Full Report
Microsoft is working to resolve a known issue that causes its Defender for Endpoint enterprise endpoint security platform to incorrectly tag SQL Server software as end-of-life. [...]
Analysis Summary
# Incident Report: False Positive Flagging of SQL Server by Microsoft Defender
## Executive Summary
Microsoft Defender for Endpoint experienced an issue where it incorrectly tagged supported versions of SQL Server (2017 and 2019) as end-of-life. This was caused by a code issue introduced in a recent update to the endpoint security platform, leading to inaccurate vulnerability reporting within Threat and Vulnerability Management. Microsoft acknowledged the bug, deployed a fix, and categorized the event as an advisory due to its limited scope.
## Incident Details
- Discovery Date: Wednesday morning (Prior to Thursday notification)
- Incident Date: At least since Wednesday morning (Prior to October 9, 2025)
- Affected Organization: Microsoft Defender XDR customers utilizing SQL Server 2017/2019
- Sector: Technology/Security Software
- Geography: Global (Affecting customers using the platform)
## Timeline of Events
### Initial Access
- Date/Time: Prior to Thursday morning, October 9, 2025 (Began at least Wednesday morning)
- Vector: Internal code deployment/update within Microsoft Defender for Endpoint.
- Details: A recent change introduced a code issue that incorrectly updated the end-of-support status for SQL Server versions.
### Lateral Movement
- Not applicable. This was a false-positive alerting issue originating from the security platform itself, not a threat actor intrusion.
### Data Exfiltration/Impact
- No data exfiltration or system compromise occurred.
- Impact: Inaccurate threat and vulnerability management data presented to customers regarding their SQL Server instances.
### Detection & Response
- Detection: The issue was identified internally or reported by customers (service alert seen Thursday morning).
- Response actions taken: Microsoft deployed a fix designed to reverse the offending code change.
## Attack Methodology
- Initial Access: N/A (Internal software defect)
- Persistence: N/A
- Privilege Escalation: N/A
- Defense Evasion: N/A
- Credential Access: N/A
- Discovery: N/A
- Lateral Movement: N/A
- Collection: N/A
- Exfiltration: N/A
- Impact: False-positive reporting leading to potential operational confusion or inappropriate patching prioritization.
## Impact Assessment
- Financial: Not quantified, but likely limited to internal remediation costs and customer confusion.
- Data Breach: None.
- Operational: Reporting inaccuracy in Threat and Vulnerability Management for organizations running SQL Server 2017/2019. Described as an advisory (limited scope).
- Reputational: Minor reputational impact on the reliability of Defender's vulnerability management features.
## Indicators of Compromise
- Network indicators: None specific to a threat actor.
- File indicators: None.
- Behavioral indicators: Inaccurate "end-of-life" tagging for SQL Server 2017/2019 within Defender portals.
## Response Actions
- Containment measures: N/A (No external threat to contain).
- Eradication steps: Deployment of a fix to reverse the offending code change that introduced the bug.
- Recovery actions: Notification to customers via service alert and confirmation of the fix deployment.
## Lessons Learned
- Key takeaways: Recent code changes in security platforms can inadvertently introduce significant false positives affecting critical infrastructure components (here, SQL Server). The process for validating end-of-life status updates needs rigorous testing.
- What could have been done better: Faster deployment of the fix (issue noted Wednesday morning, confirmed Thursday morning).
## Recommendations
- Prevention measures for similar incidents: Implement stricter pre-deployment testing or staging environments specifically for vulnerability definitions and metadata updates within endpoint security platforms before widespread release. Ensure robust rollback mechanisms for definition deployments.