KB5055527: Windows Server version 23H2 Security Update (April 2025)

🗓️ 08 Apr 2025 00:00:00Reported by TenableType

Missing security update 5055527 affects Windows 11 and Server 23H2 with multiple vulnerabilities.

Reporter	Title	Published	Views	Family All 994
GithubExploit	Exploit for Use After Free in Microsoft	14 May 202501:45	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	3 Sep 202503:31	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	27 Oct 202509:46	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	30 Jul 202508:04	–	githubexploit
GithubExploit	exploits	25 May 202601:12	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	1 Sep 202510:49	–	githubexploit
ATTACKERKB	CVE-2025-29811	8 Apr 202518:16	–	attackerkb
ATTACKERKB	CVE-2025-29824	8 Apr 202500:00	–	attackerkb
ATTACKERKB	CVE-2025-29812	8 Apr 202518:16	–	attackerkb
ATTACKERKB	CVE-2025-29809	8 Apr 202518:16	–	attackerkb

Source	Link
support	www.support.microsoft.com/help/5055527
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.

#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('compat.inc');

if (description)
{
  script_id(234048);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/06");

  script_cve_id(
    "CVE-2025-21191",
    "CVE-2025-21197",
    "CVE-2025-21203",
    "CVE-2025-21204",
    "CVE-2025-21205",
    "CVE-2025-21221",
    "CVE-2025-21222",
    "CVE-2025-24058",
    "CVE-2025-24060",
    "CVE-2025-24062",
    "CVE-2025-24073",
    "CVE-2025-24074",
    "CVE-2025-26635",
    "CVE-2025-26637",
    "CVE-2025-26639",
    "CVE-2025-26640",
    "CVE-2025-26641",
    "CVE-2025-26647",
    "CVE-2025-26648",
    "CVE-2025-26649",
    "CVE-2025-26651",
    "CVE-2025-26663",
    "CVE-2025-26664",
    "CVE-2025-26665",
    "CVE-2025-26666",
    "CVE-2025-26667",
    "CVE-2025-26668",
    "CVE-2025-26669",
    "CVE-2025-26670",
    "CVE-2025-26671",
    "CVE-2025-26672",
    "CVE-2025-26673",
    "CVE-2025-26674",
    "CVE-2025-26675",
    "CVE-2025-26676",
    "CVE-2025-26678",
    "CVE-2025-26679",
    "CVE-2025-26681",
    "CVE-2025-26686",
    "CVE-2025-26687",
    "CVE-2025-26688",
    "CVE-2025-27467",
    "CVE-2025-27469",
    "CVE-2025-27471",
    "CVE-2025-27473",
    "CVE-2025-27474",
    "CVE-2025-27476",
    "CVE-2025-27477",
    "CVE-2025-27478",
    "CVE-2025-27479",
    "CVE-2025-27480",
    "CVE-2025-27481",
    "CVE-2025-27482",
    "CVE-2025-27484",
    "CVE-2025-27487",
    "CVE-2025-27490",
    "CVE-2025-27491",
    "CVE-2025-27492",
    "CVE-2025-27727",
    "CVE-2025-27730",
    "CVE-2025-27731",
    "CVE-2025-27732",
    "CVE-2025-27735",
    "CVE-2025-27736",
    "CVE-2025-27737",
    "CVE-2025-27738",
    "CVE-2025-27739",
    "CVE-2025-27740",
    "CVE-2025-27742",
    "CVE-2025-29809",
    "CVE-2025-29810",
    "CVE-2025-29811",
    "CVE-2025-29812",
    "CVE-2025-29824"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/04/29");
  script_xref(name:"MSKB", value:"5055527");
  script_xref(name:"MSFT", value:"MS25-5055527");
  script_xref(name:"IAVA", value:"2025-A-0256-S");
  script_xref(name:"IAVA", value:"2025-A-0255-S");

  script_name(english:"KB5055527: Windows Server version 23H2 Security Update (April 2025)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5055527. It is, therefore, affected by multiple vulnerabilities

  - Use after free in Windows Win32K - GRFX allows an unauthorized attacker to elevate privileges over a
    network. (CVE-2025-26687)
  
  - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute 
    unauthorized arbitrary commands. (CVE-2025-27481)
  
  - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2025-27740)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5055527");
  script_set_attribute(attribute:"solution", value:
"Apply Security Update 5055527");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-27481");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-27740");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 59, 121, 122, 125, 126, 190, 200, 284, 345, 362, 367, 400, 410, 415, 416, 591, 667, 693, 749, 787, 822, 908, 922, 1390);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_server_23h2");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2025-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

var bulletin = 'MS25-04';
var kbs = make_list(
  '5055527'
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  smb_check_rollup(os:'10',
                   os_build:25398,
                   rollup_date:'04_2025',
                   bulletin:bulletin,
                   rollup_kb_list:[5055527])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

06 Feb 2026 00:00Current

8.9High risk

Vulners AI Score8.9

CVSS 3.18.8

EPSS0.17982

SSVC