Fix-SeptemberCU-Permission-Problem.ps1
Alternatively, remove the NT AUTHORITY\SYSTEM account from the WSS_WPG and IIS_IUSRS local security groups on every SharePoint server in the farm.
For more details check this article: Trending Issue: SharePoint fixes fail to install after installation of September 2025 CU
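The following is an added example of the group clean-up described above; it is not the Fix-SeptemberCU-Permission-Problem.ps1 script from the post. It matches the member by the well-known SID of NT AUTHORITY\SYSTEM (S-1-5-18) rather than by display name, so locale and name-format differences on the server do not matter, and it supports -WhatIf so you can see the removals before applying them. The group names are the two from the text; run it elevated on each SharePoint server (for example through Invoke-Command against the server list from Get-SPServer).

```powershell
# Added example, not the Fix-SeptemberCU-Permission-Problem.ps1 script from the post.
# Removes NT AUTHORITY\SYSTEM from the WSS_WPG and IIS_IUSRS local groups on the
# local server and reports what it found. Requires an elevated prompt and the
# Microsoft.PowerShell.LocalAccounts module (Windows Server 2016 and later).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$Groups = @('WSS_WPG', 'IIS_IUSRS'),
    [string]$MemberSid = 'S-1-5-18'   # well-known SID of NT AUTHORITY\SYSTEM
)

foreach ($group in $Groups) {
    # Get-LocalGroupMember throws when a group holds an orphaned SID; report that
    # rather than silently skipping the group.
    try {
        $members = Get-LocalGroupMember -Group $group -ErrorAction Stop
    } catch {
        Write-Warning "Cannot enumerate '$group' on $env:COMPUTERNAME : $($_.Exception.Message)"
        continue
    }

    # Match on the SID, not on the name shown in the group dialog.
    $system = $members | Where-Object { $_.SID.Value -eq $MemberSid }
    if (-not $system) {
        Write-Output "$env:COMPUTERNAME : '$group' does not contain SYSTEM, nothing to do."
        continue
    }

    # ShouldProcess honours -WhatIf / -Confirm for the actual removal.
    if ($PSCmdlet.ShouldProcess("$group on $env:COMPUTERNAME", 'Remove NT AUTHORITY\SYSTEM')) {
        Remove-LocalGroupMember -Group $group -Member $system -ErrorAction Stop
        Write-Output "$env:COMPUTERNAME : removed SYSTEM from '$group'."
    }
}
```

Run it once with -WhatIf to confirm it only touches the two groups, then without. The membership is per server, so the script has to run on each SharePoint server of the farm, not only on the one where the patch was started.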
Below are the security fixes for the SharePoint on-premises versions released this month.
SharePoint Server 2016:
- KB 5002861 – SharePoint Server 2016 (language independent)
- KB 5002862 – SharePoint Server 2016 (language dependent)
Microsoft Support recommends installing the complete April 2026 CU for SharePoint 2016 rather than the individual security fixes.
SharePoint Server 2019:
- KB 5002854 – SharePoint Server 2019 (language independent)
- KB 5002856 – SharePoint Server 2019 (language dependent)
Microsoft Support recommends installing the complete April 2026 CU for SharePoint 2019 rather than the individual security fixes.
SharePoint Server Subscription Edition:
- KB 5002853 – SharePoint Server Subscription Edition
This security fix is identical to the April 2026 CU for SharePoint Server Subscription Edition.
Office Online Server:
- KB 5002855 – Office Online Server
Security Vulnerabilities fixed in this PU
| Vulnerability | SP 2016 | SP 2019 | SP SE | OOS | Impact | Max Severity |
|---|---|---|---|---|---|---|
| CVE-2026-20945 | x | x | x | | Spoofing | Important |
| CVE-2026-32188 | x | | | | Information Disclosure | Important |
| CVE-2026-32189 | x | | | | Remote Code Execution | Important |
| CVE-2026-32197 | x | | | | Remote Code Execution | Important |
| CVE-2026-32198 | x | | | | Remote Code Execution | Important |
| CVE-2026-32199 | x | | | | Remote Code Execution | Important |
| CVE-2026-32201 | x | x | x | | Spoofing | Important |

Permalink
Stefan, the service you provide here on your blog is EXTRAORDINARY, and, for the better part of a decade, I’ve relied on it for the secure and reliable operation of multiple on-premises SharePoint farms at multiple companies. I’m not looking forward to the day when you hang up your keyboard!
Permalink
Thanks Joel!
🙂
Permalink
Stefan, regarding this update, is it considered to be a zero-day or not? Sorry, newbie here.
Permalink
Hi Abdur,
sorry, I’m not in a position or allowed to comment on security related questions.
If you have any concerns, contact your Microsoft Account Manager.
Cheers,
Stefan
Permalink
Hi,
We have noticed that after installation of the April 2026 SP CU on SharePoint SE on all our 3 farms, we have spotted a break in SharePoint search:
On Search Service Application page in Central Administration, the following information is shown:
Searchable items All Errors
Search Application Topology
Unable to retrieve topology component health states. This may be because the admin component is not up and running.
Search does not return any results
SharePoint CU has been installed with all the best practices – stopping all the services, SP Config Wizard run at the end (without errors).
Did you guys also experience this kind of issues?
Best Regards,
Maciej
Permalink
I have seen this in the past where, after I run the CUs and then PSConfig, I will then have to go into Central Administration, Security, Configure Managed Accounts, select my search service account, hit Edit and do these steps: ensure under managed accounts you have your search account, click the check box for “Change password now”, then select “Use existing password” and enter your current password for the search service account and then hit OK. Once complete, give it a few minutes and check back with your Search service application; you should be good. This is just something I have had to do in the past. My advice comes with no guarantees in your situation, but it has helped me.
Permalink
Hi Brian,
Thanks for the suggestion. Unfortunately it did not help,
I can see those two errors in ULS – regarding them, we are using NTLM only:
1)
```text
Unable to connect to system using GetSystemClient() with constellation 0410A2. Exception: Failed to connect to system manager. SystemManagerLocations: net.tcp://XXXX/0410A2/AdminComponent1/Management
at Microsoft.Office.Server.Search.Administration.Topology.ApplicationAdminLayer.GetSystemClient(String constellationName)
at Microsoft.Office.Server.Search.Administration.Topology.ApplicationAdminLayer.ValidateSystemClientConnection(String constellationName)
```
2)
```text
Application Server Administration job failed for service instance Microsoft.Office.Server.Search.Administration.SearchServiceInstance (5b81381a-ed99-479e-bef8-0f925d6f84ac). Reason: One or more errors occurred. Technical Support Details: System.AggregateException: One or more errors occurred. ---> System.ServiceModel.Security.SecurityNegotiationException: A call to SSPI failed, see inner exception. ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The encryption type requested is not supported by the KDC
--- End of inner exception stack trace ---
at System.Net.Security.NegoState.StartSendAuthResetSignal(LazyAsyncResult lazyResult, Byte[] message, Exception exception)
at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
at System.Net.Security.NegoState.StartSendBlob(Byte[] message, LazyAsyncResult lazyResult)
at System.Net.Security.NegoState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.NegotiateStream.AuthenticateAsClient(NetworkCredential credential, String targetName, ProtectionLevel requiredProtectionLevel, TokenImpersonationLevel allowedImpersonationLevel)
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
--- End of inner exception stack trace ---
Server stack trace:
at System.ServiceModel.Channels.WindowsStreamSecurityUpgradeProvider.WindowsStreamSecurityUpgradeInitiator.OnInitiateUpgrade(Stream stream, SecurityMessageProperty& remoteSecurity)
at System.ServiceModel.Channels.StreamSecurityUpgradeInitiatorBase.InitiateUpgrade(Stream stream)
at System.ServiceModel.Channels.ConnectionUpgradeHelper.InitiateUpgrade(StreamUpgradeInitiator upgradeInitiator, IConnection& connection, ClientFramingDecoder decoder, IDefaultCommunicationTimeouts defaultTimeouts, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Ceres.HostController.WcfTypes.IHostController.GetHostInformation()
at Microsoft.Office.Server.Search.Administration.Topology.SearchTopologyUtils.ConnectHostController(String serverName, TimeSpan nodeActionTimeout, TimeSpan nodeActionSleep, Nullable`1 wcfTimeout)
at Microsoft.Office.Server.Search.Administration.SearchRuntimeServiceInstance.get_RepositoryVersion()
at Microsoft.Office.Server.Search.Administration.SearchServiceInstance.Synchronize()
```
Permalink
Hi Maciej,
from the error message it seems a problem with Active Directory.
Please check this article if it covers your issue:
https://learn.microsoft.com/en-us/troubleshoot/sharepoint/security/configuration-to-support-kerberos-aes-encryption
Cheers,
Stefan
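The Win32 error quoted in the trace above ("The encryption type requested is not supported by the KDC") is a Kerberos error returned by the domain controller when the ticket request asks for an encryption type the account is not configured for, which is what the linked article is about. The following added example (my code, not Stefan's and not from the Microsoft article) decodes the msDS-SupportedEncryptionTypes attribute for the accounts involved so that an AES-only domain policy can be compared against what each account actually advertises. The account and server names are placeholders; it needs the ActiveDirectory module from RSAT.

```powershell
# Added example, not from the post or from the linked Microsoft article.
# Decodes msDS-SupportedEncryptionTypes for the search service account and the
# search servers' computer accounts. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Bit flags of msDS-SupportedEncryptionTypes (MS-KILE, "Supported Encryption Types Bit Flags").
$EncFlags = [ordered]@{
    1  = 'DES-CBC-CRC'
    2  = 'DES-CBC-MD5'
    4  = 'RC4-HMAC'
    8  = 'AES128-CTS-HMAC-SHA1-96'
    16 = 'AES256-CTS-HMAC-SHA1-96'
}

function ConvertFrom-EncryptionTypes {
    param([AllowNull()][int]$Value)
    # An unset (null) or zero attribute means the DC applies its default for the account;
    # under an AES-only policy such accounts are the usual cause of KDC etype errors.
    if (-not $Value) { return 'not set (DC default)' }
    ($EncFlags.Keys | Where-Object { $Value -band $_ } | ForEach-Object { $EncFlags[$_] }) -join ', '
}

function Get-KerberosEncryptionSupport {
    param([string[]]$Identity)
    foreach ($id in $Identity) {
        # Computer accounts are passed with the trailing '$'; anything else is a user/service account.
        $obj = if ($id.EndsWith('$')) {
            Get-ADComputer -Identity $id -Properties msDS-SupportedEncryptionTypes, servicePrincipalName
        } else {
            Get-ADUser -Identity $id -Properties msDS-SupportedEncryptionTypes, servicePrincipalName
        }
        $raw = $obj.'msDS-SupportedEncryptionTypes'
        [pscustomobject]@{
            Account    = $obj.SamAccountName
            RawValue   = $raw
            Supports   = ConvertFrom-EncryptionTypes $raw
            AESEnabled = [bool]($raw -band 24)      # 8 (AES128) or 16 (AES256)
            SPNCount   = @($obj.servicePrincipalName).Count
        }
    }
}

# Placeholder identities: the search service account and two search servers.
Get-KerberosEncryptionSupport -Identity 'svc_spsearch', 'SPSEARCH01$', 'SPSEARCH02$' |
    Format-Table -AutoSize
```

An account that shows "not set" or RC4-HMAC only, in a domain where the DCs or the affected servers were restricted to AES, is the combination to look at first; the fix itself (setting the attribute, resetting the password so an AES key exists) is described in the linked article, not here.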
Permalink
Hi Stefan,
We are on the Feb patch and going to install the April PU on SPSE, and it seems a good patch, but someone mentioned that there is an issue with the search application. For us search is very critical, so I just wanted to confirm: are there any issues identified for the search application by this April PU? If not, we are good to install.
Permalink
OK, so first time since patching from SP2010 that I had to roll back a farm. Today we tried to update SPSE from July 2023 to Feb 2026. Seems the leap was too big for SharePoint.
The patch destroyed the farm:
1. Took 2 hours to complete
2. Successfully ran PSconfig
3. SharePoint would just not start. HTTP 500 everywhere (Central Admin, all site collections)
Pinned down the error to:
Source: mssearch.exe and w3wp.exe (app pool of the web apps)
System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.SharePoint.OnPrem.Flighting.SPOnPremFlight.IsFlightEnabled(Int32 flightId)
System.UnauthorizedAccessException: Access is denied. (HRESULT: 0x80070005)
at Microsoft.SharePoint.SPGroup.InitMember()
at Microsoft.SharePoint.SPSecurity.<>c__DisplayClass60_0.b__0()
at Microsoft.SharePoint.Utilities.SecurityContext.RunAsProcess(CodeToRunElevated secureCode)
at Microsoft.SharePoint.OnPrem.Flighting.ECSSPFlightDataProvider.InitializeEnabledFlightsInfoDict()
at Microsoft.SharePoint.OnPrem.Flighting.ECSSPFlightDataProvider..cctor()
at Microsoft.SharePoint.OnPrem.Flighting.SPOnPremFlight..cctor()
at Microsoft.SharePoint.OnPrem.Flighting.SPOnPremFlight.ensureDebugFlightIdsInitialized()
at Microsoft.SharePoint.OnPrem.Flighting.SPOnPremFlight.IsFlightEnabled(Int32 flightId)
This seems to be something related to an OnPrem.Flighting.SPOnPremFlight service. No idea what that is.
So, after reading Stefan’s blog (and I REALLY appreciate your help here), could the culprit have been:
I need to upgrade to SPWFM first?
The SYSTEM account was in WSS_WPG before the update (confirmed it was). Need to remove it before the patch?
Need to enable AMSI before the update?
Because I am using Nintex?
Had to restore the VMs and all is working fine. Would you think I should:
1. Patch to August 2025 16.0.18526.20508 first and check the farm? (pre-September 2025)
2. Then jump to April 2026?
If not for this blog, would still be patching. Thanks for any pointers!
Permalink
Hi Charles,
ok here are a lot of things listed.
mssearch.exe is in no way related to 500 server errors.
The issue here is not AMSI related, not WSS_WPG related and not WFM related.
I see two exceptions: a NullReferenceException and a UnauthorizedAccessException.
It is not clear in which process these two exception occurred as you listed two.
The complete ULS log entry would have been very helpful rather than only the message part.
The UnAuthorizedAccessException seems to happen when the application pool account is being impersonated. Haven’t seen this – but it could be caused by an AV solution redirecting system calls to itself.
The NullReferenceException is very generic.
If this were in the context of a support case, I would filter the ULS log for the correlation ID returned in the 500 server error to get a complete context of everything that has happened during the execution.
I would potentially also request memory dumps for the two exceptions if they are in the 500 server error.
Cheers,
Stefan
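The ULS filtering Stefan describes can be done from the SharePoint Management Shell with Merge-SPLogFile, which collects the entries for one correlation ID from every server in the farm. The following is an added example (mine, not Stefan's and not Microsoft's) that does that and then summarises the exceptions by process, which also answers the question of whether an exception came from w3wp.exe or from another process. The correlation ID and the output path are placeholders; the correlation ID is the one printed on the 500 error page.

```powershell
# Added example, not from the post. Collects every ULS entry for one correlation ID
# from all farm servers and summarises the exceptions in it by process.
# Run in the SharePoint Management Shell on a farm server.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-ULSExceptionsByCorrelation {
    param(
        [Parameter(Mandatory)][guid]$CorrelationId,
        [string]$OutFile = (Join-Path $env:TEMP "uls-$CorrelationId.log")
    )

    # Merge-SPLogFile runs a timer job that gathers matching entries from every server's ULS logs.
    Merge-SPLogFile -Path $OutFile -Correlation $CorrelationId -Overwrite | Out-Null
    if (-not (Test-Path $OutFile)) {
        Write-Warning "No ULS entries for $CorrelationId; check the trace level (Get-SPLogLevel) and that the Timer service runs on every server."
        return
    }

    # ULS files are tab-separated with padded column names
    # (Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation); trim them.
    $entries = Import-Csv -Path $OutFile -Delimiter "`t" | ForEach-Object {
        $clean = [ordered]@{}
        foreach ($p in $_.PSObject.Properties) { $clean[$p.Name.Trim()] = ([string]$p.Value).Trim() }
        [pscustomobject]$clean
    }

    # Keep entries that name a CLR exception type or carry a high ULS severity.
    $hits = $entries | Where-Object {
        $_.Message -match '\b[\w.]+Exception\b' -or $_.Level -match '^(Critical|Unexpected|Monitorable)$'
    }

    [pscustomobject]@{
        CorrelationId = $CorrelationId
        TotalEntries  = @($entries).Count
        # The Process column is "w3wp.exe (0x1A2B)"; drop the PID so one line per executable remains.
        ByProcess     = $hits | Group-Object { $_.Process -replace '\s*\(0x[0-9A-Fa-f]+\)$', '' } |
                        Sort-Object Count -Descending |
                        ForEach-Object { '{0}: {1}' -f $_.Name, $_.Count }
        Exceptions    = $hits | Select-Object Timestamp, Process, Level, Category,
                            @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(200, $_.Message.Length)) } }
        LogFile       = $OutFile
    }
}

# Usage; the all-zero GUID is a placeholder for the "Correlation ID:" value from the 500 page.
Get-ULSExceptionsByCorrelation -CorrelationId '00000000-0000-0000-0000-000000000000' | Format-List
```

The merged file in LogFile is the one to attach to a support case; the ByProcess summary is only there to see at a glance which executable raised the exceptions.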
Permalink
Thanks Stefan, I will make the support case with Microsoft to see this further.
I was planning in the meantime to patch Jan 2025, since they are way back on July 2023. Do you think Jan 2025 is OK or do I go, say, to July 2025?
I’m trying to avoid September 2025 and patch to a “safer” version while I check the issue with Microsoft.
Thanks,
Charles
Permalink
Hi Charles,
all these patches are very aged and even the July 2025 CU is vulnerable to the zero-day vulnerability from last year.
Microsoft recommendation is to update to the most recent CU as soon as possible.
Cheers,
Stefan
Permalink
Thanks, really appreciate the response, and your help!
Permalink
Hello, quick update regarding the upgrade issue if it helps anyone:
Patched SPSE from July 2023 to July 2025: 1.15 hours to patch each server.
Remember to patch language pack if older than 2024. When running, select repair. Otherwise it shows a schema error running the wizard.
Ran Update wizard, Reboot.
After reboot, Central Admin was down. The CA was on port 2701. The installer renamed the folder from 2701 to 26602. So, I changed the binding to the new port and CA started, but this is not the correct way. I had to recreate Central Admin using “psconfig.exe -cmd adminvs -provision -port 26602”. Maybe the installer does not like low port numbers anymore?
Ran Config Wizard, all OK.
Now, I am thinking, how to make the “second jump” to update to a more recent CU. Should I go to march 2026? or april 2026 directly?
I have to make sure of all of Stefan’s info before updating:
1. Enable AMSI
2. Use a farm account to install the CU that is not in WSS_WPG or IIS_IUSRS
3. We don’t use SP2013 workflows. Do I still need to install SPWFM?
4. Wait until May 2026?
Thanks!