Full Report
Microsoft has finally fixed a known issue that was causing systems running Windows Server 2019 and 2022 to "unexpectedly" upgrade to Windows Server 2025. [...]
Analysis Summary
# Vulnerability: Windows Server Unexpected In-Place Upgrade Bug
## CVE Details
- **CVE ID**: N/A (Categorized as a "Known Issue" / Logic Error)
- **CVSS Score**: N/A
- **CWE**: CWE-693: Protection Mechanism Failure (Operational logic flaw)
## Affected Systems
- **Products**: Windows Server
- **Versions**: Windows Server 2019 and Windows Server 2022
- **Configurations**: Systems utilizing Windows Update for feature updates or managed via third-party update management tools.
## Vulnerability Description
A procedural and classification error in the Windows Update delivery mechanism caused Windows Server 2019 and 2022 environments to treat the Windows Server 2025 release as a mandatory or automatically applicable update rather than an optional feature upgrade. This resulted in "unexpected" in-place upgrades. While Microsoft initially attributed the issue to misconfigured third-party tools, findings suggest the root cause involved how the upgrade was classified and broadcast via the Windows Update settings panel.
## Exploitation
- **Status**: Not exploited (Functional bug/Operational failure)
- **Complexity**: Low
- **Attack Vector**: Network (via Windows Update delivery infrastructure)
## Impact
- **Confidentiality**: None
- **Integrity**: Low (Unauthorized system state change and modification of OS environment)
- **Availability**: High (Potential for downtime due to unplanned reboots, licensing mismatches, and application incompatibility with the new OS version)
## Remediation
### Patches
- **Microsoft Fix**: Microsoft has re-enabled and corrected the upgrade offer via the Windows Update settings panel. Organizations should ensure they are running current servicing stack updates.
- **Out-of-Band updates**: While not directly fixing this logic bug, Microsoft released unrelated emergency updates (KB5086672, KB5085516) to address stability issues in the same period.
### Workarounds
- **Group Policy**: Use "Select the target Feature Update version" via GPO to lock servers to a specific version (e.g., 21H2 or 1809).
- **Registry**: Set `TargetReleaseVersion` to `1` and `TargetReleaseVersionInfo` to the desired version string to prevent accidental leaps to Server 2025.
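The registry workaround above, as an added PowerShell example (not from the advisory or from Microsoft's own tooling): it pins a Windows Server 2019 or 2022 host to its current feature-update version and verifies the pin. It assumes the policy values live under the standard Windows Update policy key `HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`; the OS-to-version mapping and the `2025` check are constructed for this example.

```powershell
# Added example, not the advisory's own code. Assumption: TargetReleaseVersion and
# TargetReleaseVersionInfo are read from the Windows Update policy key below.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'

# Constructed mapping from the installed server release to the feature-update
# string the advisory names for it (1809 for 2019, 21H2 for 2022).
$PinMap = @{ '2019' = '1809'; '2022' = '21H2' }

function Get-ExpectedTargetVersion {
    # Win32_OperatingSystem.Caption looks like "Microsoft Windows Server 2022 Standard".
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    if ($caption -match 'Windows Server 2025') {
        # A host that already reports 2025 is the detection signal from the
        # Detection section: reconcile it against change records, do not pin it.
        throw "Host already reports '$caption'; verify against authorized change requests"
    }
    foreach ($year in $PinMap.Keys) {
        if ($caption -match "Windows Server $year") { return $PinMap[$year] }
    }
    throw "No pin defined for OS caption '$caption'"
}

function Set-FeatureUpdatePin {
    param([Parameter(Mandatory)][string]$Version)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # DWORD 1 enables the pin; the string names the version the host may not exceed.
    New-ItemProperty -Path $PolicyKey -Name 'TargetReleaseVersion' `
        -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name 'TargetReleaseVersionInfo' `
        -PropertyType String -Value $Version -Force | Out-Null
}

function Test-FeatureUpdatePin {
    param([Parameter(Mandatory)][string]$Version)
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $p) -and
           ($p.TargetReleaseVersion -eq 1) -and
           ($p.TargetReleaseVersionInfo -eq $Version)
}

# Apply the pin only where it is missing or wrong, then report the verified state.
$expected = Get-ExpectedTargetVersion
if (-not (Test-FeatureUpdatePin -Version $expected)) {
    Set-FeatureUpdatePin -Version $expected
}
"Pinned to $expected : $(Test-FeatureUpdatePin -Version $expected)"
```

Run it elevated; where the GPO in the previous bullet already manages the key, the script's `Test-FeatureUpdatePin` call doubles as a compliance check without rewriting the values.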
## Detection
- **Indicators of compromise**: Systems reporting a "Windows Server 2025" OS version without authorized change requests.
- **Detection methods**: Monitor for OS version changes in asset management software or SIEM logs (Event ID 6005/6006 combined with inventory data).
## References
- **Vendor Advisory**: https://learn.microsoft.com/en-us/windows/release-health/status-windows-server-2025#windows-server-2022-and-server-2019-unexpectedly-upgraded-to-windows-server-2025
- **Technical Guidance**: https://learn.microsoft.com/en-us/windows-server/get-started/upgrade-in-place?tabs=windows-update
- **News Source**: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-bug-behind-windows-server-2025-automatic-upgrades/