IRONSMITHINTEL
CRITICAL | CVSS 9.8 | CVE-2021-43215 | Auth: none | Reboot: required | Manual only

KB5008263: Windows Server 2012 R2 Security Update (December 2021)

A crafted request to the Internet Storage Name Service can give an attacker code execution on any Windows iSNS server.

Published Dec 14, 2021 · Updated May 21, 2026

Why patch: Risk explained in plain English

Worst-case scenario: If unpatched

An attacker who can reach the iSNS Server endpoint on a Windows host with the role installed can send a crafted request and execute code as the iSNS service. From there the attacker can manipulate iSCSI discovery (redirecting initiators to attacker-controlled targets), harvest credentials, or pivot to the storage fabric the iSNS server coordinates.

How the attack works

iSNS (Internet Storage Name Service) is the directory protocol iSCSI uses to discover and manage iSCSI targets — used in storage networks that rely on iSCSI for block-level storage. The Windows iSNS Server has a boundary error in how it parses incoming iSNS requests; a crafted request triggers memory corruption and lets an attacker execute code in the iSNS service context.

Am I affected? Quick check

Probably yes if any of these apply:

Windows Servers running the Internet Storage Name Service (iSNS) role
Datacentres relying on iSCSI for block storage

Affected OS versions

Windows Server 2012 R2

Real-world incidents: What we've seen

A datacentre uses iSCSI for SAN storage, with a Windows-based iSNS server coordinating discovery. An attacker who reaches the storage management network sends a crafted iSNS request and lands code in the iSNS service. From that pivot they can redirect storage discovery and attack the SAN itself.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

Microsoft Update Catalog: KB5008263

Manual remediation steps

Prerequisites

Local administrator on the target server
Maintenance window with reboot capacity
Current backup or snapshot you can roll back to
Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5008263 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

   1. Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5008263
   2. Download the MSU for Windows Server 2012 R2 that matches your architecture (x64).
   3. Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5008263
[System.Environment]::OSVersion.Version
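
The role check from "Am I affected?" and the Get-HotFix check from step 1 and Verification, combined into one triage function. This is an added example, not part of the original page and not a tested script from this site; the function name Get-IsnsPatchStatus and the status labels are hypothetical, and it assumes Windows PowerShell 4.0 or later with administrative and remoting/WMI access to each host.

```powershell
# Added example: triage hosts for CVE-2021-43215 exposure (iSNS role + KB5008263).
# Get-IsnsPatchStatus and its Status values are illustrative names, not a vendor tool.
function Get-IsnsPatchStatus {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [string]$KbId = 'KB5008263'
    )
    process {
        foreach ($computer in $ComputerName) {
            $row = [ordered]@{
                ComputerName  = $computer
                IsnsInstalled = $null
                KbInstalled   = $null
                Status        = 'CheckFailed'
                Detail        = $null
            }
            try {
                # ISNS is the Server Manager feature name of the iSNS Server service.
                $feature = Get-WindowsFeature -Name ISNS -ComputerName $computer -ErrorAction Stop
                $row.IsnsInstalled = [bool]($feature -and $feature.Installed)

                # List all hotfixes and filter, so a connection failure raises an
                # error instead of looking like "KB not installed".
                $hotfix = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                    Where-Object { $_.HotFixID -eq $KbId }
                $row.KbInstalled = [bool]$hotfix

                if ($row.KbInstalled) {
                    $row.Status = 'Patched'
                } elseif ($row.IsnsInstalled) {
                    # Role present and KB not listed: highest priority. A later
                    # rollup may supersede this KB, so confirm before concluding.
                    $row.Status = 'IsnsExposed'
                } else {
                    $row.Status = 'KbMissing'
                }
            } catch {
                $row.Detail = $_.Exception.Message
            }
            [pscustomobject]$row
        }
    }
}

# Checks the local server; pipe a list of host names to cover an inventory.
Get-IsnsPatchStatus | Format-Table -AutoSize
```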

Rollback

wusa.exe /uninstall /kb:5008263 /quiet /norestart

Notes

This entry covers Windows Server 2012 R2 specifically (KB5008263). Other Windows Server versions have their own KB for CVE-2021-43215.
Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43215 and NVD https://nvd.nist.gov/vuln/detail/CVE-2021-43215.

PowerShell automation: Coming soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.