Full Report
Microsoft is asking businesses to reach out for support to mitigate a known issue causing Cluster service and VM restart issues after installing this month's Windows Server 2019 security updates. [...]
Analysis Summary
# Vulnerability: Post-Patch Instability in Windows Server: KB5062557 Leading to Cluster/VM Failure
## CVE Details
- CVE ID: Not Applicable (This is an unstable update/bug, not a security vulnerability)
- CVSS Score: N/A (Not a security flaw)
- CWE: N/A
## Affected Systems
- Products: Windows Server
- Versions: Systems that have installed update **KB5062557**.
- Configurations: Systems utilizing Failover Clustering or Virtual Machines (VMs).
## Vulnerability Description
The Microsoft update **KB5062557** is causing operational instability on Windows Server environments. Affected systems experience frequent reboot loops and critical cluster and VM failures. These issues manifest as frequent **Event ID 7031** errors in the system event logs, indicating service termination or unexpected restarts.
## Exploitation
- Status: Not Applicable (This is a stability/functionality bug introduced by an update, not a security exploit).
- Complexity: N/A
- Attack Vector: N/A
## Impact
- Confidentiality: Negligible (Direct impact not related to security)
- Integrity: High (System configuration and operational integrity is compromised due to unexpected restarts and failures)
- Availability: High (Leads to service downtime, cluster unavailability, and VM disruptions)
## Remediation
### Patches
- A resolution is stated to be **in development** and will be included in a future Windows update.
- **No general public patch** is currently available as of the report date.
### Workarounds
Organizations experiencing this known issue are instructed to **contact Microsoft's Support for business** to obtain and apply a specific mitigation configuration manually. Installing this mitigation removes the dependency on the faulty update's functionality.
## Detection
- **Indicators of Compromise (IoCs):** Frequent reboot loops affecting cluster nodes or cluster quorum loss. Specific Windows Event Logs showing repeated **Event ID 7031** messages related to vital services failing to start or restarting unexpectedly.
- **Detection methods and tools:** Standard event log monitoring tailored to identify Event ID 7031 recurrence on Windows Server environments shortly after applying KB5062557.
## References
- Vendor advisory: Microsoft (Indirectly referenced via BleepingComputer)
- Relevant links - defanged:
- bleepingcomputer com/news/microsoft/microsoft-windows-server-kb5062557-causes-cluster-vm-issues/