Back to Intelligence

Windows 10 KB5087544: ESU Release, RDP Warning Fixes, and Critical January 2025 Vulnerability Remediation

SA
Security Arsenal Team
May 12, 2026
5 min read

Microsoft has released KB5087544, a critical Extended Security Update (ESU) for Windows 10 versions 21H2 and 22H2. For organizations still operating on Windows 10, this update is non-negotiable. It addresses the January 2025 Patch Tuesday vulnerabilities, including a Remote Code Execution (RCE) flaw in the Windows Remote Desktop Gateway (CVE-2025-21210).

Beyond the critical security patches, this update resolves a usability issue causing erroneous warnings during Remote Desktop sessions—a friction point that often leads users to bypass security controls, inadvertently increasing attack surface. Defenders must prioritize this ESU to maintain compliance and shield perimeter-exposed RDP infrastructure from active exploit attempts.

Technical Analysis

Affected Products & Platforms:

  • Windows 10 Version 21H2 (ESU only)
  • Windows 10 Version 22H2 (ESU only)
  • Note: Standard support for Windows 10 ended in October 2025. This update is strictly for environments with paid ESU subscriptions.

Key Vulnerabilities (January 2025 Patch Tuesday):

  • CVE-2025-21210 (CVSS 8.8): Windows Remote Desktop Gateway Remote Code Execution. This is the most critical item in this release. The RD Gateway acts as a proxy, allowing external users to access internal RDP sessions. An unauthenticated attacker could exploit this vulnerability to execute arbitrary code on the RD Gateway server with SYSTEM privileges.
  • CVE-2025-21176 (CVSS 7.5): HTTP.sys Remote Code Execution. A vulnerability in the HTTP protocol stack (HTTP.sys) could allow remote code execution if an attacker sends a specially crafted packet to a Windows server running IIS.

Issue with Remote Desktop Warnings: Microsoft acknowledges a recent issue where new Remote Desktop warnings were triggering incorrectly. While not a vulnerability itself, this "warning fatigue" condition is a defensive failure. When security controls cry wolf, users train themselves to click "Ignore" or "Connect Anyway," desensitizing them to legitimate threat indicators. KB5087544 corrects the logic governing these prompts.

Exploitation Status: While CVE-2025-21210 has not yet been added to the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing, RDP services are historically the top vector for ransomware (e.g., LockBit, Conti). Given the public disclosure of the patch, reverse engineering of the fix is imminent. The window between patch release and widespread weaponization is shrinking; assume active scanning for RD Gateway vulnerabilities is already underway.

Detection & Response

This section provides detection logic to verify the deployment of KB5087544 across your fleet and to identify potential exploitation attempts of the associated vulnerabilities prior to patching.

SIGMA Rules

YAML
---
title: Windows 10 ESU KB5087544 Installation Verification
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the successful installation of the Windows 10 KB5087544 update via Windows Update Agent logs.
references:
  - https://support.microsoft.com/kb/5087544
author: Security Arsenal
date: 2025/01/15
tags:
  - configuration\ n  - system.patching
logsource:
  product: windows
  service: update-operations
detection:
  selection:
    EventID: 19
    UpdateTitle|contains: 'KB5087544'
  condition: selection
falsepositives:
  - None
level: high
---
title: Potential Exploitation of CVE-2025-21210 (RDP Gateway)
id: 9f8e7d6c-5b4a-3c2d-1e0f-9a8b7c6d5e4f
status: experimental
description: Detects suspicious process execution patterns associated with RDP Gateway exploitation or web shell activity on RD Gateway servers.
references:
  - https://attack.mitre.org/techniques/T1190/
author: Security Arsenal
date: 2025/01/15
tags:
  - attack.initial_access
  - attack.exploit_public_facing_application
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    ParentImage|endswith: '\tsgateway.exe'
    Image|endswith:
      - '\cmd.exe'
      - '\powershell.exe'
      - '\pwsh.exe'
  condition: selection
falsepositives:
  - Legitimate administrative debugging (rare)
level: critical

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for systems missing KB5087544 (Requires Update or ConfigurationData ingestion)
// This query checks for the presence of the update
let PatchID = "KB5087544";
DeviceProcessEvents
| where FileName in ("wusa.exe", "dism.exe")
| where ProcessCommandLine contains PatchID
| project Timestamp, DeviceName, ProcessCommandLine, InitiatingProcessAccountName
| union (
    UpdateSummary
    | where Title contains PatchID or KBId in (PatchID)
    | project Timestamp, DeviceName, Status = "Installed"
)
| distinct Timestamp, DeviceName, Status
| sort by Timestamp desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for KB5087544 presence by checking the uninstall registry key or package store
-- This verifies if the patch package physically exists on the system
SELECT OSPath, Mtime, Size
FROM glob(globs="C:\Windows\servicing\Packages\Package_for_KB5087544*.mum")
LIMIT 10

Remediation Script (PowerShell)

PowerShell
<#
.SYNOPSIS
    Remediation Script for KB5087544
.DESCRIPTION
    Checks for the presence of KB5087544 and attempts installation via WUSA if missing.
    Requires Administrator privileges.
#>

$KBNumber = "KB5087544"
$UpdatePath = "C:\Windows\Temp\$KBNumber.msu" # Assumes MSU has been staged or downloaded

Write-Host "[+] Checking for $KBNumber..."

$Hotfix = Get-HotFix -Id $KBNumber -ErrorAction SilentlyContinue

if ($Hotfix) {
    Write-Host "[SUCCESS] $KBNumber is already installed." -ForegroundColor Green
    exit 0
} else {
    Write-Host "[WARNING] $KBNumber not found."
    
    # Note: In a managed environment, use WSUS/SCCM/Intune. 
    # This block demonstrates a local remediation trigger.
    if (Test-Path $UpdatePath) {
        Write-Host "[+] Attempting to install from $UpdatePath..."
        try {
            Start-Process -FilePath "wusa.exe" -ArgumentList "$UpdatePath /quiet /norestart" -Wait -NoNewWindow
            Write-Host "[SUCCESS] Installation initiated. Reboot may be required." -ForegroundColor Cyan
        } catch {
            Write-Host "[ERROR] Installation failed: $_" -ForegroundColor Red
        }
    } else {
        Write-Host "[INFO] Update file not found at $UpdatePath. Please deploy via WSUS/Intune." -ForegroundColor Yellow
    }
}

Remediation

1. Immediate Patching: Deploy KB5087544 immediately to all Windows 10 endpoints and servers covered by ESU agreements. Verify deployment status via your endpoint management solution (Intune, SCCM, or WSUS).

2. Configuration Review: Since the update resolves RDP warning issues, verify that your Remote Desktop Gateway security settings are configured to enforce "Require strong authentication" and restrict access via Network Level Authentication (NLA).

3. Vendor Advisory: Refer to the official Microsoft Security Update Guide for January 2025 for the complete list of addressed CVEs.

4. CISA Deadlines: Monitor the CISA Known Exploited Vulnerabilities Catalog. While CVE-2025-21210 is not yet listed, federal agencies are generally required to patch critical CVEs within specified timeframes. Treat this as an emergency patch for all internet-facing RDP infrastructure.

Related Resources

Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub

cvezero-daypatch-tuesdayexploitvulnerability-disclosuremicrosoftwindows-10kb5087544

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action