Threat Watch

Critical Microsoft Hyper-V Bug Could Have Long-Time Effects

Technical details are now available for a vulnerability that affects Hyper-V, Microsoft’s native hypervisor for creating virtual machines on Windows systems and in the Azure cloud computing environment. Currently tracked as CVE-2021-28476, the security issue has a critical severity score of 9.9 out of 10. Exploiting it on unpatched machines can have a devastating impact as it allows crashing the host (denial of service) or executing arbitrary code on it. The bug is in Hyper-V’s network switch driver (vmswitch.sys) and affects Windows 10 and Windows Server 2012 through 2019. It emerged in a build from August 2019 and received a patch earlier this year in May. Public details about the flaw are scarce now but in a blog post today, researchers Peleg Hadar of SafeBreach and Ophir Harpaz of Guardicore explain where the fault is and why it is exploitable. The two researchers found the bug together and disclosed it privately to Microsoft. The flaw stems from the fact that Hyper-V’s virtual switch (vmswitch) does not validate the value of an OID (object identifier) request that is intended for a network adapter (external or connected to vmswitch). An OID request can include hardware offloading, Internet Protocol security (IPsec), and single root I/O virtualization (SR-IOV) requests. An attacker successfully leveraging this vulnerability needs to have access to a guest virtual machine (VM) and send a specially crafted packet to the Hyper-V host. The result can be either crashing the host – and terminating all the VMs running on top of it, or gaining remote code execution on the host, which gives the attacker complete control over it and the attached VMs. While the Azure service is safe from this issue, some local Hyper-V deployments are likely still vulnerable as not all admins update Windows machines when patches come out. Harpaz told reporters that vulnerabilities that remain unpatched for years on machines in enterprise networks are a common encounter for Guardicore. One of the most common examples is EternalBlue that became known in April 2017 – patched a month earlier but still leveraged in the destructive WannaCry and NotPetya cyberattacks.


One of the best methods to mitigate software threats is to download and apply manufacturer security patches as they become available. Enterprises should have dedicated IT support for monitoring vendor security notifications, testing to validate the patches, and scheduling deployment of patches in production. It’s also important for security teams to be aware of vulnerabilities so that attempts to exploit them can be detected before or even after patches have been rolled out. Especially for attacks that require internal network access, detecting attempts to exploit vulnerabilities can lead to discovery of an attacker with an initial foothold on an edge device, before they expand their access to more critical systems.