SharePoint security fixes released with January 2026 PU and offered through Microsoft Update

Important: If your current farm patch level is September 2025 CU, remove the NT Authority\system account from WSS_WPG and IIS_IUSRS local security groups of the SharePoint machines – otherwise installing the SharePoint fixes will fail.

For more details check this article: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU
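A pre-flight check for the group membership blocker described above, as an added example that is not part of the original post or of any Microsoft tooling. It reports whether NT AUTHORITY\SYSTEM is a member of WSS_WPG or IIS_IUSRS on the local server. The `-Remove` switch and the exit-code convention are assumptions of this example.

```powershell
# Added example: run from an elevated Windows PowerShell 5.1 session on each SharePoint machine.
# Default is report-only; -Remove (hypothetical switch of this example) also removes the account.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Groups = @('WSS_WPG', 'IIS_IUSRS'),  # group names taken from the post
    [switch]$Remove
)

$systemSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM (independent of OS language)
$findings  = @()

foreach ($group in $Groups) {
    try {
        $members = @(Get-LocalGroupMember -Group $group -ErrorAction Stop)
    }
    catch {
        # Group does not exist on this machine, or enumeration failed
        # (for example because the group contains orphaned SIDs).
        Write-Warning "Could not enumerate '$group': $($_.Exception.Message)"
        continue
    }

    # Compare by SID so the check does not depend on the localized account name
    $hit = $members | Where-Object { $_.SID.Value -eq $systemSid }
    if ($hit) {
        $findings += $group
        Write-Warning "NT AUTHORITY\SYSTEM is a member of '$group'."
        if ($Remove -and $PSCmdlet.ShouldProcess($group, 'Remove NT AUTHORITY\SYSTEM')) {
            Remove-LocalGroupMember -Group $group -Member $systemSid -ErrorAction Stop
            Write-Output "Removed NT AUTHORITY\SYSTEM from '$group'."
        }
    }
    else {
        Write-Output "OK: NT AUTHORITY\SYSTEM is not a member of '$group'."
    }
}

# Non-zero exit code lets a patch wrapper stop before it launches the installer
if ($findings.Count -gt 0 -and -not $Remove) { exit 1 }
```

Running it with `-Remove -WhatIf` shows which removals would be made without changing the groups.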

Below are the security fixes for the SharePoint OnPrem versions released this month.

SharePoint Server 2016:

  • KB 5002828 – SharePoint Server 2016 (language independent)
  • KB 5002827 – SharePoint Server 2016 (language dependent)

Microsoft Support recommends installing the complete January 2026 CU for SharePoint 2016 rather than individual security fixes.

SharePoint Server 2019:

  • KB 5002825 – SharePoint Server 2019 (language independent)
  • KB 5002823 – SharePoint Server 2019 (language dependent)

Microsoft Support recommends installing the complete January 2026 CU for SharePoint 2019 rather than individual security fixes.

SharePoint Server Subscription Edition:

  • KB 5002822 – SharePoint Server Subscription Edition

This security fix is identical to the January 2026 CU for SharePoint Server Subscription Edition.

Office Online Server:

  • KB 5002824 – Office Online Server

Please have a look at the SharePoint Patching Best Practices before applying new fixes.

Security Vulnerabilities fixed in this PU

Vulnerability SP 2016 SP 2019 SP SE OOS Impact Max Severity
CVE-2026-20943 x x x Remote Code Execution Important
CVE-2026-20947 x x x Remote Code Execution Important
CVE-2026-20948 x x Remote Code Execution Important
CVE-2026-20950 x Remote Code Execution Important
CVE-2026-20951 x x x Remote Code Execution Important
CVE-2026-20955 x Remote Code Execution Critical
CVE-2026-20957 x Remote Code Execution Critical
CVE-2026-20958 x x x Information Disclosure Important
CVE-2026-20959 x x x Spoofing Important
CVE-2026-20963 x x x Remote Code Execution Important

See the Security Update Guide below for more details about the relevant fixes:

13 Comments


  1. Hello Stefan,

    How about the trending issues regarding the December CU?
    If I install this PU on a system having the 2025 November CU will this fix the target system’s vulnerabilities without bringing the December issues along with it, right?

    Thanks in advance,
    Greg

    1. Hi Greg,
      which December CU issues do you mean?
      About the second question: SharePoint ships only cumulative updates. That means the January PU includes the complete December CU as well.
      Cheers,
      Stefan

      1. By December CU issues I meant this one
        https://blog.stefan-gossner.com/2025/12/19/trending-issue-sharepoint-worker-process-crashes-with-0xc06d007e-and-0xe0434352-exceptions/#comment-52662
        being relevant since I have a SP2019 environment – I should have clarified that, my apologies.

        You have answered my question regardless: by installing 2026 January PU, I will also install every fix – and fault – 2025 December CU brings.

        So now I have to consider if I will stay on November patch level with its security faults or install a later one with its functional faults (crashing w3wp.exe).

        (In case of my SP SE environments I don’t have such a choice – since this fault was introduced with 2025 July 20 patch
        https://blog.stefan-gossner.com/2025/12/19/trending-issue-sharepoint-worker-process-crashes-with-0xc06d007e-and-0xe0434352-exceptions/#comment-50042)

        1. Hi Greg,
          this issue is not new to December CU. We have seen reports back to July 2025 CU.
          Cheers,
          Stefan

  2. Hi Stefan – we had been having the issue of failed updates from Oct25 onwards and it looks like the NT Authority\system account being in WSS_WPG was the cause, so this post has been a big help.

    One thing though, as per your advice elsewhere we’ve been using your Install-SPSE_Fix.ps1 PowerShell script to stop services and speed up the application of the patches. Unfortunately that wasn’t showing us the failure pop-up, it effectively failed silently so each month we kept trying to run PSConfig and getting nothing updated. It was only when I went back to running the CU exe on its own that I saw the error message. Is it possible for you to update the script to catch any failure and report it in some way?

    1. Hi Harold,
      I can look into it to see if I can catch the information that the installation failed.

      A workaround right now is to modify the script and change this line:

      $pInfo.Arguments = "/passive"

      to this

      $pInfo.Arguments = ""

      The side effect is that you have to manually click through the installer but all the other benefits will remain.

      Cheers,
      Stefan

      1. It would be even better if the CU EXE returned something more informative than ‘an error was detected’

        1. Hi Harold,
          I have updated the script. It now includes detection of failed installations and also shows more detailed error messages for common installation problems:
          https://github.com/stefangossner/Install-SPSE_Fix/blob/main/Install-SPSE_Fix.ps1
          I’m planning to add more logic to it to further analyze the installer logs (opatchinstall.log, sts-x-none.log and wssmui-…_MSPLOG.LOG) files to identify the reason for the installation failure.
          Cheers,
          Stefan

  3. That’s fantastic turnaround, thanks very much. That’s my job for Monday queued up.
    Maybe some way of scanning for common blocking issues (like group memberships or permissions) before running the CU EXE would be more effective than waiting for it to fail and getting it from the logs. Again I would have thought doing that in the CU EXE (along with more informative error messages) and having it officially supported would make more sense than a separate ‘unsupported’ script on GitHub (much as it is appreciated).

  4. Hello,
    I’m in this situation:
    SharePoint 2016 has KB 5002778 installed for the September 2025 patch, but KB5002777 for the language pack hasn’t been installed.

    Before installing the KB5002777 language pack, do I still need to remove the NT Authority\system account from the specified groups?

    Should the “Configure Service Accounts” tasks in the “Security” section of the SharePoint Central Administration always be performed, as described in the article https://blog.stefan-gossner.com/2025/09/11/trending-issue-sharepoint-fixes-fail-to-install-after-installation-of-september-2025-cu/?

    Or can I simply remove the NT Authority\system account from the WSS_WPG and IIS_IUSRS local security groups on the SharePoint machines?

    1. Hi Vincenzo,
      Configure Service Accounts operations are no longer necessary as the relevant code change introduced in September CU has been rolled back in October CU.
      Just removing the system account from the WSS_WPG and IIS_IUSRS groups or removing the “Deny Write” ACE from the ACLs for the …..\14\template\layouts and …..\16\template\layouts directories is sufficient.
      Cheers,
      Stefan

  5. Hi,

    I’m running SP2019 16 0 10395 20001, do you recommend upgrading to the latest CU?

    Regards

    1. Hi Sam,
      this is February 2023 CU.
      This is an unsupported patch level – yes, please upgrade to a current CU to ensure that you have a supported environment.
      Cheers,
      Stefan
