IRONSMITHINTEL
CRITICAL · CVSS 9.9
CVE-2021-28476 | Auth: none | Reboot: required | Manual only

KB5003209: Windows Server 2012 R2 Security Update (May 2021)

A guest virtual machine can break out of Hyper-V and execute code on the host operating system by sending a single crafted packet.

Published May 11, 2021 · Updated May 21, 2026
Why patch: risk explained in plain English

Worst-case scenario: if unpatched

An attacker with any code execution inside a Hyper-V guest VM can send a crafted RNDIS packet over VMBus and either crash the host (taking down every VM on it) or execute code on the host kernel. Once on the host, the attacker controls every guest on the same hypervisor and any resources the host can reach.

How the attack works

Hyper-V is the Windows hypervisor — the layer that isolates guest VMs from the host and from each other. The virtual switch component (vmswitch.sys) routes network traffic between guests and the host. A failure to validate Object Identifier (OID) requests in vmswitch lets a guest force the host kernel to read from arbitrary memory addresses, which is enough to crash the host (DoS) or execute attacker-controlled code on it (full escape).

Am I affected? Quick check

Probably yes if any of these apply:

Any Windows Server running the Hyper-V role with untrusted or potentially-compromised guests
Multi-tenant virtualisation hosts

Affected OS versions

Windows Server 2012 R2
Real-world incidents: what we've seen

A managed-hosting provider runs customer workloads on shared Hyper-V hosts. One tenant is compromised through phishing; the attacker installs the public PoC inside the customer's VM, crashes the host as a test, then escapes to host kernel context. They now control every other customer's VM on that physical box. This is the worst-case scenario for any virtualised environment and has been demonstrated possible on Azure infrastructure.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5003209

Manual remediation steps

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5003209 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait
# (or use your standard WSUS / SCCM / Intune deployment for KB5003209)

Manual download (offline / air-gapped):

    1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5003209
    2. Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).
    3. Copy the .msu file to the server and run it as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5003209
[System.Environment]::OSVersion.Version

If Get-HotFix returns nothing for KB5003209, the install did not take — re-run from a different channel.
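The check, install and verification steps above, folded into one audit script. This is an added example, not the site's script (the site lists none yet for this entry): it confirms the host is Server 2012 R2 with the Hyper-V role, reports whether KB5003209 is present, and only if the host is exposed and a hypothetical -MsuPath argument points at the downloaded MSU, installs it with wusa.exe and reports the exit code. Run it in an elevated session on the Hyper-V host.

```powershell
# Added example (not the advisory's own script). Assumes an elevated session on the
# Hyper-V host; $MsuPath is a hypothetical parameter for the x64 MSU downloaded from
# the Microsoft Update Catalog for KB5003209.
param(
    [string]$MsuPath
)

function Test-Kb5003209Status {
    $kb  = 'KB5003209'
    $os  = Get-CimInstance Win32_OperatingSystem
    $ver = [version]$os.Version            # 6.3.x = Windows Server 2012 R2
    $hv  = Get-WindowsFeature -Name Hyper-V -ErrorAction SilentlyContinue
    $fix = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
    # Running guests matter for the reboot plan; Get-VM only exists if the Hyper-V module is present
    $vms = if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
        @(Get-VM | Where-Object State -eq 'Running')
    } else { @() }
    $roleOn = [bool]($hv -and $hv.Installed)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        OSVersion     = $os.Version
        Is2012R2      = ($ver.Major -eq 6 -and $ver.Minor -eq 3)
        HyperVRole    = $roleOn
        RunningVMs    = $vms.Count
        KbInstalled   = [bool]$fix
        InstalledOn   = $fix.InstalledOn
        RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        # Reachable by a guest only when the virtual switch is in use and the fix is absent
        Exposed       = ($roleOn -and -not $fix)
    }
}

$status = Test-Kb5003209Status
$status | Format-List

if ($status.Exposed -and $MsuPath) {
    if (-not (Test-Path $MsuPath)) { throw "MSU not found: $MsuPath" }
    # wusa.exe exit codes: 0 = installed, 3010 = installed but reboot required
    $p = Start-Process -FilePath 'wusa.exe' -ArgumentList "`"$MsuPath`" /quiet /norestart" -Wait -PassThru
    switch ($p.ExitCode) {
        0       { Write-Host 'KB5003209 installed.' }
        3010    { Write-Warning 'KB5003209 installed; reboot required before the fix is active.' }
        default { Write-Error "wusa.exe exited with $($p.ExitCode); the install did not take." }
    }
}
```

Re-run the script after the reboot: KbInstalled should be True and Exposed False, which is the same check as Get-HotFix above but with the role and OS context attached.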

Rollback

wusa.exe /uninstall /kb:5003209 /quiet /norestart
# Reboot after uninstall

Removing a cumulative update also removes every fix it delivered — prefer rolling forward.

Notes

This entry covers Windows Server 2012 R2 specifically (KB5003209). Other Windows Server versions have their own KB for CVE-2021-28476.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28476 and NVD https://nvd.nist.gov/vuln/detail/CVE-2021-28476.

PowerShell automation: coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.