KB5087539: Windows Server 2025 Security Update (May 2026)
A single crafted network request can give an attacker code execution on a Windows domain controller — the keys to the entire Active Directory forest.
An attacker who can reach a domain controller over the network — and any machine on the corporate network can reach one — can send a single crafted Netlogon packet and execute code as SYSTEM on the DC. Code execution as SYSTEM on a domain controller means immediate access to the AD database (ntds.dit), every domain password hash, every Kerberos ticket-granting-ticket the controller has issued, and the ability to forge new ones at will. The forest is effectively owned.
Netlogon is the Windows service that handles authentication between domain members and domain controllers — it runs on every domain controller, on every domain-joined Windows machine, and is fundamental to how Active Directory works. A stack-based buffer overflow in how Netlogon parses incoming requests lets an unauthenticated attacker on the network send a crafted packet that overwrites the call stack and redirects execution. On a domain controller, the Netlogon service runs as SYSTEM.
Probably yes if any of these apply:
Affected OS versions
A ransomware affiliate gains initial access through a phishing email on a single workstation. From that workstation they scan the network for domain controllers — trivial, because every domain member knows where its DCs are. They send the Netlogon exploit, land code as SYSTEM on the DC, extract the krbtgt key, and forge Golden Tickets that grant them administrative access to every machine in the domain indefinitely. This is the same pattern as Zerologon (CVE-2020-1472) but with full code execution rather than authentication bypass.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
↗ Microsoft Update CatalogKB5087539Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5087539 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5087539)
Manual download (offline or air-gapped servers):
3. Reboot
Restart-Computer -Force
Verification
After the reboot:
# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5087539
# Confirm OS build advanced
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5087539, the install did not take — re-run the update from a different channel.
Rollback
# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5087539 /quiet /norestart
# Reboot after uninstall
Cumulative updates can be removed but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.