FortiClient
btan
Staff & Editor
Article Id 403554
Description This article describes why CVE-2025-47981 is detected on Windows 11 23H2 endpoints despite KB5062552 being installed.
Scope FortiClient v7.0, v7.2, and v7.4.
Solution

CVE-2025-47981 is a Windows OS-related vulnerability.

Based on the official Microsoft Update Guide, for Windows 11 23H2, the KB article fix is KB5062552.



 

However, when a user runs Windows Update on a Windows 11 23H2 endpoint, Microsoft's Windows Update Server tries to push the incorrect KB5062553 to the endpoint.

This can be checked by performing the steps below:

  1. Open a PowerShell window and run the command:

     Get-WindowsUpdateLog

  2. It will generate a WindowsUpdate.log in C:\Users\<username>\Desktop\WindowsUpdate.log.

  3. Open the WindowsUpdate.log on the Desktop using Notepad or Notepad++.

  4. Press 'Ctrl + F' and search for KB5062553.

  5. Notice that the endpoint is trying to download KB5062553 from Microsoft's Windows Update Server.

     


2025/07/21 12:56:07.9265997 8436 9268 DownloadManager Attempting to add un-encrypted version of [file: Windows11.0-KB5062553-x64.msu] to DO job 4CBBCFF0-40D1-4AFC-9D51-DAEF195DCF98. EncryptedDigest available: False, DecryptionInfo available: False
2025/07/21 12:56:07.9448656 8436 9268 DownloadManager Downloading from http://tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/2cf31dbf-ac4d-435b-8bc7-5a474dfad46eP1=1753105950&P2=404&P3=2&P4=CWbGg5m06UBGSlV3RYaLoMBtE8YZi9JOO5cx%2bskkzx...Z1iGKuN9qIx0a0UjmTGk2Hf4WIUHw%3d%3d to C:\Windows\SoftwareDistribution\Download\56859390bb4a7fe1a9d399661a5b5904\Windows11.0-KB5062553-x64.msu (852 subranges).

There is a mismatch on Microsoft's Windows Update Server: it is pushing the incorrect fix to Windows 11 23H2.
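The manual check above can be scripted together with a check that the correct KB is installed. This is an added example, not Fortinet or Microsoft code; the KB numbers come from this article, while the log location under $env:TEMP and the output field names are assumptions chosen for the example.

```powershell
# Added example: gather evidence for the false positive described in this article.
# Run in an elevated PowerShell window on the affected Windows 11 23H2 endpoint.
$CorrectKb = 'KB5062552'   # fix for Windows 11 23H2 according to this article
$OfferedKb = 'KB5062553'   # package Windows Update tries to download instead
$LogPath   = Join-Path $env:TEMP 'WindowsUpdate.log'   # assumed output location

# 1. Is the correct fix installed? Get-HotFix returns nothing if the KB is absent.
$installed = Get-HotFix -Id $CorrectKb -ErrorAction SilentlyContinue

# 2. Rebuild the readable Windows Update log from the ETW traces.
Get-WindowsUpdateLog -LogPath $LogPath | Out-Null

# 3. Find DownloadManager entries that reference the offered package.
$hits = @(Select-String -Path $LogPath -Pattern $OfferedKb -SimpleMatch |
    Where-Object { $_.Line -match 'DownloadManager' })

# Summary object that can be attached to a ticket or exported with Export-Csv.
[pscustomobject]@{
    ComputerName       = $env:COMPUTERNAME
    CorrectKbInstalled = [bool]$installed
    InstalledOn        = $installed.InstalledOn
    OfferedKbLogHits   = $hits.Count
    # Both conditions true matches the situation this article describes.
    MismatchConfirmed  = ([bool]$installed) -and ($hits.Count -gt 0)
}

# Show the first few matching log lines as supporting evidence.
$hits | Select-Object -First 5 -ExpandProperty Line
```

If CorrectKbInstalled is False, the detection is not a false positive and KB5062552 still needs to be installed.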

 

Even after the user manually downloads and installs the correct KB5062552 from Microsoft, FortiClient still detects CVE-2025-47981 on the endpoint.

 


 

This is because FortiClient relies on the replies from the Windows API to match the CVE to the KB article that fixes it.

Microsoft's Windows Update Server replies to FortiClient that KB5062553 is the fix for the CVE (which is incorrect).

This results in a false-positive detection on a vulnerability scan.

 

Solution:

  1. Ignore the false-positive detection for now (until the mismatch is addressed on the Microsoft side). As long as KB5062552 is installed on the endpoint, consider this CVE resolved.
  2. Attempt to upgrade Windows 11 23H2 to the latest Windows 11 24H2.
  3. FortiClient relies on the official Microsoft Windows Update Agent API to obtain available updates, and the API sometimes returns an unexpected result. Resetting the Windows Update components may help fix the issue.