KB5075970: Windows Server 2012 R2 Security Update

KB5075970 is the February 10, 2026 monthly rollup for Windows Server 2012 R2 ESU. Tenable plugin 298555 flags hosts missing that rollup and ties it to multiple CVEs, most importantly CVE-2026-21513 in MSHTML plus several local privilege escalation bugs such as CVE-2026-21246, CVE-2026-21235, CVE-2026-21508, and CVE-2026-21533. In plain English: an attacker can use a crafted file or web/navigation path to get code running, then use local EoP bugs to turn foothold into SYSTEM on an unpatched 2012 R2 host.

The vendor labeling is easy to misread here. Tenable's plugin severity is high, not critical, while Tenable VPR escalates it because the rollup contains a KEV-listed, actively exploited zero-day (CVE-2026-21513). That said, for a 10,000-host enterprise this still does not behave like an indiscriminate unauthenticated network worm on every server: the dominant path needs user interaction and/or a post-compromise local stage, which sharply narrows real-world reach even though the consequences on the hosts that *are* used by admins are ugly.

Why this verdict

• Upward pressure: KEV + live exploitation. CVE-2026-21513 is not theoretical; CISA KEV and Akamai's analysis say attackers are already using it.
• Downward pressure: attacker position still matters. The main path needs a person or prior foothold to trigger MSHTML content, which means this is not a broadcast-grade service exploit against every server.
• Downward pressure: narrow exposed population. In real enterprises, only a fraction of 2012 R2 servers are interactive enough for this to matter immediately: admin jump servers, RDS hosts, and a depressing number of legacy dual-use boxes.
• Upward pressure: privilege-escalation bundle. Once code lands locally, the same rollup closes multiple local EoP paths that can convert a small foothold into full host takeover.
• Upward pressure: legacy OS economics. 2012 R2 estates are often the least instrumented and least cleanly segmented servers in the environment, so when this hits the wrong box, containment is usually worse than on modern builds.

Why not higher?

Because the practical chain is not unauthenticated remote-to-SYSTEM on a listening server process. It generally requires user interaction, content handling, or an already-established local foothold, which means a lot of ordinary back-end 2012 R2 servers are simply not reachable through the dominant attack path. If this were a wormable RDP/SMB class bug with the same exploitation evidence, it would be CRITICAL.

Why not lower?

Because the threat side is already settled: KEV-listed and exploited means defenders are racing reality, not a lab exercise. Also, the patch is cumulative: if an attacker does get execution on a legacy 2012 R2 box, the bundled local EoPs make post-exploitation easier and more damaging than a single isolated user-context flaw.

1. Block risky content on server tiers — Immediately, within hours, stop interactive browsing, email access, and untrusted file opening on Windows Server 2012 R2 admin/jump/RDS tiers because the dominant exploit path depends on user-executed content. This is your fastest risk cut while patching catches up.
2. Clamp application execution — Deploy or tighten AppLocker/WDAC/application control on 2012 R2 so .lnk, HTML-launched binaries, script hosts, and user-writable path execution are constrained. Because this is a HIGH verdict with KEV evidence, implement the control change immediately, within hours, not inside a normal 30-day window.
3. Hunt for MSHTML-to-process-launch chains — Create detections for suspicious ieframe.dll or MSHTML content leading to ShellExecuteExW, LOLBins, script interpreters, or payloads spawned from downloads/temp/network shares. Do this immediately, within hours because it catches both failed and successful exploitation attempts while the estate is still being remediated.
4. Fence legacy 2012 R2 hosts — Restrict east-west access and admin pathways to 2012 R2 systems, especially RDS and jump hosts, so a user-context foothold has fewer places to pivot. For this verdict and KEV status, put the segmentation change in place immediately, within hours where operationally possible.

Run this on the target Windows Server 2012 R2 host or through your RMM/EDR live response. Invoke with powershell.exe -ExecutionPolicy Bypass -File .\check-kb5075970.ps1; standard local read access is usually enough, but Administrator is recommended so package enumeration works reliably.

# check-kb5075970.ps1

# Purpose: Verify whether Windows Server 2012 R2 has KB5075970 installed.

# Output: VULNERABLE / PATCHED / UNKNOWN

# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=ERROR


$ErrorActionPreference = 'Stop'

function Write-Result {
    param(
        [string]$State,
        [string]$Message,
        [int]$Code
    )
    Write-Output "$State - $Message"
    exit $Code
}

try {
    $os = Get-CimInstance Win32_OperatingSystem
    $caption = $os.Caption
    $version = $os.Version

    if ($caption -notmatch 'Windows Server 2012 R2') {
        Write-Result -State 'UNKNOWN' -Message "This script is intended for Windows Server 2012 R2. Detected: $caption ($version)" -Code 2
    }

    $kbInstalled = $false
    $installMethod = @()

    # Method 1: Get-HotFix

    try {
        $hf = Get-HotFix -Id KB5075970 -ErrorAction Stop
        if ($hf) {
            $kbInstalled = $true
            $installMethod += 'Get-HotFix'
        }
    } catch {
        # ignore and continue

    }

    # Method 2: Component Based Servicing package registry

    if (-not $kbInstalled) {
        try {
            $cbsPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages'
            $pkg = Get-ChildItem $cbsPath -ErrorAction Stop | Where-Object { $_.PSChildName -match 'KB5075970' }
            if ($pkg) {
                $kbInstalled = $true
                $installMethod += 'CBS Registry'
            }
        } catch {
            # ignore and continue

        }
    }

    # Method 3: DISM package listing fallback

    if (-not $kbInstalled) {
        try {
            $dism = & dism.exe /online /Get-Packages 2>$null | Select-String -Pattern 'KB5075970'
            if ($dism) {
                $kbInstalled = $true
                $installMethod += 'DISM'
            }
        } catch {
            # ignore and continue

        }
    }

    # Optional: note servicing stack prerequisite visibility

    $ssuInstalled = $false
    try {
        $ssu = Get-HotFix -Id KB5068783 -ErrorAction Stop
        if ($ssu) { $ssuInstalled = $true }
    } catch {
        try {
            $ssuPkg = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages' -ErrorAction Stop | Where-Object { $_.PSChildName -match 'KB5068783' }
            if ($ssuPkg) { $ssuInstalled = $true }
        } catch {
            # ignore

        }
    }

    if ($kbInstalled) {
        $msg = 'KB5075970 is installed'
        if ($installMethod.Count -gt 0) {
            $msg += " (detected via: $($installMethod -join ', '))"
        }
        if ($ssuInstalled) {
            $msg += '; prerequisite SSU KB5068783 also present'
        }
        Write-Result -State 'PATCHED' -Message $msg -Code 0
    } else {
        $msg = 'KB5075970 not detected on Windows Server 2012 R2'
        if (-not $ssuInstalled) {
            $msg += '; SSU KB5068783 also not detected and may be required before install'
        }
        Write-Result -State 'VULNERABLE' -Message $msg -Code 1
    }
}
catch {
    Write-Result -State 'UNKNOWN' -Message $_.Exception.Message -Code 3
}

Sources

1. Tenable Nessus Plugin 298555
2. Microsoft Support KB5075970
3. Microsoft Update Catalog KB5075970
4. NVD CVE-2026-21513
5. CISA KEV entry for CVE-2026-21513
6. Akamai analysis of CVE-2026-21513 exploitation
7. FIRST EPSS API documentation