Executive Summary

Microsoft has recently released emergency updates for Windows Server aimed at resolving a critical issue related to Windows containers operating under Hyper-V isolation mode. This vulnerability, while not yet associated with known exploits in the wild, poses a significant risk of operational disruption due to container startup failures. This report provides an in-depth analysis of the issue, along with recommendations for mitigation and references for further reading.

Technical Information

On April 17, 2025, Microsoft identified a critical issue affecting Windows containers running under Hyper-V isolation mode. The problem arises when there is a mismatch in the update level between the containers and their hosting utility virtual machine (UVM), leading to compatibility issues with system files and resulting in container startup failures. Affected versions include Windows Server 2019, Windows Server 2022, and Windows Server 2025. This issue emphasizes the importance of maintaining synchronization between system updates and highlights potential vulnerabilities in containerized environments that rely heavily on seamless operations. Although no specific CVE has been assigned, Microsoft's issuance of emergency updates underscores the gravity of the issue.

Exploitation in the Wild

To date, there have been no reports indicating that this vulnerability has been exploited in the wild. The primary concern remains the operational disruption caused by the failure of containers to start, which could have significant implications for businesses reliant on these systems for critical services.

APT Groups using this vulnerability

Currently, there are no known Advanced Persistent Threat (APT) groups exploiting this issue. The lack of evidence of exploitation suggests that the vulnerability has not yet been targeted by malicious actors. However, the potential for future exploitation cannot be ruled out, emphasizing the need for vigilance and prompt application of the provided updates.

Affected Product Versions

The affected product versions include Windows Server 2019, Windows Server 2022, and Windows Server 2025. These versions are susceptible to compatibility issues with system files when the update levels of containers and their hosting UVM do not match, leading to startup failures.

Workaround and Mitigation

Microsoft has responded with out-of-band (OOB) updates to address the issue. For Windows Server 2025, the update is KB5059087, and for Windows Server 2022, the updates are KB5059092 and KB5059091. These updates are not distributed through Windows Update and must be manually downloaded and installed from the Microsoft Update Catalog. Microsoft provides guidance on using the Deployment Image Servicing and Management (DISM.exe) tool for applying these updates effectively. Organizations are advised to prioritize the installation of these updates to mitigate the risk of container startup failures and maintain operational stability.

References

• BleepingComputer Article
• Microsoft Update Catalog for manual download of updates: https://www.catalog.update.microsoft.com/

Rescana is here for you

At Rescana, we assist organizations in mitigating risks associated with third-party software through our comprehensive Third Party Risk Management (TPRM) platform. Our solutions help identify potential vulnerabilities and ensure compliance with industry standards, safeguarding your organization's digital infrastructure. Should you have any questions about this report or need further assistance, please do not hesitate to contact our cybersecurity team at ops@rescana.com.