Executive Summary
Microsoft has recently addressed critical issues affecting Windows Server 2016 security update deployments, specifically failures related to the April 2026 cumulative update and a high-severity Remote Code Execution (RCE) vulnerability, CVE-2024-49116, in Windows Remote Desktop Services. The update failures led to repeated domain controller restarts and service instability, while the RCE vulnerability exposed systems to potential unauthenticated remote exploitation. This advisory provides a comprehensive technical breakdown of the root causes, exploitation vectors, affected product versions, and actionable mitigation strategies. While there is currently no evidence of exploitation in the wild or APT group targeting, the risk profile for unpatched systems remains high. Rescana recommends immediate action to ensure operational continuity and security posture.
Technical Information
The April 2026 cumulative security update for Windows Server 2016 (KB5082063) introduced a critical deployment issue. Administrators reported that the update failed to install on a subset of systems, particularly those functioning as domain controllers. The most severe manifestation was a persistent restart loop, rendering affected domain controllers unstable and potentially impacting Active Directory availability across enterprise environments.
Microsoft responded with an out-of-band (OOB) update, KB5091572 (OS Build 14393.9062), released on April 19, 2026. This update specifically remediates the installation failures and resolves the domain controller instability. The root cause, as detailed in Microsoft's release health documentation, was a regression in the update servicing stack that interfered with the update application process, particularly in environments with complex Active Directory topologies.
Concurrently, a critical RCE vulnerability, CVE-2024-49116, was disclosed and patched in December 2024. This vulnerability affects the Remote Desktop Gateway (RD Gateway) component of Windows Remote Desktop Services. The flaw is characterized by a use-after-free (CWE-416) and race condition (CWE-362) in the RD Gateway service, which can be triggered by unauthenticated, specially crafted network requests over TCP port 443 or UDP port 3391. Successful exploitation allows arbitrary code execution in the context of the RD Gateway service, potentially enabling lateral movement, privilege escalation, and full domain compromise.
The vulnerability is rated CVSS 8.1 (High) due to its network attack vector, lack of authentication requirements, and the criticality of the affected service in enterprise remote access scenarios. The exploit complexity is considered high, as successful exploitation requires precise timing to trigger the race condition and memory corruption.
Indicators of compromise (IOCs) for both issues include repeated domain controller restarts, failed update logs referencing KB5082063, unexpected crashes or restarts of the TSGateway.exe process, anomalous network traffic targeting RD Gateway ports, and unusual memory access patterns or crash dumps in Windows Event logs.
Detection and monitoring should focus on Windows Event Logs for update and service failures, network intrusion detection for anomalous RDP/RDS traffic, and endpoint detection and response (EDR) solutions capable of identifying memory corruption exploitation attempts. Enabling Windows Defender Exploit Guard with Attack Surface Reduction (ASR) rules for RDS is also recommended.
Exploitation in the Wild
As of June 2024, there are no confirmed reports of active exploitation of CVE-2024-49116 or the Windows Server 2016 update failures in the wild. No public proof-of-concept (POC) exploit code has been released, and no major security vendors or threat intelligence sources have observed exploitation attempts targeting these vulnerabilities. However, the critical nature and remote exploitability of CVE-2024-49116 mean that exposed systems, especially those with internet-facing RD Gateway services, are at significant risk if left unpatched.
APT Groups using this vulnerability
There is currently no evidence that any Advanced Persistent Threat (APT) groups have exploited CVE-2024-49116 or the Windows Server 2016 update failures. No attribution has been made by MITRE, the National Vulnerability Database (NVD), or leading cybersecurity vendors. The vulnerability aligns with the MITRE ATT&CK technique T1210: Exploitation of Remote Services, but no specific threat actor activity has been linked to these issues as of this advisory.
Affected Product Versions
The April 2026 update failure and the OOB fix KB5091572 primarily affect the following products:
Windows Server 2016 for x64-based Systems
Windows 10 Version 1607 for x86-based Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 LTSB for x86-based Systems
Windows 10 LTSB for x64-based Systems
The CVE-2024-49116 RCE vulnerability affects:
Windows Server 2016
Windows Server 2019
Windows Server 2022
Windows Server 2022 23H2
Windows Server 2025
Administrators should consult the Microsoft Update Catalog and Security Update Guide for the full matrix of affected builds and patch availability.
Workaround and Mitigation
For the update failure and domain controller restart issue, the immediate mitigation is to apply the OOB update KB5091572 to all affected Windows Server 2016 systems. This update is available via the Microsoft Update Catalog and should be prioritized for domain controllers to restore Active Directory stability.
For CVE-2024-49116, the primary mitigation is to apply the December 2024 security updates to all affected Windows Server systems. If immediate patching is not feasible, organizations should temporarily disable Remote Desktop Gateway services on internet-facing systems using the following PowerShell commands:
Stop-Service -Name TSGateway -Force
Set-Service -Name TSGateway -StartupType Disabled
Additionally, restrict network access to RD Gateway services using firewalls and network security groups, enable Network Level Authentication (NLA), and implement network segmentation to limit exposure of RD Gateway services to trusted networks only.
Continuous monitoring for anomalous RDS activity, deployment of EDR solutions, and regular review of Windows Event Logs are essential for early detection of exploitation attempts.
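As an added example (not part of the Rescana advisory), the following PowerShell script ties together the detection points listed above with the temporary RD Gateway workaround: it checks whether KB5091572 is installed, looks for restart-loop and failed-install signals for KB5082063, looks for TSGateway crashes and unexpected service terminations, and reports whether the gateway ports are listening. The event IDs are the standard Windows ones; the 24-hour window, the restart threshold and the use of a -DisableGateway switch are assumptions, and the script must run in an elevated session.

```powershell
# Added example (not from the advisory): audit a Windows Server 2016 host for the two issues
# above and optionally apply the temporary RD Gateway workaround. Run elevated.
# Event IDs are the standard Windows ones; the 24 h window and restart threshold are assumptions.
param(
    [int]$HoursBack = 24,
    [switch]$DisableGateway   # apply the advisory's temporary workaround (assumed switch name)
)
$since    = (Get-Date).AddHours(-$HoursBack)
$findings = New-Object System.Collections.Generic.List[string]

# 1. Is the out-of-band fix for the April 2026 update failure present?
if (-not (Get-HotFix -Id 'KB5091572' -ErrorAction SilentlyContinue)) {
    $findings.Add('KB5091572 (OS Build 14393.9062) is not installed')
}

# 2. Restart-loop signal: System log 1074 (restart initiated) and 6008 (unexpected shutdown)
$restarts = @(Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074,6008; StartTime=$since} -ErrorAction SilentlyContinue)
if ($restarts.Count -ge 3) { $findings.Add("$($restarts.Count) restart/shutdown events in the last $HoursBack h") }

# 3. Failed installs of the April 2026 cumulative update (WindowsUpdateClient ID 20 = installation failure)
$wuFail = @(Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Microsoft-Windows-WindowsUpdateClient'; Id=20; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'KB5082063' })
if ($wuFail.Count -gt 0) { $findings.Add("$($wuFail.Count) failed install attempts for KB5082063") }

# 4. RD Gateway instability: application crashes (Application Error 1000) and service terminations (SCM 7031/7034)
$crash = @(Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='Application Error'; Id=1000; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'TSGateway' })
$term  = @(Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Service Control Manager'; Id=7031,7034; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Remote Desktop Gateway|TSGateway' })
if (($crash.Count + $term.Count) -gt 0) { $findings.Add("$($crash.Count) TSGateway crashes, $($term.Count) unexpected service terminations") }

# 5. Exposure: is the gateway service running, and are its ports (TCP 443, UDP 3391) listening?
$svc = Get-Service -Name TSGateway -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') {
    $tcp = @(Get-NetTCPConnection -LocalPort 443 -State Listen -ErrorAction SilentlyContinue)
    $udp = @(Get-NetUDPEndpoint -LocalPort 3391 -ErrorAction SilentlyContinue)
    $findings.Add("TSGateway running; TCP 443 listeners: $($tcp.Count), UDP 3391 endpoints: $($udp.Count)")
    if ($DisableGateway) {
        # The advisory's workaround for hosts that cannot be patched immediately
        Stop-Service -Name TSGateway -Force
        Set-Service -Name TSGateway -StartupType Disabled
        $findings.Add('TSGateway stopped and disabled (temporary workaround applied)')
    }
}

if ($findings.Count -eq 0) { 'No findings' } else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it without the switch first to collect findings across domain controllers and gateway hosts; use -DisableGateway only on internet-facing hosts where the December 2024 updates cannot yet be applied.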
References
Microsoft Learn - Windows Message Center
KB5091572 - Microsoft Update Catalog
Microsoft Support - KB5091572
SentinelOne CVE-2024-49116 Analysis
NVD Entry for CVE-2024-49116
Microsoft Security Update Guide for CVE-2024-49116
Rescana is here for you
Rescana empowers organizations to proactively manage third-party risk and supply chain security through our advanced TPRM platform. Our continuous monitoring, automated risk assessment, and actionable intelligence help you stay ahead of emerging threats and regulatory requirements. While this advisory focuses on recent Microsoft vulnerabilities, our platform provides comprehensive visibility and control across your entire digital ecosystem. For any questions or to discuss your cybersecurity needs, our team is available at ops@rescana.com.