KB5055570: Windows Server 2008 R2 Security Update (April 2025)

🗓️ 08 Apr 2025 00:00:00Reported by TenableType

Remote Windows Server 2008 R2 is missing security update, exposing multiple vulnerabilities.

Reporter	Title	Published	Views	Family All 567
GithubExploit	Exploit for Use After Free in Microsoft	14 May 202501:45	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	27 Oct 202509:46	–	githubexploit
GithubExploit	Exploit for Use After Free in Microsoft	30 Jul 202508:04	–	githubexploit
GithubExploit	exploits	25 May 202601:12	–	githubexploit
ATTACKERKB	CVE-2025-29824	8 Apr 202500:00	–	attackerkb
Information Security Automation	About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-29824) vulnerability	10 May 202514:43	–	avleonov
Information Security Automation	May “In the Trend of VM” (#15): vulnerabilities in Microsoft Windows and the Erlang/OTP framework	21 May 202513:22	–	avleonov
Information Security Automation	About Elevation of Privilege – Windows Common Log File System Driver (CVE-2025-32701, CVE-2025-32706) vulnerabilities	10 Jun 202512:14	–	avleonov
Information Security Automation	April Microsoft Patch Tuesday	10 Apr 202522:59	–	avleonov
Information Security Automation	About Elevation of Privilege – Windows Process Activation (CVE-2025-21204) vulnerability	29 Apr 202521:04	–	avleonov

Source	Link
support	www.support.microsoft.com/help/5055561
support	www.support.microsoft.com/help/5055570
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.

#
# The descriptive text and package checks in this plugin were
# extracted from the Microsoft Security Updates API. The text
# itself is copyright (C) Microsoft Corporation.
##

include('compat.inc');

if (description)
{
  script_id(234037);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/17");

  script_cve_id(
    "CVE-2025-21191",
    "CVE-2025-21197",
    "CVE-2025-21203",
    "CVE-2025-21204",
    "CVE-2025-21205",
    "CVE-2025-21221",
    "CVE-2025-21222",
    "CVE-2025-26641",
    "CVE-2025-26647",
    "CVE-2025-26648",
    "CVE-2025-26663",
    "CVE-2025-26664",
    "CVE-2025-26665",
    "CVE-2025-26667",
    "CVE-2025-26668",
    "CVE-2025-26669",
    "CVE-2025-26670",
    "CVE-2025-26671",
    "CVE-2025-26672",
    "CVE-2025-26673",
    "CVE-2025-26676",
    "CVE-2025-26679",
    "CVE-2025-26686",
    "CVE-2025-26687",
    "CVE-2025-27469",
    "CVE-2025-27471",
    "CVE-2025-27473",
    "CVE-2025-27474",
    "CVE-2025-27477",
    "CVE-2025-27478",
    "CVE-2025-27481",
    "CVE-2025-27484",
    "CVE-2025-27487",
    "CVE-2025-27727",
    "CVE-2025-27732",
    "CVE-2025-27733",
    "CVE-2025-27737",
    "CVE-2025-27740",
    "CVE-2025-27741",
    "CVE-2025-27742",
    "CVE-2025-29810",
    "CVE-2025-29824"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2025/04/29");
  script_xref(name:"MSKB", value:"5055561");
  script_xref(name:"MSKB", value:"5055570");
  script_xref(name:"MSFT", value:"MS25-5055561");
  script_xref(name:"MSFT", value:"MS25-5055570");
  script_xref(name:"IAVA", value:"2025-A-0256-S");
  script_xref(name:"IAVA", value:"2025-A-0255-S");

  script_name(english:"KB5055570: Windows Server 2008 R2 Security Update (April 2025)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is missing security update 5055570. It is, therefore, affected by multiple vulnerabilities

  - Use after free in Windows Win32K - GRFX allows an unauthorized attacker to elevate privileges over a
    network. (CVE-2025-26687)

  - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute 
    unauthorized arbitrary commands. (CVE-2025-27481)
  
  - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges. (CVE-2025-27740)
  
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5055561");
  script_set_attribute(attribute:"see_also", value:"https://support.microsoft.com/help/5055570");
  script_set_attribute(attribute:"solution", value:
"Apply Security Update 5055570 or Cumulative Update 5055561");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-27481");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2025-27740");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(20, 59, 121, 122, 125, 126, 200, 284, 367, 400, 416, 591, 667, 787, 908, 1390);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/04/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/04/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows_server_2008:r2");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include('smb_func.inc');
include('smb_hotfixes.inc');
include('smb_hotfixes_fcheck.inc');
include('smb_reg_query.inc');

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

var bulletin = 'MS25-04';
var kbs = make_list(
  '5055570',
  '5055561'
);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit('SMB/Registry/Enumerated');
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

var share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

var os_name = get_kb_item("SMB/ProductName");

if (("windows server 2008 r2" >< tolower(os_name)) &&
  smb_check_rollup(os:'6.1',
                   sp:1,
                   rollup_date:'04_2025',
                   bulletin:bulletin,
                   rollup_kb_list:[5055570, 5055561])
)
{
  replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
}

17 Sep 2025 00:00Current

9.2High risk

Vulners AI Score9.2

CVSS 3.18.8

EPSS0.29274

SSVC