Full Report
Microsoft has fixed a known issue breaking HTTP/2 localhost (127.0.0.1) connections and IIS websites after installing recent Windows security updates. [...]
Analysis Summary
# Vulnerability: Windows Bug Breaks HTTP/2 Localhost Connections Post-Update
## CVE Details
- CVE ID: N/A (Microsoft describes this as a "known issue" addressed via update; no CVE has been assigned in the material summarized here)
- CVSS Score: N/A
- CWE: N/A
## Affected Systems
- Products: Windows 11, Windows Server 2025 (Systems affected by specific patches)
- Versions: Windows 11 24H2, Windows 11 25H2, Windows Server 2025 (Post-installation of specific updates)
- Configurations: Applications relying on `HTTP.sys` for incoming connections, especially those using `http://localhost` (127.0.0.1) via HTTP/2 (e.g., IIS websites, Duo Desktop app, Visual Studio debugging).
## Vulnerability Description
Recent Windows security updates (starting with the KB5065789 preview and the KB5066835 official release in October 2025) introduced a bug in the Windows HTTP server component, `HTTP.sys`. The flaw breaks HTTP/2 connections directed at the localhost address (127.0.0.1); affected connections fail with errors such as `ERR_CONNECTION_RESET` or `ERR_HTTP2_PROTOCOL_ERROR`. When the failure first appears on a given device depends on when the update was installed and when the device was last restarted.
## Exploitation
- Status: Not exploited (this is a regression introduced by a patch, not a security flaw known to be used by threat actors, although the functional disruption is high).
- Complexity: N/A (not applicable; a regression bug rather than an exploitable vulnerability).
- Attack Vector: N/A (the impact is on local service communication).
## Impact
- Confidentiality: None/Low (Focus is on service availability/functionality)
- Integrity: Low (Data exchange integrity may be affected by connection failures)
- Availability: High (Local web servers, development tools, and specific applications relying on localhost connections cease to function correctly).
## Remediation
### Patches
- A permanent fix will be included in a future Windows update (Specific KB article not yet available for the permanent fix).
### Workarounds
**For Home Users/Non-Managed Devices:**
1. Open "Windows Update" in Windows Settings.
2. Click "Check for updates" and allow any resulting updates to install.
3. Restart the device, even if no new updates were installed. (Microsoft reportedly resolved this automatically for most home users via Known Issue Rollback, KIR.)
**For Enterprise-Managed Devices:**
1. IT administrators must install and configure the specific Known Issue Rollback (KIR) group policy provided by Microsoft for Windows 11 24H2, 25H2, and Windows Server 2025 related to KB5066835.
## Detection
- Indicators of Compromise: None in the usual sense, since this is a regression rather than an attack; the symptom to look for is `ERR_CONNECTION_RESET` or `ERR_HTTP2_PROTOCOL_ERROR` when accessing `http://localhost` or local services after installing the affected updates (KB5065789, KB5066835).
- Detection methods and tools: Monitoring local application event logs for HTTP connection failures originating from IIS or ASP.NET Core services communicating via HTTP.sys.
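The following PowerShell triage script is an added example, not part of the original report or of any Microsoft tooling. It ties the detection points above to the workaround steps: it reports whether the device is on one of the builds named in the report (26100 for Windows 11 24H2 and Windows Server 2025, 26200 for Windows 11 25H2, taken from the KB titles in the references), whether either of the two updates is installed, and then issues an HTTP/2 request to a local service and surfaces the failure text. The local URL is a placeholder to adjust for the service under test; the request step assumes PowerShell 7.3 or later, where `Invoke-WebRequest` gained the `-HttpVersion` parameter.

```powershell
# Added triage script; not from Microsoft or the original report.
# Assumes Windows PowerShell 5.1+ for the build/KB checks and
# PowerShell 7.3+ for the HTTP/2 request test (-HttpVersion).
param(
    [string]$LocalUrl = 'http://localhost:5000/'   # placeholder: point at your own local site
)

# Builds and updates named in the report (build numbers from the KB titles).
$affectedBuilds = @{
    '26100' = 'Windows 11 24H2 / Windows Server 2025'
    '26200' = 'Windows 11 25H2'
}
$suspectKbs = @('KB5065789', 'KB5066835')

# 1. Is this one of the builds the known issue applies to?
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = "$($cv.CurrentBuild)"
$scope = if ($affectedBuilds.ContainsKey($build)) { $affectedBuilds[$build] } else { 'not in scope' }
Write-Host "OS build $build.$($cv.UBR) ($($cv.DisplayVersion)): $scope"

# 2. Is either of the updates that introduced the regression installed?
$installed = Get-HotFix | Where-Object { $suspectKbs -contains $_.HotFixID }
if ($installed) {
    $installed | ForEach-Object { Write-Host "Installed: $($_.HotFixID) on $($_.InstalledOn)" }
} else {
    Write-Host "None of $($suspectKbs -join ', ') reported by Get-HotFix"
}

# 3. Exercise an HTTP/2 request against the local service and surface any failure.
if ($PSVersionTable.PSVersion -lt [version]'7.3') {
    Write-Host 'Skipping request test: -HttpVersion requires PowerShell 7.3 or later'
    return
}
try {
    $r = Invoke-WebRequest -Uri $LocalUrl -HttpVersion 2.0 -TimeoutSec 5
    # BaseResponse is the underlying HttpResponseMessage; its Version is the negotiated protocol.
    Write-Host "Request succeeded: status $($r.StatusCode), negotiated HTTP/$($r.BaseResponse.Version)"
} catch {
    # A connection reset or protocol error here, on an affected build with one of the
    # updates installed, matches the symptom the report describes.
    Write-Host "Request failed: $($_.Exception.Message)"
}
```

Run it before and after applying the KIR (or after the "check for updates, then restart" steps) to confirm the local service answers again. Note that HTTP/2 is normally negotiated via ALPN over TLS, so testing an `https://` local site is the most faithful reproduction; over plain `http://` the client may fall back to HTTP/1.1, which is why the script prints the negotiated version rather than assuming HTTP/2 was used.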
## References
- Vendor Advisories: Microsoft Release Health Dashboard (Windows 11 25H2 status mentioned).
- Relevant links (reproduced verbatim, not defanged):
  - Microsoft KB5066835 support page: `https://support.microsoft.com/en-us/topic/october-14-2025-kb5066835-os-builds-26200-6899-and-26100-6899-1db237d8-9f3b-4218-9515-3e0a32729685`
  - Microsoft KB5065789 support page: `https://support.microsoft.com/en-us/topic/september-29-2025-kb5065789-os-builds-26200-6725-and-26100-6725-preview-fa03ce47-cec5-4d1c-87d0-cac4195b4b4e`
  - KIR Group Policy download link: `https://download.microsoft.com/download/16d61dc0-7e94-4cd2-ba3c-4f59dece8488/Windows%2011%2024H2,%20Windows%2011%2025H2%20and%20Windows%20Server%202025%20KB5066835%20251015_22001%20Known%20Issue%20Rollback.msi`
  - Guide on deploying KIR policies: `https://docs.microsoft.com/en-us/troubleshoot/windows-client/group-policy/use-group-policy-to-deploy-known-issue-rollback`