Affected versions: Windows Server 2019

Source: Microsoft KB5025288, MSRC update-guide entry

Related CVEs: CVE-2023-21554 CVE-2023-28219 CVE-2023-28220 CVE-2023-28231 CVE-2023-28232 CVE-2023-28250 CVE-2023-21769 CVE-2023-21729  +12 more

Affected components: Windows Server 2019 (Server Core installation)

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

On Windows Server 2019 hosts (including Server Core installations, which share the same servicing baseline) that are missing KB5025288, the operating system remains exposed to the CVE set above. Symptoms range from a stalled Windows Update / WSUS scan and repeated "pending reboot" states, through audit findings from Defender for Endpoint and vulnerability scanners (Qualys, Tenable, Rapid7), to remote exploitation of the Critical-rated issues. Which CVEs are actually reachable depends on what the host runs: exposure widens whenever it serves Active Directory, Exchange, IIS, SMB file shares, or RDP / Remote Desktop Gateway traffic, and a component that is not installed cannot be attacked through its CVE, although the cumulative update still belongs on the host.

Environment & Reproduction

Reproduction targets Windows Server 2019. Confirm OS build and whether KB5025288 is already installed using PowerShell (run as Administrator):

Get-ComputerInfo | Select-Object WindowsProductName, OsVersion, OsBuildNumber, OsHardwareAbstractionLayer
[System.Environment]::OSVersion
Get-HotFix -Id KB5025288 -ErrorAction SilentlyContinue
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 30
wmic qfe list brief /format:table

There is no safe way to "reproduce" the CVEs themselves on a production host; the reproduction here is the exposure signal (the KB is absent, the scanner flags the CVEs, or the update attempt fails). Capture the surrounding evidence while the Windows Update client runs:

Get-WinEvent -LogName System -MaxEvents 200 | Where-Object {$_.LevelDisplayName -in @("Error","Critical","Warning")}
Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" -MaxEvents 100
Get-WinEvent -LogName Application -MaxEvents 200 | Where-Object {$_.LevelDisplayName -eq "Error"}
# Fallback GUI path (full-desktop installs only; winver opens a dialog box, so on Server Core rely on the Get-ComputerInfo line above):
winver

Open the Microsoft Update Catalog page for the KB to confirm the exact package name and architecture:

Start-Process "https://www.catalog.update.microsoft.com/Search.aspx?q=KB5025288"

Root Cause Analysis

The root cause of the exposure is a missing cumulative update: KB5025288 rolls up the fixes for the CVEs above, and Microsoft documents the individual defects in the MSRC update-guide entries. Because Windows Server 2019 updates are cumulative, any later monthly update contains the same fixes, which matters when you interpret a missing-KB finding. Correlate the deployment state with WSUS / Configuration Manager compliance plus the Windows Update client log:

Get-WindowsUpdateLog              # merges the ETL traces into %USERPROFILE%\Desktop\WindowsUpdate.log
Get-Content "$env:USERPROFILE\Desktop\WindowsUpdate.log" -Tail 200
# Quick status of the Windows Update agent:
Get-Service wuauserv, BITS, UsoSvc, TrustedInstaller | Format-Table -AutoSize
Get-Service wuauserv | Select-Object Status, StartType

Quick Triage

Run these on Windows Server 2019 to capture the current state of KB5025288:

Get-HotFix -Id KB5025288 -ErrorAction SilentlyContinue   # Found = this package installed; NotFound = exposed, or superseded by a later cumulative update (check the OS build)
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10
Get-CimInstance Win32_QuickFixEngineering | Sort-Object InstalledOn -Descending | Select-Object -First 10
Get-Service | Where-Object {$_.Status -ne 'Running' -and $_.StartType -eq 'Automatic'}
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction
Get-MpComputerStatus | Select-Object AMServiceEnabled, AntivirusEnabled, RealTimeProtectionEnabled, NISEnabled, AMEngineVersion, AntivirusSignatureVersion
Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"

Classic cmd.exe alternatives, useful in Server Core / minimal sessions:

wmic qfe where "HotFixID='KB5025288'" get HotFixID,InstalledOn,Description
sc query wuauserv
shutdown /r /t 0   # only if you intend to reboot now
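Get-HotFix answers "is this package listed", not "is the host exposed". The function below is an added example (not code from the original page or from Microsoft) that combines the OS build number from the registry, the hotfix list and the pending-reboot markers into one verdict, so a host already carrying a newer cumulative update is not reported as exposed; it serves both this triage step and the acceptance check later in the guide. The target UBR is an assumption you fill in from the "OS Build 17763.<UBR>" line of the KB5025288 article; nothing here hardcodes a build number, and servers.txt is an assumed host list.

```powershell
# Added example, not code from the original page or from Microsoft.
# Verdict for one host: Patched / InstalledPendingReboot / Exposed / NotApplicable.
# -TargetUbr is an assumption: take it from the "OS Build 17763.<UBR>" line of the KB5025288
# article; a host whose UBR is already at or above it carries this fix or a newer cumulative update.
function Get-PatchState {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$KB,          # e.g. 'KB5025288'
        [Parameter(Mandatory)][int]$TargetUbr,      # UBR published for the KB (not hardcoded here)
        [int]$ExpectedBuild = 17763                 # Windows Server 2019 build; any other build means "wrong OS"
    )
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Package list: this entry disappears once a newer cumulative update supersedes the package
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue

    # Pending-reboot markers that the servicing stack and the update client leave behind
    $cbsPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    $wuPending  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    $renames    = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager' -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $rebootPending = $cbsPending -or $wuPending -or ($null -ne $renames -and $renames.Count -gt 0)

    $state = if ($build -ne $ExpectedBuild)        { 'NotApplicable' }
             elseif ($ubr -ge $TargetUbr)          { 'Patched' }
             elseif ($hotfix -and $rebootPending)  { 'InstalledPendingReboot' }
             else                                  { 'Exposed' }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        KB            = $KB
        OsBuild       = "$build.$ubr"
        HotfixListed  = [bool]$hotfix
        RebootPending = $rebootPending
        State         = $state
    }
}

# Single host (replace the placeholder with the UBR from the KB page):
Get-PatchState -KB 'KB5025288' -TargetUbr <ubr-from-kb-page> | Format-List

# Fleet sweep over WinRM; servers.txt is an assumed one-hostname-per-line list:
Invoke-Command -ComputerName (Get-Content .\servers.txt) -ScriptBlock ${function:Get-PatchState} `
    -ArgumentList 'KB5025288', <ubr-from-kb-page> | Sort-Object State | Format-Table ComputerName, OsBuild, State -AutoSize
```

The build comparison is the part that survives time: six months from now the hotfix list will show a different KB, but the UBR only moves upward, so "UBR at or above the KB's published build" stays a correct test for this CVE set.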

Step-by-Step Diagnosis

  1. List the most recent installed updates and confirm whether KB5025288 is present (absence can also mean a newer cumulative update superseded it; compare the OS build number against the KB page).

    Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 30
    Get-HotFix -Id KB5025288 -ErrorAction SilentlyContinue

  2. Tail the relevant Windows event logs for update-, servicing- and service-related errors. Component-based servicing writes its package events to the Setup log.

    Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" -MaxEvents 50
    Get-WinEvent -LogName System -MaxEvents 100 | Where-Object {$_.LevelDisplayName -eq "Error"}
    Get-WinEvent -LogName Application -MaxEvents 100 | Where-Object {$_.LevelDisplayName -eq "Error"}
    Get-WinEvent -LogName Setup -MaxEvents 50

  3. Inspect Windows Firewall posture and the inbound rules for the services this CVE set touches (SMB, RDP).

    Get-NetFirewallProfile
    Get-NetFirewallRule -Enabled True -Direction Inbound | Select-Object DisplayName, Direction, Action, Profile | Sort-Object DisplayName
    Get-NetFirewallRule -DisplayName "*SMB*"
    Get-NetFirewallRule -DisplayName "*Remote Desktop*"

  4. Confirm Microsoft Defender Antivirus is healthy and engine + signatures are current.

    Get-MpComputerStatus
    Update-MpSignature
    Start-MpScan -ScanType QuickScan
    Get-MpThreatDetection | Select-Object -First 20

  5. Check that the servicing-stack services and the affected components' services are running.

    Get-Service -Name wuauserv, BITS, TrustedInstaller, UsoSvc, WinDefend
    Get-Service -Name LanmanServer, LanmanWorkstation, TermService
    Get-Service | Where-Object {$_.Status -ne 'Running' -and $_.StartType -eq 'Automatic'}

  6. Cross-reference findings with Microsoft KB5025288 and the MSRC update-guide entry to confirm the failure mode tracks the documented vulnerability.

Solution – Primary Fix

Install KB5025288 using the PSWindowsUpdate module (scriptable, works against WSUS and Microsoft Update). Install-Module needs PowerShell Gallery reachability; on a stock Windows Server 2019 host that usually means forcing TLS 1.2 for the session and accepting the NuGet provider prompt, so air-gapped hosts should take the .msu path below instead.

# One-time install of the PowerShell update helper module:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module -Name PSWindowsUpdate -Force -Scope AllUsers
Import-Module PSWindowsUpdate
Get-Command -Module PSWindowsUpdate | Select-Object -First 10

# List pending Microsoft / WSUS-approved updates first:
Get-WindowsUpdate

# Install just this KB; -IgnoreReboot keeps the restart under your control (see the maintenance-window step below):
Get-WindowsUpdate -KBArticleID KB5025288 -AcceptAll -Install -IgnoreReboot

# Or install everything pending; -AutoReboot restarts the host as soon as the install finishes:
Get-WindowsUpdate -AcceptAll -Install -AutoReboot

If you have the standalone .msu from the Microsoft Update Catalog (useful for air-gapped or DMZ hosts), apply it with wusa.exe. Check the package's Authenticode signature before installing anything that was copied across a network boundary, and confirm in the Catalog that the package is the Windows Server 2019 build: wusa refuses a package built for another OS with "The update is not applicable to your computer".

# After downloading windows10.0-kb5025288-x64.msu from the catalog:
Get-AuthenticodeSignature C:\Updates\windows10.0-kb5025288-x64.msu | Select-Object Status, SignerCertificate
wusa.exe C:\Updates\windows10.0-kb5025288-x64.msu /quiet /norestart
shutdown.exe /r /t 600 /c "Security patch - host rebooting in 10 minutes"

WSUS / Configuration Manager server-side workflow (rolls the KB out across the fleet):

# On the WSUS server:
Import-Module UpdateServices
Get-WsusServer | Get-WsusUpdate -Classification Security -Approval Unapproved -Status FailedOrNeeded | Format-Table Title, KnowledgebaseArticles -AutoSize
$u = Get-WsusUpdate -Classification Security | Where-Object { $_.Update.KnowledgebaseArticles -contains '5025288' } | Select-Object -First 1
Approve-WsusUpdate -Update $u -Action Install -TargetGroupName 'Servers'
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -DeclineSupersededUpdates -DeclineExpiredUpdates

# Configuration Manager (SCCM) equivalent on a CAS / primary site server:
Import-Module ConfigurationManager
Get-CMSoftwareUpdate -Fast -ArticleId '5025288' | Select-Object LocalizedDisplayName, IsDeployed
Start-CMSoftwareUpdateDeployment -SoftwareUpdateName '*KB5025288*' -DeploymentName 'Patch-Ring-Servers' -CollectionName 'All Windows Servers' -DeploymentType Required

Hyper-V hosts: live-migrate workload off the host first, patch, reboot, then migrate back. On a failover cluster, drain the node with the cluster tooling rather than ad-hoc Move-VM so the cluster keeps VM ownership consistent; the standalone flow below records which VMs moved so exactly those come back after the reboot:

Get-VM | Select-Object Name, State, ComputerName
# Live migration of running VMs to a peer host on shared storage (add -IncludeStorage for a storage migration as well):
$moved = Get-VM | Where-Object State -eq 'Running'
$moved.Name | Set-Content C:\Updates\moved-vms.txt
$moved | Move-VM -DestinationHost <peer-host>
Get-WindowsUpdate -KBArticleID KB5025288 -AcceptAll -Install -AutoReboot
# After reboot, bring back exactly the VMs that were moved:
Get-VM -ComputerName <peer-host> -Name (Get-Content C:\Updates\moved-vms.txt) | Move-VM -DestinationHost $env:COMPUTERNAME

Reboot when the installer asks. Defer-then-reboot in a maintenance window:

Restart-Computer -Force
# Or schedule a delayed reboot with a notice banner:
shutdown.exe /r /t 1800 /c "KB5025288 applied — reboot in 30 minutes"
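For the .msu path, the following added function (not Microsoft's and not from the original page) wraps wusa.exe so that a package copied onto an air-gapped host is checked for a valid Microsoft Authenticode signature before it runs, and the exit code is translated into a result a deployment log can act on. The staging path under C:\Updates and the signer-subject pattern are assumptions; confirm the pattern against a package downloaded straight from the Microsoft Update Catalog before relying on it.

```powershell
# Added example, not code from the original page or from Microsoft.
# Install a Catalog .msu only after it passes Authenticode validation, then map wusa.exe's
# exit code to a result. Path and signer pattern are assumptions; confirm the subject string
# against a package downloaded straight from the Microsoft Update Catalog.
function Install-SignedMsu {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$ExpectedSubjectPattern = '^CN=Microsoft Windows, O=Microsoft Corporation'   # assumption, see lead-in
    )
    if (-not (Test-Path -LiteralPath $Path)) { throw "Package not found: $Path" }

    # Supply-chain gate: a repacked, truncated or tampered .msu fails here before wusa ever runs.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature status '$($sig.Status)' for $Path; refusing to install"
    }
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch $ExpectedSubjectPattern) {
        throw "Unexpected signer '$subject' on $Path; refusing to install"
    }

    if (-not $PSCmdlet.ShouldProcess($Path, 'wusa.exe /quiet /norestart')) { return }
    $proc = Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
                          -ArgumentList "`"$Path`" /quiet /norestart" -Wait -PassThru

    # ExitCode is a signed Int32; HRESULTs such as 0x80240017 come back negative, so normalise to unsigned.
    $code = $proc.ExitCode -band 0xFFFFFFFF
    $result = switch ($code) {
        0          { 'Installed' }
        3010       { 'InstalledRebootRequired' }            # ERROR_SUCCESS_REBOOT_REQUIRED
        2359302    { 'AlreadyInstalled' }                   # 0x00240006 WU_S_ALREADY_INSTALLED
        2149842967 { 'NotApplicable' }                      # 0x80240017 WU_E_NOT_APPLICABLE (wrong OS/build or missing SSU)
        default    { 'Failed 0x{0:X8}' -f $code }
    }
    [pscustomobject]@{
        Package  = Split-Path -Path $Path -Leaf
        Signer   = $subject
        ExitCode = '0x{0:X8}' -f $code
        Result   = $result
    }
}

# Assumed staging path, matching the wusa step above:
$r = Install-SignedMsu -Path 'C:\Updates\windows10.0-kb5025288-x64.msu'
$r | Format-List
if ($r.Result -eq 'InstalledRebootRequired') {
    shutdown.exe /r /t 600 /c "KB5025288 applied - host rebooting in 10 minutes"
}
```

Run it with -WhatIf first on a pilot host; the signature check still executes under -WhatIf, so a bad package is caught before any change is proposed. A NotApplicable result on a Windows Server 2019 host is worth stopping on: it means either the package is for a different OS or the servicing stack update it depends on is missing.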


Solution – Alternative Approaches

If the primary path is not viable, pick from these:

  • Intune Update Rings / Expedited Quality Updates target Windows 10 and 11 clients; Windows Server is not an Intune-managed OS, so that path does not apply to a Windows Server 2019 host. For Azure or Azure Arc-connected servers, schedule the update through Azure Update Manager; otherwise use the WSUS / Configuration Manager flow above.
  • Use UsoClient to kick the Windows Update client into an immediate scan + install (handy in unattended scripts). UsoClient.exe is undocumented and unsupported by Microsoft, prints nothing, and RestartDevice reboots without warning, so watch the WindowsUpdateClient/Operational log rather than the exit code:

    UsoClient.exe StartScan
    UsoClient.exe StartDownload
    UsoClient.exe StartInstall
    UsoClient.exe RestartDevice
  • Use DISM to add the package straight from a .cab or .msu (Server Core friendly; expand.exe extracts the .cab from a Catalog .msu if a tool insists on .cab):

    DISM /Online /Add-Package /PackagePath:C:\Updates\windows10.0-kb5025288-x64.msu /NoRestart
    DISM /Online /Get-Packages /Format:Table | findstr /I "KB5025288"
  • Where vendor compatibility blocks the cumulative update, reduce exposure while you wait. Keep inbound default-deny and narrow the SMB allow rules to the addresses that need them; enabling those rules would open SMB, the opposite of the intent:

    Set-NetFirewallProfile -All -DefaultInboundAction Block
    Get-NetFirewallRule -DisplayGroup "File and Printer Sharing" -Direction Inbound | Set-NetFirewallRule -RemoteAddress <management-subnet>
    Set-MpPreference -EnableNetworkProtection Enabled
    Set-MpPreference -PUAProtection Enabled
    Set-MpPreference -DisableRealtimeMonitoring $false
  • Take a Hyper-V production checkpoint of a VM-hosted Windows Server before patching for fast rollback. Run this on the Hyper-V host naming the VM, set the VM's checkpoint type to Production first, and avoid reverting domain controllers or cluster nodes this way (use wusa /uninstall for those):

    Set-VM -Name <vm> -CheckpointType Production
    Checkpoint-VM -Name <vm> -SnapshotName 'pre-KB5025288'
    # revert later via:
    Restore-VMCheckpoint -VMName <vm> -Name 'pre-KB5025288' -Confirm:$false
  • Run the System File Checker and DISM image-health repair if the previous attempt left a broken servicing stack. Leave out /ResetBase: it makes every installed update permanent and removes the uninstall path the rollback plan depends on:

    sfc /scannow
    DISM /Online /Cleanup-Image /RestoreHealth
    DISM /Online /Cleanup-Image /StartComponentCleanup
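The "harden while you wait" bullet above is worth turning into something idempotent that can be previewed before it runs. The function below is an added example, not code from the original page or from Microsoft: it applies default-deny inbound with logging, scopes the SMB and RDP allow rules to management ranges instead of enabling them, and reports whether Message Queuing is reachable, because CVE-2023-21554 in this KB's CVE list is the MSMQ remote-code-execution bug and is only exposed when the MSMQ service runs with TCP 1801 listening. The management subnets are assumptions; replace them with your own, and on a file server include the client ranges or you will cut off the shares.

```powershell
# Added example, not code from the original page or from Microsoft.
# Interim exposure reduction for a host that cannot take the cumulative update yet.
# Management subnets are assumptions; on a file server add the client ranges too.
function Set-InterimExposureReduction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string[]]$ManagementSubnet = @('10.10.0.0/24', '10.20.0.0/24'),   # assumed admin/jump ranges
        [switch]$DisableMsmqIfRunning                                       # opt in: stop MSMQ when nothing on the host needs it
    )
    # 1. Default-deny inbound on every profile and log what gets dropped.
    if ($PSCmdlet.ShouldProcess('all firewall profiles', 'default inbound Block + drop logging')) {
        Set-NetFirewallProfile -All -DefaultInboundAction Block -LogBlocked True `
            -LogFileName "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" -LogMaxSizeKilobytes 32767
    }

    # 2. Scope the SMB and RDP allow rules to management ranges instead of Any (never enable them blindly).
    $groups = 'File and Printer Sharing', 'Remote Desktop'
    foreach ($group in $groups) {
        $rules = Get-NetFirewallRule -DisplayGroup $group -Direction Inbound -Enabled True -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            if ($PSCmdlet.ShouldProcess($rule.DisplayName, "RemoteAddress -> $($ManagementSubnet -join ',')")) {
                $rule | Set-NetFirewallRule -RemoteAddress $ManagementSubnet
            }
        }
    }

    # 3. Message Queuing: CVE-2023-21554 (MSMQ RCE) is reachable only if the service runs and 1801/tcp listens.
    $msmq      = Get-Service -Name MSMQ -ErrorAction SilentlyContinue
    $listening = [bool](Get-NetTCPConnection -LocalPort 1801 -State Listen -ErrorAction SilentlyContinue)
    if ($msmq -and $msmq.Status -eq 'Running' -and $DisableMsmqIfRunning -and
        $PSCmdlet.ShouldProcess('MSMQ', 'Stop-Service and set StartType Disabled')) {
        Stop-Service -Name MSMQ -Force
        Set-Service  -Name MSMQ -StartupType Disabled
        $listening = $false
    }

    # 4. Evidence for the change record.
    $scoped = Get-NetFirewallRule -DisplayGroup $groups -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
              Get-NetFirewallAddressFilter | Where-Object { $_.RemoteAddress -ne 'Any' }
    [pscustomobject]@{
        Profiles       = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.DefaultInboundAction)" }) -join ' '
        ScopedRules    = @($scoped).Count
        MsmqInstalled  = [bool]$msmq
        MsmqRunning    = ($null -ne $msmq -and $msmq.Status -eq 'Running')
        Msmq1801Listen = $listening
    }
}

# Preview first, then apply with your own ranges:
Set-InterimExposureReduction -WhatIf
Set-InterimExposureReduction -ManagementSubnet '192.168.50.0/24' | Format-List
```

This is a stopgap, not a fix: the scoped rules reduce who can reach the vulnerable services, while a patched build removes the bug. Record the returned object in the change ticket so the rules can be widened again once the cumulative update lands.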

Verification & Acceptance Criteria

All of these should pass after the fix:

Get-HotFix -Id KB5025288                                    # one row, unless a later cumulative update has since superseded it
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' | Select-Object CurrentBuildNumber, UBR   # must match the OS Build line on the KB5025288 page
Get-ComputerInfo | Select-Object OsBuildNumber, OsHardwareAbstractionLayer
Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"   # must return $false
Get-Service wuauserv, BITS, TrustedInstaller, WinDefend | Format-Table -AutoSize
Get-WinEvent -LogName System -MaxEvents 100 | Where-Object {$_.LevelDisplayName -in @("Error","Critical")} | Select-Object -First 5
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, AMEngineVersion
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction

The build number is the authoritative check: Get-HotFix lists individual packages, and a later cumulative update replaces KB5025288 in that list while still closing the same CVEs. After the reboot, re-run the vulnerability scanner (Defender for Endpoint, Qualys, Tenable) and confirm it no longer flags the CVEs above for this host; a scanner still reporting them against the new build usually means a stale scan, not a failed install.

Rollback Plan

Capture state before any change:

Get-HotFix | Export-Csv C:\rollback\hotfix-pre.csv -NoTypeInformation
Get-Service | Export-Csv C:\rollback\service-pre.csv -NoTypeInformation
# Bare-metal recovery backup (requires the Windows Server Backup feature; E: is a local or USB target):
wbadmin start backup -backupTarget:E: -include:C: -allCritical -quiet
# Hyper-V checkpoint (run on the Hyper-V host naming the VM, not inside the guest):
Checkpoint-VM -Name <vm> -SnapshotName 'pre-KB5025288'

To revert if the patch is bad (the host returns to the exposed state, so pair the rollback with the interim hardening above and a fixed re-patch date):

wusa.exe /uninstall /kb:5025288 /quiet /norestart
# Or via DISM - first locate the exact package name then remove it:
DISM /Online /Get-Packages | findstr /I "KB5025288"
DISM /Online /Remove-Package /PackageName:<full-package-name-from-above> /NoRestart
Restart-Computer -Force
# Or roll the whole VM back to the pre-patch checkpoint (on the Hyper-V host):
Restore-VMCheckpoint -VMName <vm> -Name 'pre-KB5025288' -Confirm:$false

Prevention & Hardening

Reduce the chance of this recurring on Windows Server 2019:

  • Enable automatic Windows Update with sensible deferrals via Group Policy or PowerShell. An unattended -AutoReboot job is acceptable only on hosts whose reboot window you own; elsewhere use -IgnoreReboot and restart from your maintenance tooling. Register-ScheduledJob runs under the registering account, so register it from an account that will still exist and holds local admin:

    # Inspect current Windows Update policy (WSUS target, deferral and restart settings):
    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction SilentlyContinue
    Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    # Or schedule daily PSWindowsUpdate runs:
    Register-ScheduledJob -Name 'PSWindowsUpdate-Daily' -ScriptBlock { Import-Module PSWindowsUpdate; Get-WindowsUpdate -AcceptAll -Install -IgnoreReboot } -Trigger (New-JobTrigger -Daily -At 02:30)
  • Run an internal WSUS or Configuration Manager so updates ship through controlled rings (pilot → broad → critical):

    Install-WindowsFeature -Name UpdateServices -IncludeManagementTools
    Get-WsusServer | Get-WsusClassification | Where-Object {$_.Classification.Title -in 'Critical Updates','Security Updates'} | Set-WsusClassification
    Invoke-WsusServerCleanup -DeclineSupersededUpdates -DeclineExpiredUpdates -CleanupObsoleteComputers
  • Onboard the host to Microsoft Defender for Endpoint and turn on tamper protection and EDR in block mode from the Defender portal (neither is a Set-MpPreference setting); ASR rules, network protection and controlled folder access can be set locally. Controlled folder access blocks writes to protected folders by unrecognised processes, so pilot it on file and application servers first, and note that Set-MpPreference replaces the whole ASR rule list (Add-MpPreference appends):

    Set-MpPreference -EnableControlledFolderAccess Enabled
    Set-MpPreference -EnableNetworkProtection Enabled
    # BE9BA2D9-... is the "Block executable content from email client and webmail" ASR rule
    Set-MpPreference -AttackSurfaceReductionRules_Ids 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550' -AttackSurfaceReductionRules_Actions Enabled
    Get-MpPreference | Select-Object EnableControlledFolderAccess, EnableNetworkProtection, AttackSurfaceReductionRules_Ids
  • Lock down the host firewall - default-deny inbound, allow listed traffic only, log drops:

    Set-NetFirewallProfile -All -DefaultInboundAction Block -DefaultOutboundAction Allow
    Set-NetFirewallProfile -All -LogAllowed True -LogBlocked True -LogFileName "%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log"
    Get-NetFirewallRule -DisplayName "*Remote Desktop*"
  • If domain-joined, keep GPO + AD replication healthy so security baselines actually land (repadmin and dcdiag are present on domain controllers and on hosts with the AD DS RSAT tools):

    gpupdate /force
    gpresult /h C:\temp\gpo-report.html
    repadmin /replsummary
    dcdiag /v /c /e
  • Apply the CIS / Microsoft Security Compliance Toolkit baseline for Windows Server 2019 and re-audit monthly with PolicyAnalyzer.

  • Keep a tested pre-flight: live-migrate Hyper-V workload off the host, snapshot the server, then patch — covered in the rollback plan above.

Related Errors & Cross-Refs

Issues that commonly surface alongside KB5025288: Windows Update stuck at 0%, error 0x8024401C (the client timed out talking to WSUS or Microsoft Update), "Pending Reboot" loops, SMB / RDP authentication failures, Defender real-time protection turning itself off, and TrustedInstaller pegged at 100% CPU during servicing (expected for several minutes while the component store is processed; a problem only if it never settles). Useful triage:

Get-WinEvent -LogName "Microsoft-Windows-WindowsUpdateClient/Operational" -MaxEvents 50
Get-Service wuauserv, BITS, TrustedInstaller, UsoSvc | Format-Table -AutoSize
sfc /scannow
DISM /Online /Cleanup-Image /RestoreHealth
Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending"
Get-MpComputerStatus
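On Server Core there is no Settings page to read an install failure from, so the Windows Update client log is the record. The function below is an added example (not code from the original page or from Microsoft) that pulls the install-success (19) and install-failure (20) events for a given KB and decodes the HRESULTs that show up most often, including the 0x8024401C timeout named above. The sample events at the bottom are constructed so the block runs offline; on a live host the default parameter reads the real log.

```powershell
# Added example, not code from the original page or from Microsoft.
# Correlate Windows Update client events with the KB they concern and decode common HRESULTs.
# The sample events at the bottom are constructed; Get-WinEvent supplies real ones on a live host.
$script:WuErrorText = @{
    '0x8024401C' = 'WU_E_PT_HTTP_STATUS_REQUEST_TIMEOUT: WSUS/MU endpoint timed out; check proxy and WSUS URL'
    '0x8024402C' = 'WU_E_PT_WINHTTP_NAME_NOT_RESOLVED: DNS lookup of the update server failed'
    '0x80244022' = 'WU_E_PT_HTTP_STATUS_SERVICE_UNAVAIL: HTTP 503 from WSUS; check the WSUS IIS app pool'
    '0x80240017' = 'WU_E_NOT_APPLICABLE: package targets another OS/build, or a prerequisite (SSU) is missing'
    '0x80070002' = 'ERROR_FILE_NOT_FOUND: corrupt download cache; clear SoftwareDistribution and rescan'
    '0x800F0922' = 'CBS_E_INSTALLERS_FAILED: post-install step failed; often a full System Reserved partition'
    '0x800F081F' = 'CBS_E_SOURCE_MISSING: component store cannot find a payload; run DISM /RestoreHealth'
    '0x80070020' = 'ERROR_SHARING_VIOLATION: a file is locked, typically by AV or a backup agent'
}

function Get-WuInstallHistory {
    [CmdletBinding()]
    param(
        # Objects with Id, TimeCreated and Message; default = live Windows Update client log
        [object[]]$Events = (Get-WinEvent -FilterHashtable @{
                LogName = 'Microsoft-Windows-WindowsUpdateClient/Operational'; Id = 19, 20
            } -MaxEvents 200 -ErrorAction SilentlyContinue),
        [string]$KB = 'KB5025288'
    )
    foreach ($e in $Events) {
        $kbMatch = [regex]::Match($e.Message, 'KB\d{6,7}')
        if ($kbMatch.Success -and $kbMatch.Value -ne $KB) { continue }   # other KBs are noise here
        $hr = [regex]::Match($e.Message, '0x[0-9A-Fa-f]{8}').Value.ToUpper() -replace '^0X', '0x'
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Outcome = $(if ($e.Id -eq 19) { 'Installed' } else { 'Failed' })
            KB      = $kbMatch.Value
            HResult = $hr
            Meaning = $(if ($hr -and $script:WuErrorText.ContainsKey($hr)) { $script:WuErrorText[$hr] }
                        elseif ($hr) { 'Unknown code; look it up in the Windows Update error reference' }
                        else { $null })
        }
    }
}

# Constructed sample events (message shapes follow real event 19/20 text; timestamps invented):
$sample = @(
    [pscustomobject]@{ Id = 20; TimeCreated = Get-Date '2023-04-12 02:31'
        Message = 'Installation Failure: Windows failed to install the following update with error 0x8024401C: 2023-04 Cumulative Update for Windows Server 2019 (KB5025288).' }
    [pscustomobject]@{ Id = 19; TimeCreated = Get-Date '2023-04-12 03:05'
        Message = 'Installation Successful: Windows successfully installed the following update: 2023-04 Cumulative Update for Windows Server 2019 (KB5025288).' }
)
Get-WuInstallHistory -Events $sample | Format-Table -AutoSize

# Live host:
# Get-WuInstallHistory | Format-Table -AutoSize
```

Read the output newest-last: a 20 followed by a 19 for the same KB is a retry that succeeded and needs no action, whereas repeated 20s with the same HRESULT point at the environment (proxy, WSUS, disk) rather than at the package.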


References & Further Reading

Primary reference: Microsoft KB5025288 (MSRC update-guide entry). Built-in help on Windows Server 2019:

Get-Help Get-HotFix -Full
Get-Help Get-WindowsUpdate -Full      # from PSWindowsUpdate
Get-Help Get-WinEvent -Full
Get-Help Set-NetFirewallRule -Full
Get-Help Get-MpComputerStatus -Full
Get-Help Restart-Computer -Full
Get-Help Approve-WsusUpdate -Full
Get-Help Start-CMSoftwareUpdateDeployment -Full

Other resources: Windows Server docs, MSRC Update Guide, Microsoft Update Catalog, and the Configuration Manager software-updates guide for component-level notes on the CVEs KB5025288 addresses.