KB5002775: Enhances the AMSI Filter feature module
Description of the security update for SharePoint Server 2019: September 09, 2025 (KB5002775)
Summary
This security update resolves a Microsoft Office remote code execution vulnerability, a Microsoft Word information disclosure vulnerability, and a Microsoft SharePoint remote code execution vulnerability. To learn more about the vulnerabilities, see the following security advisories:
- Microsoft Common Vulnerabilities and Exposures CVE-2025-54906
- Microsoft Common Vulnerabilities and Exposures CVE-2025-54905
- Microsoft Common Vulnerabilities and Exposures CVE-2025-54897
Improvements and fixes
This security update contains improvements and fixes for the following nonsecurity issues in SharePoint Server 2019.
- To strengthen security in SharePoint Server, users in the WSS_WPG group are now restricted from running administrative processes, such as the SharePoint Products Configuration Wizard (Psconfig). For more information, see Account permissions and security settings in SharePoint Servers.
- You can now use the Test-DefenderAndAmsiWorkProperly cmdlet in SharePoint Management Shell to verify that all Windows Defender components are installed and active, and that SharePoint AMSI (Antimalware Scan Interface) integration is functioning correctly.
- In order to use workflows in SharePoint Server, you must now have the latest update for SharePoint Workflow Manager installed.
- Fixes an issue in which some characters cannot be displayed correctly in email messages if they use the GB18030 character set for outgoing email.
- Enables the automatic machine key rotation feature.
- Enhances the AMSI Filter feature module. Changes the default setting to be always on.