IRONSMITHINTEL
CRITICALCVSS9.0
|CVE-2022-21901|Auth: none|Reboot: required|Manual only

KB5009557: Windows Server 2019 Security Update (January 2022)

An attacker on one Hyper-V guest VM can interact with processes inside another guest on the same host — a partial guest-to-guest isolation breach.

Published Jan 11, 2022 · Updated May 21, 2026
Why patchRisk explained in plain English
Worst-case scenarioIf unpatched

An attacker with any code execution inside one Hyper-V guest can interact with processes inside other guests on the same physical Hyper-V host, bypassing the isolation that is supposed to keep tenants separate. The exact scope of the cross-guest interaction depends on what Hyper-V capabilities are reachable, but the security guarantee being violated is fundamental.

How the attack works

Hyper-V is the Windows hypervisor that isolates guest VMs from each other and from the host. A flaw in Hyper-V's privilege boundary lets an attacker who already has code execution inside one guest VM interact with processes hosted in another guest on the same physical host. This is not a full guest-to-host escape — it is a guest-to-guest isolation breach.

Am I affected?Quick check

Probably yes if any of these apply:

Hyper-V hosts running guest VMs with mixed trust levels (multi-tenant, dev/prod mixed)

Affected OS versions

Windows Server 2019
Real-world incidentsWhat we've seen

A multi-tenant Hyper-V host runs different customers' workloads side by side. One customer is compromised through their own application stack; the attacker uses the Hyper-V EoP to reach into another customer's VM on the same physical host, read process memory, and steal credentials. The shared-host trust model is broken.

How to patch

Manual download

For air-gapped servers or out-of-band deployment. Microsoft Update Catalog returns every OS-version variant of this update.

↗ Microsoft Update CatalogKB5009557

Manual remediation steps

Prerequisites

    1
    Local administrator on the target server
    1
    Maintenance window with reboot capacity
    1
    Current backup or snapshot you can roll back to
    1
    Network path to Windows Update / WSUS / Microsoft Update Catalog

Estimated time

20–40 minutes per server (download + install + reboot)

Reboot required

Yes — install the cumulative update and reboot the server before the fix is active.

Steps

1. Confirm the server is missing the patch

Get-HotFix -Id KB5009557 -ErrorAction SilentlyContinue

2. Install the update — pick one channel

Windows Update / WSUS (preferred):

UsoClient ScanInstallWait

Manual download (offline / air-gapped):

1
Open Microsoft Update Catalog: https://catalog.update.microsoft.com/Search.aspx?q=KB5009557
2
Download the MSU for Windows Server 2019 that matches your architecture (x64).
3
Copy the .msu file to the server and run as Administrator.

3. Reboot

Restart-Computer -Force

Verification

Get-HotFix -Id KB5009557
[System.Environment]::OSVersion.Version

Rollback

wusa.exe /uninstall /kb:5009557 /quiet /norestart

Notes

    1
    This entry covers Windows Server 2019 specifically (KB5009557). Other Windows Server versions have their own KB for CVE-2022-21901.
    1
    Reference advisories: MSRC https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21901 and NVD https://nvd.nist.gov/vuln/detail/CVE-2022-21901.
PowerShell automationComing soon

No tested PowerShell script for this entry yet. We’re prioritising automation based on user demand.

References

CVE-2022-21901MSRC AdvisoryNVDKBKB5009557