CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
tenable:274780 · Disclosed 2025-11-11

KB5068864: Windows 10 Version 1607 / Windows Server 2016 Secur

ASSESSED — NOISGATE V0.5
01 · The Real Story

This is a box of sharp tools, not a hand grenade

KB5068864 is the November 11, 2025 cumulative security update for Windows 10 version 1607 and Windows Server 2016, moving affected systems to OS Build 14393.8594. Hosts below that build are missing a bundle of fixes, including a Critical Microsoft Graphics Component RCE (CVE-2025-60724), a High RRAS RCE (CVE-2025-64678), and a long tail of local elevation-of-privilege bugs. In plain English: this is not one flaw, it is a monthly rollup covering several different attack surfaces with very different real-world reachability.

The severity confusion is real: Tenable plugin 274780 itself is rated High, published November 11, 2025 and updated April 3, 2026; the apparent 'Critical' comes from an embedded legacy CVSS v2 10.0 line sourced from CVE-2025-60724, not from the plugin's own severity. For fleet prioritization, the vendor's worst-case score overstates reality, because the most dangerous paths require either a specific exposed role such as RRAS or an application path that actually feeds untrusted content into the vulnerable parser. That keeps this out of true wormable-Internet-fire territory for most enterprises, but still firmly in HIGH, because exposed RRAS hosts and high-value Server 2016 systems are common enough to matter.

"Scary CVEs in the bundle, but real-world exploitation hinges on niche exposure like RRAS or content-parsing paths."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find unpatched 1607 / Server 2016 hosts

An attacker or red team first identifies systems still below 14393.8594 using version fingerprinting, authenticated inventory, or vuln management data. Common operator tooling here is Nessus or nmap plus SMB/WinRM enumeration; defenders usually already have this visibility internally.
Conditions required:
  • Target runs Windows 10 1607 or Windows Server 2016
  • Host is missing KB5068864
  • Attacker can identify OS/build or get asset inventory
Where this breaks in practice:
  • This plugin is version-based, so false prioritization happens if the host is retired, isolated, or not actually running a reachable vulnerable feature
  • Server 2016 is aging, but not every such host is Internet-facing
Detection/coverage: Excellent defender coverage via Nessus/Tenable, SCCM/ConfigMgr, Intune, WSUS, PowerShell inventory, and EDR asset data.
STEP 02

Locate a real attack surface

The useful remote path is not 'any missing host' but a host exposing or invoking a vulnerable component. The cleanest example in this bundle is RRAS: Microsoft documents Routing and Remote Access as a separate server role, and the PPTP control channel listens on TCP 1723 (the tunnel payload itself rides GRE, IP protocol 47, so a port scan finds the service on 1723 and a 1723-only block is enough to stop new PPTP sessions). Alternate paths depend on software actually feeding attacker-controlled content into the Graphics Component.
Conditions required:
  • RRAS role installed and reachable, or a parser-facing application path exists
  • Firewall/load balancer permits inbound traffic to the service
  • Attacker can reach the host over network or influence content flow
Where this breaks in practice:
  • RRAS is a niche role, not a default Windows Server deployment
  • Many enterprises terminate VPN elsewhere, leaving few RRAS boxes exposed
  • GDI+/graphics parsing on servers is real but usually application-mediated, not a raw listening service
Detection/coverage: Good exposure discovery from external ASM, firewall config review, port scans, and server role inventory; weaker for application-specific parser paths.
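Steps 01 and 02 together are a fleet triage problem: find the 14393-based hosts below the fixed UBR, then split out the ones that actually expose RRAS. The script below is an added example, not code from the noisgate page or from Tenable. It assumes PSRemoting is enabled and the caller has local admin on the targets; the host names, the RRAS feature names and the 'RemoteAccess' service name are assumptions for illustration, and unreachable hosts simply drop out of the results.

```powershell
# triage-kb5068864.ps1 (added example; not from the noisgate page or Tenable)
# Pulls build and RRAS-exposure signals from a list of hosts over WinRM and
# buckets each host into a patch lane. Assumptions (not from the page):
# PSRemoting works, the caller is local admin, the host list is constructed.
[CmdletBinding()]
param(
    [string[]]$ComputerName = @('srv16-vpn01', 'srv16-app02', 'w10-ltsb-kiosk'),  # constructed names
    [int]$FixedBuild = 14393,   # Windows 10 1607 / Server 2016
    [int]$FixedUbr   = 8594     # KB5068864 => OS Build 14393.8594
)

# Runs on each target and returns one object per host.
$collect = {
    param($FixedBuild, $FixedUbr)
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    $ubr   = [int]$cv.UBR

    # Only 14393-based hosts are in scope for this update.
    $inScope = ($build -eq $FixedBuild)
    $patched = ($build -gt $FixedBuild) -or ($build -eq $FixedBuild -and $ubr -ge $FixedUbr)

    # RRAS signals: role installed (server only), service running, PPTP control port listening.
    $rrasRole = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $f = Get-WindowsFeature -Name RemoteAccess, Routing, DirectAccess-VPN -ErrorAction SilentlyContinue
        $rrasRole = [bool]($f | Where-Object Installed)
    }
    $svc           = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
    $rrasRunning   = [bool]($svc -and $svc.Status -eq 'Running')
    $pptpListening = [bool](Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ProductName   = [string]$cv.ProductName
        Build         = "$build.$ubr"
        InScope       = $inScope
        Patched       = $patched
        RrasRole      = $rrasRole
        RrasRunning   = $rrasRunning
        PptpListening = $pptpListening
    }
}

$results = Invoke-Command -ComputerName $ComputerName -ScriptBlock $collect `
    -ArgumentList $FixedBuild, $FixedUbr -ErrorAction Continue

# Lane assignment mirrors the page's triage: exposed RRAS first, everything else in the monthly lane.
$triaged = foreach ($r in $results) {
    $lane = if (-not $r.InScope) { 'OUT-OF-SCOPE' }
            elseif ($r.Patched)  { 'PATCHED' }
            elseif ($r.RrasRunning -or $r.PptpListening) { 'FRONT-OF-QUEUE (RRAS exposed)' }
            elseif ($r.RrasRole) { 'PRIORITY (RRAS role installed, not listening)' }
            else                 { 'REGULAR-LANE' }
    $r | Add-Member -NotePropertyName Lane -NotePropertyValue $lane -PassThru
}

$triaged | Sort-Object Lane, ComputerName |
    Format-Table ComputerName, Build, Lane, RrasRole, RrasRunning, PptpListening -AutoSize
```

A host that is in scope but answers nothing (WinRM blocked, offline, decommissioned) is exactly the kind of machine the page warns about at Step 01: cross-check the missing names against your asset inventory rather than assuming they are patched. A listening 1723 on a host that is not supposed to be a VPN endpoint is worth a ticket regardless of patch state.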
STEP 03

Trigger the memory corruption bug

At this point the attacker needs working exploit material, typically a custom exploit rather than a commodity framework module. For the representative RRAS bug (CVE-2025-64678), NVD shows UI:R despite network reachability, which is a meaningful clue that exploitation is not straightforward plug-and-fire. For the Graphics Component bug (CVE-2025-60724), Microsoft scored it 9.8, but practical reach still depends on the vulnerable parsing path being exposed to attacker-controlled input.
Conditions required:
  • A valid exploitation primitive exists for the chosen component
  • Traffic or content reaches the vulnerable code path
  • Mitigations like filtering, content detonation, or role isolation do not stop delivery
Where this breaks in practice:
  • I found no mainstream public exploit chain or KEV evidence for these representative CVEs
  • The highest-severity CVE in the bundle is not equivalent to an unauthenticated service bound to every host
  • Custom exploit development cost is much higher than for commodity edge CVEs
Detection/coverage: Mixed. Network IDS may spot malformed protocol traffic for RRAS if signatures emerge; parser-driven GDI+ exploitation is much harder to catch pre-execution.
STEP 04

Land code execution and expand control

If code execution lands, the attacker is already on a Windows host and can chain the many included EoP fixes to raise privileges or stabilize execution. Common follow-on tooling would be Cobalt Strike, Sliver, Impacket, or living-off-the-land PowerShell and service creation. At that stage the host becomes a pivot point into AD, data stores, or management infrastructure.
Conditions required:
  • Initial code execution succeeds
  • EDR does not kill the payload or lateral movement
  • Compromised host has useful credentials, trust, or network adjacency
Where this breaks in practice:
  • Modern EDR is very good at catching the post-exploitation phase even when the initial memory bug succeeds
  • Blast radius varies sharply by host role; a kiosk and a domain-adjacent server are not the same risk
Detection/coverage: Strong downstream detection from EDR, Sysmon, PowerShell logging, service creation events, LSASS access detections, and east-west network analytics.
03 · Intelligence Metadata

The supporting signals.

What this plugin really is: A cumulative Windows security update check, not a single CVE. Tenable says the host is missing KB5068864, which rolls up multiple RCE and EoP fixes.
Tenable severity vs. 'Critical' confusion: Plugin 274780 is High, not Critical. The apparent Critical label comes from the plugin's embedded CVSS v2 10.0 line sourced from CVE-2025-60724; the plugin page also shows CVSS v3 8.8 High sourced from CVE-2025-64678.
In-the-wild status: I found no vendor or CISA evidence of active exploitation for the representative RCEs in this bundle, and they are not present in the current CISA KEV catalog.
Public PoC availability: For the highest-scored representative bug, GitHub Advisory for CVE-2025-60724 shows 'No known source code'. I did not find a mainstream public exploit path for CVE-2025-64678 either.
EPSS: GitHub Advisory reports EPSS 0.166% (37th percentile) for CVE-2025-60724, which is low and matches the absence of exploitation noise.
Representative CVSS: CVE-2025-60724 = 9.8 / CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; CVE-2025-64678 = 8.8 / CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The first is terrifying on paper; the second already bakes in user interaction.
Affected versions: Windows 10 version 1607 and Windows Server 2016 before OS Build 14393.8594 are affected by this update gap.
Fixed version: Install KB5068864 and, per Microsoft guidance, ensure the latest SSU KB5070247 is approved/installed first or alongside it.
Exposure reality: The most obvious network-facing path in this bundle is RRAS, which Microsoft documents as a separate Remote Access role; Microsoft also documents TCP 1723 for RRAS/PPTP. That sharply limits the exposed population versus a browser, mail gateway, or VPN appliance bug.
Disclosure timeline: Microsoft released KB5068864 on 2025-11-11. Tenable published plugin 274780 the same day and last updated it on 2026-04-03.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (7.6/10)

The decisive factor is reachability friction: the bundle's scariest bugs do not map to 'every missing Server 2016 box is remotely ownable from the Internet.' The practical remote path narrows quickly to RRAS-enabled or parser-exposed hosts, which keeps this below CRITICAL even though the bundle contains a 9.8-rated CVE.

HIGH: Plugin metadata and fixed build identification
MEDIUM: Real-world exploitability of the bundled RCEs on typical enterprise Server 2016 deployments
MEDIUM: Absence of public exploitation evidence

Why this verdict

  • Downward pressure: plugin-level reachability is overstated — this is a cumulative update check, not one universally reachable service bug across every host.
  • Downward pressure: RRAS is a separate role — the cleanest remote path requires Remote Access / RRAS exposure, which implies a much smaller exposed population than the full set of missing hosts.
  • Downward pressure: no KEV / no strong exploitation evidence — I found no CISA KEV listing or vendor-confirmed active exploitation for the representative RCEs.
  • Upward pressure: there is still real remote-code-exec content here. CVE-2025-60724 is scored 9.8 by Microsoft and the bundle also includes CVE-2025-64678, so exposed edge cases deserve front-of-queue handling.
  • Upward pressure: post-compromise value is high — even where remote reach is narrow, the included EoP set makes these excellent attacker follow-on bugs once any foothold exists.

Why not higher?

I am not calling this CRITICAL because the attack chain is not broadly Internet-wormable across the full vulnerable population. The strongest remote path depends on specific role exposure or content-processing conditions, and I found no active exploitation signal that would justify an emergency-everything response.

Why not lower?

I am not dropping this to MEDIUM because the bundle contains bona fide RCE material, including a Microsoft-scored 9.8 bug and an RRAS RCE relevant to real enterprise server roles. If you have even a small number of externally reachable RRAS or content-ingesting Server 2016 systems, the downside is too large for backlog treatment.

05 · Compensating Control

What to do — in priority order.

  1. Restrict RRAS exposure — Block or tightly allowlist TCP 1723 and related VPN exposure paths on Server 2016 systems that do not absolutely need them. For a HIGH verdict, deploy this compensating control within 30 days; do it first on Internet-facing and partner-facing systems.
  2. Disable unused Remote Access roles — Remove or disable RRAS / Remote Access where the service is not actively required. This shrinks the only clearly documented network-facing attack surface in the bundle and should be completed within 30 days on nonessential systems.
  3. Prioritize parser-facing servers — Move servers that ingest untrusted files, images, Office content, or application uploads to the top of the queue because the Graphics Component RCE is only dangerous where untrusted content actually reaches the parser. Apply access restrictions or workflow isolation within 30 days while patching proceeds.
  4. Lean on EDR preventions — Ensure exploit protection, memory protection, PowerShell logging, and service-creation detections are enforced on these hosts. This does not remove the bug, but it materially raises attacker failure rates in the post-execution stage and should be verified within 30 days.
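Controls 1 and 2 above translate into firewall scoping and role removal on the host. The script below is an added example, not code from the noisgate page or from Microsoft. It assumes it runs elevated on the Server 2016 host, that the built-in Windows Firewall rule group for RRAS is named 'Routing and Remote Access', that the RRAS service is 'RemoteAccess' and the sub-features are 'Routing' and 'DirectAccess-VPN', and that the peer addresses are a constructed allowlist (RFC 5737 documentation ranges). Because Windows Firewall evaluates block rules ahead of allow rules, the approach is to disable the broad built-in allow rules and add narrowly scoped ones, relying on the default inbound Block action rather than stacking a block rule on top of an allow rule.

```powershell
# harden-rras.ps1 (added example; not the page's own code)
# Restricts PPTP/RRAS ingress on a Server 2016 host while KB5068864 rolls out.
# Assumptions (not from the page): elevated session; rule group name, service
# name and feature names as below; $AllowedPeers is a constructed allowlist.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$AllowedPeers = @('203.0.113.10', '198.51.100.0/24'),  # constructed; empty list = block everything
    [switch]$DisableRole
)

# 1. Disable the broad built-in RRAS inbound rules, which allow from any source.
$builtin = Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access' -Direction Inbound -ErrorAction SilentlyContinue
if ($builtin -and $PSCmdlet.ShouldProcess("$(@($builtin).Count) built-in RRAS inbound rule(s)", 'Disable')) {
    $builtin | Disable-NetFirewallRule
}

# 2. Re-add the two PPTP paths scoped to the allowlist: control channel (TCP 1723) and tunnel (GRE, IP proto 47).
#    With an empty allowlist nothing is re-added, which is the 'block' variant of control 1.
$specs = @(
    @{ Name = 'noisgate-RRAS-PPTP-1723-Allowlist'; Protocol = 'TCP'; Port = 1723 },
    @{ Name = 'noisgate-RRAS-GRE-Allowlist';       Protocol = '47';  Port = $null }
)
foreach ($spec in $specs) {
    if (Get-NetFirewallRule -Name $spec.Name -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -Name $spec.Name
    }
    if (-not $AllowedPeers) { continue }
    $params = @{
        Name          = $spec.Name
        DisplayName   = $spec.Name
        Direction     = 'Inbound'
        Action        = 'Allow'
        Protocol      = $spec.Protocol
        RemoteAddress = $AllowedPeers
        Profile       = 'Any'
    }
    if ($spec.Port) { $params.LocalPort = $spec.Port }
    if ($PSCmdlet.ShouldProcess($spec.Name, "Create allow rule scoped to $($AllowedPeers -join ', ')")) {
        New-NetFirewallRule @params | Out-Null
    }
}

# 3. The allowlist only means something if unmatched inbound traffic is dropped.
$open = Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -eq 'Allow' }
if ($open) {
    Write-Warning ("Default inbound action is Allow on profile(s): " + ($open.Name -join ', ') + "; the allowlist is not enforced there.")
}

# 4. Control 2: remove the role where it is confirmed unnecessary.
if ($DisableRole -and $PSCmdlet.ShouldProcess('RemoteAccess service and role', 'Stop, disable and uninstall')) {
    Stop-Service -Name RemoteAccess -Force -ErrorAction SilentlyContinue
    Set-Service  -Name RemoteAccess -StartupType Disabled -ErrorAction SilentlyContinue
    if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
        Uninstall-WindowsFeature -Name Routing, DirectAccess-VPN -ErrorAction SilentlyContinue | Out-Null
    }
}

# 5. Show what is now in force so the change can be recorded in the ticket.
Get-NetFirewallRule -Name 'noisgate-RRAS-*' -ErrorAction SilentlyContinue |
    Select-Object Name, Enabled, Action, Direction, Profile
Get-NetTCPConnection -LocalPort 1723 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, State
```

Run it with -WhatIf first; every state change goes through ShouldProcess. Note the last step: a host-firewall rule changes who can reach 1723, not whether RRAS is still listening, so a still-listening socket after the firewall change is expected unless -DisableRole was used. It also does nothing for the Graphics Component path (control 3), which is an application-workflow question rather than a port.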
What doesn't work
  • Approving only KB5068864 in WSUS without the prerequisite SSU KB5070247 is not a control; Microsoft explicitly says the cumulative update may not install correctly without the latest SSU.
  • Assuming 'Windows Firewall is on' helps is sloppy; if RRAS or the application path is intentionally published, the firewall is already allowing the dangerous traffic.
  • Relying on generic perimeter AV does not stop memory corruption in a legitimately exposed Windows service or parser path.
06 · Verification

Crowdsourced verification payload.

Run this on the target Windows host or via your remote management tool. Invoke it with powershell.exe -ExecutionPolicy Bypass -File .\check-kb5068864.ps1; local admin is helpful for consistent hotfix enumeration, but standard read access is usually enough because the script falls back to the registry build check, which is also what catches hosts where a later cumulative update has superseded KB5068864.

check-kb5068864.ps1
PowerShell · read-only · safe
# check-kb5068864.ps1
# Verifies whether a Windows 10 1607 / Windows Server 2016 host is patched for KB5068864
# Output: VULNERABLE / PATCHED / UNKNOWN
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$Status,
        [string]$Message,
        [int]$Code
    )
    Write-Output "$Status - $Message"
    exit $Code
}

try {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $productName = [string]$cv.ProductName
    $releaseId = [string]$cv.ReleaseId          # '1607' on this branch
    $displayVersion = [string]$cv.DisplayVersion # absent on 1607; empty string here
    $currentBuild = [int]$cv.CurrentBuildNumber  # 14393 for 1607 / Server 2016
    $ubr = [int]$cv.UBR                          # Update Build Revision, the part after the dot
    $buildString = "$currentBuild.$ubr"

    # Scope: Server 2016 or Windows 10 1607 (including Enterprise 2016 LTSB). Anything else is out of scope.
    $isServer2016 = $productName -match 'Windows Server 2016'
    $isWin10_1607 = ($productName -match 'Windows 10') -and (($releaseId -eq '1607') -or ($displayVersion -eq '1607') -or ($currentBuild -eq 14393))

    if (-not ($isServer2016 -or $isWin10_1607)) {
        Write-Result 'UNKNOWN' "Host is '$productName' build $buildString, not Windows 10 1607 / Windows Server 2016." 2
    }

    # Preferred check: the hotfix is listed as installed.
    # Get-HotFix -Id raises a non-terminating error when the KB is absent; -ErrorAction Stop turns that into the catch.
    $kbInstalled = $false
    try {
        $hotfix = Get-HotFix -Id 'KB5068864' -ErrorAction Stop
        if ($hotfix) { $kbInstalled = $true }
    } catch {
        $kbInstalled = $false
    }

    # Fallback check: cumulative build number. Cumulative updates are cumulative, so a host that took a
    # later LCU will not list KB5068864 by name but will sit at or above 14393.8594.
    $buildPatched = $false
    if ($currentBuild -gt 14393) {
        $buildPatched = $true
    } elseif ($currentBuild -eq 14393 -and $ubr -ge 8594) {
        $buildPatched = $true
    }

    if ($kbInstalled -or $buildPatched) {
        $why = if ($kbInstalled) { 'KB5068864 is installed.' } else { 'OS build is at or above 14393.8594.' }
        Write-Result 'PATCHED' "$productName build $buildString. $why" 0
    } else {
        Write-Result 'VULNERABLE' "$productName build $buildString is below 14393.8594 and KB5068864 was not found." 1
    }
}
catch {
    Write-Result 'UNKNOWN' ("Verification failed: " + $_.Exception.Message) 2
}
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not chase this as a blanket 'Critical Windows zero-day' event. Query for Windows 10 1607 / Server 2016 hosts below 14393.8594, then immediately separate the RRAS-enabled, Internet-facing, and untrusted-content-processing systems from the rest. For those exposed subsets, restrict RRAS and related ingress first and complete that containment within 30 days under the noisgate mitigation SLA; then complete rollout of KB5068864 plus SSU KB5070247 across the affected fleet within 180 days under the noisgate remediation SLA. Generic non-exposed hosts can stay in the regular monthly Windows patch lane, but exposed RRAS boxes belong at the front of it.

Sources

  1. Tenable Plugin 274780
  2. Microsoft Support - KB5068864
  3. NVD - CVE-2025-60724
  4. NVD - CVE-2025-64678
  5. Microsoft Learn - Remote Access role
  6. Microsoft Learn - Network port requirements
  7. CISA Known Exploited Vulnerabilities Catalog
  8. GitHub Advisory - CVE-2025-60724