerberos response can give an attacker code execution on any Windows Server configured as a Kerberos KDC Proxy.
An attacker who can persuade a KDC Proxy server to fetch a Kerberos response from a server they control — by hijacking DNS for the configured DC, MITM-ing the connection, or directly redirecting the proxy — can return a crafted response with oversized length values that triggers the integer overflow and lets them run code in the KPSSVC context. The result is unauthenticated remote code execution on the proxy, with SYSTEM privileges.
The Kerberos KDC Proxy Service (KPSSVC) lets remote clients perform Kerberos authentication over HTTPS, used by features like Always-On VPN, Direct Access, and Remote Desktop Gateway to give external clients access to AD authentication without exposing Kerberos on the internet. A numeric-truncation / integer-overflow flaw in how KPSSVC parses Kerberos responses lets an attacker who can lure the proxy into connecting to a malicious domain controller corrupt memory and execute code. Domain controllers themselves are NOT directly vulnerable.
Probably yes if any of these apply:
Affected OS versions
An organisation hosts a Windows Server in a DMZ as a Kerberos KDC Proxy to support Always-On VPN clients. An attacker compromises the network path between the proxy and the internal DC — for example by ARP-poisoning the proxy's VLAN. The attacker returns a crafted Kerberos response; the proxy parses it, overflows, and the attacker has SYSTEM on a DMZ server that has direct authenticated access into the AD environment.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5046617
Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
Get-HotFix -Id KB5046617 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5046617)
Manual download (offline / air-gapped):
3. Reboot
Restart-Computer -Force
Verification
Get-HotFix -Id KB5046617
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5046617, the install did not take — re-run from a different channel.
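The check and install steps above can be folded into one script that reports, per server, whether the KDC Proxy service is present, whether KB5046617 is installed, and whether a reboot is still pending (the update is not active until the server restarts). The script below is an added example, not the page's own or Microsoft's, and it is not the tested automation the Notes section says is still outstanding. It assumes the KDC Proxy service is registered under the service name KPSSVC, that the Component Based Servicing "RebootPending" registry key is a reliable pending-reboot indicator, and that it is run from an elevated PowerShell session on each server.

```powershell
# Added example (not from the page or from Microsoft): assessment and optional remediation
# for KB5046617 on a Windows Server that may be acting as a Kerberos KDC Proxy.
# Assumptions: KDC Proxy service name is 'KPSSVC'; the CBS 'RebootPending' key signals a
# pending reboot; run elevated. -Remediate uses the page's own 'UsoClient ScanInstallWait'.
param(
    [string]$KbId = 'KB5046617',
    [switch]$Remediate
)

function Get-KpsExposure {
    # Exposure means the KDC Proxy service exists on this host; a DC without it is out of scope.
    $svc = Get-Service -Name 'KPSSVC' -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Present = $false; Status = 'NotInstalled'; StartType = 'n/a' }
    }
    [pscustomobject]@{
        Present   = $true
        Status    = $svc.Status.ToString()
        StartType = $svc.StartType.ToString()
    }
}

function Get-PatchState {
    param([string]$Id)
    # Get-HotFix returns nothing when the cumulative update is absent (same check as step 1).
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    [pscustomobject]@{
        KbId        = $Id
        Installed   = [bool]$hf
        InstalledOn = if ($hf) { $hf.InstalledOn } else { $null }
        OsVersion   = [System.Environment]::OSVersion.Version.ToString()
    }
}

function Test-PendingReboot {
    # Assumption: presence of this CBS key indicates servicing changes waiting on a restart.
    $cbs = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    Test-Path -Path $cbs
}

function Get-Kb5046617Assessment {
    param([string]$Id)
    $exposure = Get-KpsExposure
    $patch    = Get-PatchState -Id $Id
    $pending  = Test-PendingReboot

    # Risk call, most severe first: a running KDC Proxy without the fix is the advisory's scenario.
    $risk = if ($exposure.Present -and $exposure.Status -eq 'Running' -and -not $patch.Installed) {
        'Exposed: KDC Proxy running, update missing'
    } elseif ($exposure.Present -and -not $patch.Installed) {
        'At risk: KDC Proxy installed (not running), update missing'
    } elseif ($patch.Installed -and $pending) {
        'Patched but reboot pending: fix not yet active'
    } elseif ($patch.Installed) {
        'Patched'
    } else {
        'Not exposed: KDC Proxy absent (update still recommended)'
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OsVersion      = $patch.OsVersion
        KpsPresent     = $exposure.Present
        KpsStatus      = $exposure.Status
        KpsStartType   = $exposure.StartType
        KbInstalled    = $patch.Installed
        KbInstalledOn  = $patch.InstalledOn
        RebootPending  = $pending
        Risk           = $risk
    }
}

$result = Get-Kb5046617Assessment -Id $KbId
$result | Format-List

# Optional remediation: only triggers the page's Windows Update channel when the fix is missing.
if ($Remediate -and -not $result.KbInstalled) {
    Write-Host "Requesting Windows Update scan/install for $KbId ..."
    UsoClient ScanInstallWait
    Write-Host 'Re-run this script after the install completes, then reboot (Restart-Computer -Force).'
}
```

Run it once before patching to confirm the server is in the "Exposed" state, then again after the reboot; anything other than "Patched" after the reboot means the install did not take and the update should be re-applied from another channel, as the Verification section says. The `-Remediate` switch deliberately stops short of rebooting so that the restart can be scheduled.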
Rollback
wusa.exe /uninstall /kb:5046617 /quiet /norestart
# Reboot after uninstall
Removing a cumulative update also removes every fix it delivered — prefer rolling forward.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.