KB5063878: Windows Server 2025 Security Update (August 2025)
An attacker on your network can impersonate a Remote Desktop server, trick users into connecting, and steal their credentials.
An attacker on the same network as a victim — through ARP spoofing, DHCP option injection, or a compromised network device — can intercept an RDP connection request and respond as the spoofed server. The user, seeing what looks like the normal logon prompt, enters their credentials, which the attacker captures. The attacker can then forward the session to the real server or simply walk away with usable administrator credentials.
The Remote Desktop Server is the Windows component that accepts incoming RDP connections — the same service administrators use every day to reach servers. When a client opens an RDP session, the server is supposed to prove its identity before the client sends any credentials. A missing authorisation check lets an attacker who can intercept or redirect RDP traffic present themselves as the legitimate server, with no certificate forgery or man-in-the-middle CA needed.
Probably yes if any of these apply:
Affected OS versions
A red-team operator gains code execution on one workstation inside a corporate LAN. From there they ARP-spoof a single subnet so that traffic to the jump box flows through them. The next administrator who connects via RDP sees what appears to be a normal session; their password lands in the attacker's log. Hours later the attacker uses that password to walk into the production environment as a domain admin.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
↗ Microsoft Update CatalogKB5063878Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5063878 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5063878)
Manual download (offline or air-gapped servers):
3. Reboot
Restart-Computer -Force
Verification
After the reboot:
# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5063878
# Confirm OS build advanced
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5063878, the install did not take — re-run the update from a different channel.
Rollback
# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5063878 /quiet /norestart
# Reboot after uninstall
Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.