Microsoft has released a security update for a denial-of-service vulnerability in Windows Hyper‑V, cataloged as CVE‑2025‑47999, that lets an attacker on an adjacent network crash virtualisation hosts and disrupt every guest VM running on them. The patch closes a missing synchronisation flaw (CWE‑820) in the hypervisor’s internals – a race condition that can be triggered with low privileges and no user interaction, according to the official advisory and the National Vulnerability Database.

Administrators and cloud operators should treat this medium‑severity bug as a operational priority, especially if Hyper‑V is the backbone of their server infrastructure. Because an attacker only needs network adjacency to weaponise the bug, the flaw poses a serious availability risk in multi‑tenant environments, management VLANs, and any network where a host and its VMs share a virtual switch.

What the vulnerability actually is

Missing synchronisation bugs are concurrency defects: two or more code paths try to access a shared resource at the same time without proper locking, and the result can be memory corruption, deadlocks, or, as in this case, a service crash. Microsoft’s advisory and public trackers describe CVE‑2025‑47999 precisely that way – a synchronisation gap in the Hyper‑V stack that a locally adjacent, authorised attacker can exploit to cause a denial of service (DoS).

The CVSS v3.1 vector tells the story: AV:A/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H. The attack vector is Adjacent Network (AV:A), meaning the attacker must be on the same physical‑ or logical‑layer network as the target. That is wider than “local” but narrower than “remote.” The attack complexity is low (AC:L), and only low privileges are required (PR:L) – for example, a limited user account or a compromised VM on the same host. No user interaction is needed (UI:N). The impact is confined to availability (A:H), so the attacker can interrupt service but cannot steal data or modify the system.

The resulting base score is 6.8 (Medium). While not as alarming as a remote code execution, the operational blast radius of a Hyper‑V host crash can easily turn a medium‑severity bug into a high‑impact incident.

Affected platforms – check your builds

The NVD and Microsoft’s advisory list a broad set of Windows client and server editions where Hyper‑V is present. All versions below a specific build number are vulnerable; applying the update bumps the host to a fixed build. The table below summarises the affected families and their patched thresholds:

Platform Versions affected Fixed build (≥)
Windows 10 1607 (x64) 10.0.14393.0 – before 10.0.14393.8246 10.0.14393.8246
Windows 10 1809 (x64) 10.0.17763.0 – before 10.0.17763.7558 10.0.17763.7558
Windows 10 21H2 (x64) 10.0.19044.0 – before 10.0.19044.6093 10.0.19044.6093
Windows 10 22H2 (x64) 10.0.19045.0 – before 10.0.19045.6093 10.0.19045.6093
Windows 11 22H2 (ARM64, x64) 10.0.22621.0 – before 10.0.22621.5624 10.0.22621.5624
Windows 11 22H3 (ARM64) 10.0.22631.0 – before 10.0.22631.5624 10.0.22631.5624
Windows 11 23H2 (x64) 10.0.22631.0 – before 10.0.22631.5624 10.0.22631.5624
Windows 11 24H2 (ARM64, x64) 10.0.26100.0 – before 10.0.26100.4652 10.0.26100.4652
Windows Server 2016 10.0.14393.0 – before 10.0.14393.8246 10.0.14393.8246
Windows Server 2016 (Server Core) 10.0.14393.0 – before 10.0.14393.8246 10.0.14393.8246
Windows Server 2019 10.0.17763.0 – before 10.0.17763.7558 10.0.17763.7558
Windows Server 2022 10.0.20348.0 – before 10.0.20348.3932 10.0.20348.3932
Windows Server 2022 23H2 10.0.25398.0 – before 10.0.25398.1732 10.0.25398.1732
Windows Server 2025 10.0.26100.0 – before 10.0.26100.4652 10.0.26100.4652

Derived from NVD CPE data and Microsoft’s Security Update Guide.

A quick PowerShell check (Get-ComputerInfo -Property “OsBuildNumber”) or a glance at winver will reveal your current build. Cross‑reference it with the numbers above; anything lower than the fixed build needs the patch.

A note on CVE numbering

Community discussion and external trackers confirm that the vulnerability was initially circulated as CVE‑2025‑49751 in some reports. That identifier does not exist in authoritative databases. The correct, assigned CVE is CVE‑2025‑47999. Organisations that have been scanning for CVE‑2025‑49751 should immediately switch to the proper ID to ensure their vulnerability management tools pick up the correct advisory and patches.

Why Hyper‑V DoS still stings

Even though the bug only allows a crash, Hyper‑V is rarely an inert component. In many enterprises it underpins hundreds of workloads. A host crash can:
- Instantly disconnect all guest VMs, halting databases, application servers, and user sessions.
- Trigger unplanned failovers in clustering setups, placing extra stress on remaining nodes.
- Require manual intervention – forced reboots, VM state recovery, sometimes corrupted checkpoints.
- In multi‑tenant clouds or hosting, a single compromised tenant on the same subnet could cripple co‑tenants, causing financial and reputational damage.

Attackers also use DoS tactically – as a smokescreen for data exfiltration, as a way to force administrators to open additional maintenance channels, or simply to erode trust. The fact that an exploit requires only network adjacency makes it an appealing tool for anyone who can gain a foothold on the same broadcast domain.

Immediate mitigation: Patch first, segment second

The only complete fix is Microsoft’s security update. Administrators should apply it through Windows Update, WSUS, the Microsoft Update Catalog, or their enterprise patch management pipeline. The advisory pages on MSRC and NVD both link to the download and deployment guidance.

If you cannot patch within 72 hours, compensating controls can lower the risk:

  1. Isolate Hyper‑V management and VM traffic – Move host management interfaces, live migration networks, and any host‑only virtual switches to dedicated VLANs with strict access controls. Ensure that tenant or user networks are not adjacent.
  2. Remove unneeded network bridges – Disable any guest‑host bridging that is not essential. If a VM doesn’t need to talk directly to the host, block that path.
  3. Harden access – Restrict who can authenticate to the Hyper‑V host. Enable multi‑factor authentication for administrative accounts and review local user accounts.
  4. Inventory and audit – Use SCCM, Intune, or a simple WMI script to list every Hyper‑V host and its build number. Flag any that are below the fixed build.
  5. Monitor for anomalies – Increase logging on Hyper‑V hosts. Watch for vmms.exe crashes, unexpected host reboots, and mass VM state changes. If you run a SIEM, create correlation rules for these events.
  6. Plan your rollout – Test the patch in a staging environment that mirrors your production Hyper‑V configuration (live migration, checkpoints, virtual switches). Validate that core operations work, then push the update to production rings.

Detection and forensic clues

Because the bug is a race condition, there may be no clean “exploit artifact.” The most reliable indicators are symptoms of instability:
- Windows System log entries showing “The Hyper‑V Virtual Machine Management service terminated unexpectedly.”
- Application log errors referencing WMI or Hyper‑V VMMS failures.
- Cluster logs evidencing simultaneous node crashes or heartbeat loss.
- Sudden, uncommanded host reboots.
- Performance counter spikes (CPU, memory, or virtual switch I/O) just before a crash.

If you suspect an attack, capture memory dumps of the Hyper‑V management service (vmms.exe) and preserve the host’s event logs as close to the incident as possible. Short of a full forensic reversal, correlating the timing of network traffic with the crash window can help confirm exploitation.

Longer‑term hardening

Patching CVE‑2025‑47999 is the start, not the end. Organisations that rely on Hyper‑V should adopt architectural controls that limit the damage of future adjacent‑network bugs:
- Network segmentation – Maintain distinct VLANs for management, storage, live migration, and tenant traffic. Never bridge tenant and host networks.
- Host minimalism – Run only the Hyper‑V role and essential management agents on virtualisation hosts. Avoid co‑hosting file shares, DNS, or other services.
- Least‑privilege administration – Use dedicated, audited accounts for Hyper‑V management. Enable just‑in‑time access where possible.
- Immutable VM images – Build VM templates from trusted, versioned sources and avoid mounting untrusted VMs on production hosts.
- Continuous scanning – Integrate Hyper‑V build checks into your vulnerability management programme. Automate alerts when hosts fall out of compliance.
- Concurrency testing for extensions – If your organisation develops in‑house drivers or virtual switch extensions, enforce rigorous race‑condition testing as part of the CI/CD pipeline.

What’s left to worry about

Microsoft handled this vulnerability professionally: it assigned a CVE, published an advisory, and shipped a fix. The CVSS vector gives defenders clear prioritisation data. But a few uncertainties remain:

  • Adjacency semantics – “Adjacent network” can encompass everything from shared physical switches to cloud overlay networks. Organisations with flat network designs are at much greater risk than those with strict segmentation.
  • Exploit reliability – Race conditions are tricky to trigger consistently. Nevertheless, history shows that determined adversaries can chain them with other bugs or use brute‑force timing to achieve reliability. The low complexity rating suggests that exploitation is feasible once an attacker understands the target environment.
  • Patch adoption lag – Virtualisation hosts are often patched slowly because administrators fear regression in live migration or compatibility. The window between the release and full enterprise rollout is precisely when opportunistic attacks can succeed.
  • EPSS and exploitation trends – Current public vulnerability intelligence shows a low short‑term probability of mass exploitation. But for a targeted attacker who already has network adjacency, this bug is a high‑value DoS option.

Verification checklist for security teams

Use this list to confirm your environment is protected:

  • [ ] Confirm you are tracking CVE‑2025‑47999 (not the erroneous CVE‑2025‑49751).
  • [ ] Inventory all Hyper‑V hosts and record their exact OS build numbers.
  • [ ] Cross‑reference builds against the fixed values in the table above or the Microsoft Update Guide.
  • [ ] Deploy the security update to a test ring, validate Hyper‑V functionality (live migration, checkpoints, switch operations), then roll out to production.
  • [ ] Enable enhanced logging and SIEM alerting for Hyper‑V service failures.
  • [ ] After patching, verify that each host reports the expected fixed build.
  • [ ] Document a runbook for host recovery in case of a crash, including how to preserve forensic evidence.

Bottom line

CVE‑2025‑47999 is a medium‑severity vulnerability that demands high‑urgency patching. The missing synchronisation bug in Windows Hyper‑V can crater virtualisation hosts with just network adjacency and low privileges, making it a tangible risk for any organisation that hasn’t segmented its Hyper‑V management interfaces. Applying the Microsoft update is the only permanent solution; for those who need time to roll out, strict network isolation and heightened monitoring are effective stopgaps.

Vulnerability databases, community analysis, and early incident response discussions all agree: adjacent‑network DoS flaws in hypervisors are architecture‑level problems. Patch now, and use the momentum to reassess how your Hyper‑V hosts sit on the network. The next synchronisation bug might not give you days to react.