KB5063878: Windows Server 2025 Security Update (August 2025)
Opening an Office document or any file with an embedded malicious JPEG can give an attacker complete control of your Windows Server.
An attacker who can deliver a file to a user (by email attachment, web download, instant message, or shared drive) can embed a malicious JPEG inside an Office document or any other container whose images are decoded through windowscodecs.dll. When a user opens the file, code runs in the context of the application. That is typically the user, but on a server where Office runs under a service account it is often an account with sensitive access. From that foothold the attacker installs persistence, harvests credentials, or pivots to higher-value targets.
The Windows Imaging Component, implemented in windowscodecs.dll, is the system-wide library every Windows application uses to decode and re-encode image formats — JPEG, PNG, TIFF, and more. Office, Outlook, Explorer thumbnails, and countless third-party apps depend on it. A flaw in how the library handles JPEGs with a non-standard data-precision value leaves two function pointers uninitialized when the image is re-encoded. An attacker who can get a vulnerable application to process a crafted JPEG can hijack one of those pointers and run their own code.
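A triage aid for the flaw described above, added here as an example and not taken from Microsoft or from this page: it reads the sample-precision byte of each JPEG frame header inside a ZIP-based Office file and lists the values that are not 8. Treating 8 as the only expected value is an assumption (12-bit JPEGs exist legitimately, and the page does not say which values trigger the flaw); the function names and the sample document are constructed for illustration.

```python
import io
import zipfile

SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # SOFn frame headers (DHT, JPG, DAC excluded)
STANDALONE = {0x01} | set(range(0xD0, 0xDA))  # TEM, RST0-7, SOI, EOI: no length field

def jpeg_precisions(data):
    """Return the sample-precision byte of every SOFn frame header in a JPEG."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    found, pos = [], 2
    while pos + 4 < len(data):
        marker = data[pos + 1]
        if data[pos] != 0xFF or marker == 0xFF:
            pos += 1                      # entropy-coded data or fill byte: resync
        elif marker == 0x00 or marker in STANDALONE:
            pos += 2                      # stuffed 0xFF00 or a marker without payload
        else:
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            if marker in SOF_MARKERS:
                found.append(data[pos + 4])   # first payload byte is the precision
            pos += 2 + max(length, 2)     # a valid length is at least 2; always advance
    return found

def scan_container(blob, expected=(8,)):
    """Map each JPEG in a ZIP-based document to its precisions outside `expected`."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if data[:2] == b"\xff\xd8":   # identify by magic bytes, not extension
                odd = [p for p in jpeg_precisions(data) if p not in expected]
                if odd:
                    hits[name] = odd
    return hits

def sample_jpeg(precision):
    """Constructed header-only JPEG (SOI, one SOF0, EOI); not a decodable image."""
    return b"\xff\xd8\xff\xc0\x00\x0b" + bytes([precision]) + b"\x00\x01\x00\x01\x01\x01\x11\x00\xff\xd9"

def sample_docx():
    """Constructed stand-in for a .docx: a ZIP with two images under word/media/."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/media/image1.jpg", sample_jpeg(8))
        zf.writestr("word/media/image2.jpg", sample_jpeg(12))
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_container(sample_docx()))
```

A hit marks a file for closer inspection on a patched analysis host; it does not replace installing KB5063878.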
Probably yes if any of these apply:
Affected OS versions
A finance team receives an invoice attachment from what looks like a known vendor. The Word document carries an embedded crafted JPEG. Word renders the image through windowscodecs.dll, triggers the uninitialized pointer dereference, and the attacker has code running as the finance user — who in this organisation has read access to the shared drive holding payroll. Within an hour the attacker has exfiltrated tax records and is staging ransomware.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5063878
Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5063878 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5063878)
Manual download (offline or air-gapped servers):
3. Reboot
Restart-Computer -Force
Verification
After the reboot:
# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5063878
# Confirm OS build advanced
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5063878, the install did not take — re-run the update from a different channel.
Rollback
# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5063878 /quiet /norestart
# Reboot after uninstall (/norestart above suppresses the automatic restart)
Restart-Computer -Force
Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.