KB5087539: Windows Server 2025 Security Update (May 2026)
An attacker who can answer a DNS query — by running a malicious DNS server or by spoofing one — can execute code on any Windows Server that resolves a name.
An attacker who can answer a DNS query issued by a target server — by registering a malicious domain and getting the server to look it up, by running a DNS server the target resolves through, or by spoofing responses on the network path — can send a crafted DNS reply that triggers the overflow and runs code in the DNS Client. The DNS Client runs as SYSTEM, so the attacker lands with the highest privileges, with no credentials and no user interaction beyond the server initiating an outbound lookup.
The Windows DNS Client is the component every Windows machine uses to look up names — every web request, every domain authentication, every Windows Update check. A heap-based buffer overflow in how the DNS Client parses responses lets a crafted reply corrupt the client's heap and execute code. The vulnerability is in the client side, which means the attacker is whoever answers the lookup: a malicious authoritative DNS server, a man-in-the-middle on the network path, or an attacker who can get the server to resolve a name they control.
Probably yes if any of these apply:
Affected OS versions
An attacker registers a domain and waits. Inside a target environment, a server visits a perfectly normal-looking link in a notification email or a software-update check or a logging endpoint, and the Windows DNS Client looks up the attacker's domain. The crafted reply triggers the heap overflow, code runs as SYSTEM on the server, and the attacker has a foothold on a server that never opened anything to the internet — only resolved a name. This is a particularly nasty class of bug because outbound DNS is allowed almost everywhere.
Manual download
For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.
Microsoft Update Catalog: KB5087539
Manual remediation steps
Prerequisites
Estimated time
20–40 minutes per server (download + install + reboot)
Reboot required
Yes — install the cumulative update and reboot the server before the fix is active.
Steps
1. Confirm the server is missing the patch
# If this returns the KB, you are already patched. If it returns nothing, continue.
Get-HotFix -Id KB5087539 -ErrorAction SilentlyContinue
2. Install the update — pick one channel
Windows Update / WSUS (preferred):
# Trigger an immediate scan and install
UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5087539)
Manual download (offline or air-gapped servers):
3. Reboot
Restart-Computer -Force
Verification
After the reboot:
# The KB must appear with an InstalledOn date
Get-HotFix -Id KB5087539
# Confirm OS build advanced
[System.Environment]::OSVersion.Version
If Get-HotFix returns nothing for KB5087539, the install did not take — re-run the update from a different channel.
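The following script is an added illustration that wraps steps 1 to 3 and the verification checks above into one elevated PowerShell run; it is not a tested script from this page or its maintainers. Everything beyond the page's own commands (Get-HotFix, UsoClient ScanInstallWait, Restart-Computer) is an assumption: the parameter names, the optional -MsuPath channel for a catalog-downloaded .msu installed via wusa.exe, the registry reads used to report the build revision and pending-reboot state, and $MinimumUbr, which is a placeholder because the page does not state the OS build this update delivers.

```powershell
<#
  Added example (not the page's own tested script): check / install / verify
  workflow for KB5087539 on Windows Server 2025. Run from an elevated session.
  Exit codes: 0 = patched, 1 = missing, 2 = inconclusive (KB listed but build
  revision below the expected value, e.g. reboot still pending).
#>
[CmdletBinding()]
param(
    [string]$KbId = 'KB5087539',
    [switch]$Install,      # attempt installation if the KB is missing
    [string]$MsuPath,      # optional: .msu downloaded from the Microsoft Update Catalog
    [switch]$Reboot,       # reboot automatically when servicing reports one pending
    [int]$MinimumUbr = 0   # PLACEHOLDER (assumption): UBR revision the KB advances the build to
)

function Test-KbInstalled {
    param([string]$Id)
    # Get-HotFix lists the KB only once the cumulative update has been applied
    $hf = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    $on = if ($hf) { $hf.InstalledOn } else { $null }
    [pscustomobject]@{ Installed = [bool]$hf; InstalledOn = $on }
}

function Get-OsBuildInfo {
    # CurrentBuildNumber is the base build; UBR is the revision a cumulative update raises
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [pscustomobject]@{ Build = [int]$cv.CurrentBuildNumber; Ubr = [int]$cv.UBR }
}

function Test-RebootPending {
    # Either key exists only while servicing or Windows Update is waiting for a restart
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    )
    foreach ($k in $keys) { if (Test-Path $k) { return $true } }
    return $false
}

function Install-Kb {
    param([string]$Path)
    if ($Path) {
        # Manual channel: offline .msu from the Update Catalog, no automatic restart
        $proc = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru
        # 3010 = installed, restart required; 2359302 = already installed
        return $proc.ExitCode
    }
    # Windows Update / WSUS channel, as in step 2 above
    Start-Process -FilePath 'UsoClient.exe' -ArgumentList 'ScanInstallWait' -Wait
    return 0
}

# ---- main flow: step 1 (check), step 2 (install), step 3 (reboot), then verify ----
$status = Test-KbInstalled -Id $KbId
$os     = Get-OsBuildInfo
Write-Host ("{0}: installed={1} build={2}.{3} rebootPending={4}" -f `
    $KbId, $status.Installed, $os.Build, $os.Ubr, (Test-RebootPending))

if (-not $status.Installed -and $Install) {
    $rc = Install-Kb -Path $MsuPath
    Write-Host "Install step returned exit code $rc"
    $status = Test-KbInstalled -Id $KbId
}

if ($Reboot -and (Test-RebootPending)) {
    # The fix is only active after the reboot that completes servicing
    Restart-Computer -Force
}
elseif ($status.Installed) {
    if ($MinimumUbr -gt 0 -and $os.Ubr -lt $MinimumUbr) {
        Write-Warning "KB listed but UBR $($os.Ubr) is below expected $MinimumUbr; reboot may be pending"
        exit 2
    }
    Write-Host "$KbId installed on $($status.InstalledOn)"
    exit 0
}
else {
    Write-Warning "$KbId is not installed"
    exit 1
}
```

Run it without switches to audit a server, with -Install to remediate through Windows Update/WSUS, with -Install -MsuPath C:\patches\update.msu for an air-gapped host, and add -Reboot only where an unattended restart is acceptable; the exit code lets a scheduler or fleet tool collect patched/missing state per server.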
Rollback
# Remove the update (last resort — only if the update breaks a workload)
wusa.exe /uninstall /kb:5087539 /quiet /norestart
# Reboot after uninstall
Restart-Computer -Force
Cumulative updates can be removed, but the server then loses every fix that update delivered, including this one. Prefer rolling forward to a newer cumulative update.
Notes
No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.