Update - We are keeping this maintenance window open in a monitoring state to ensure maximum visibility and to address the most frequent questions our support team is currently receiving.
Please note: The active maintenance work and all host reboots were successfully completed well ahead of schedule and with only a few minutes of downtime per VM. There is no ongoing downtime caused by our infrastructure.
- Why this status post is still open: Leaving this maintenance open does not mean that active work is still in progress. We are keeping it visible solely to ensure that customers checking the status page later are fully informed about this critical security update. If your server is currently unavailable, it is not due to ongoing host maintenance. Please check your VM's internal status (e.g., failed autostart services), as the host-level work has been concluded.
- Nested Virtualization is permanently disabled: This feature has been disabled across all dataforest virtualization environments and is explicitly not planned to be reactivated. We anticipate similar security vulnerabilities to emerge in the near future, making this a permanent security policy. Our urgent recommendation remains unchanged: migrate your individual services to the dataforest cloud, or choose a dedicated server if you intend to continue hosting your own virtual machines. Our support team is ready to assist you.
- Software Emulation as a temporary workaround: In some cases, you might still be able to run virtual machines inside of your VM without Nested Virtualization by relying entirely on software emulation (e.g., using QEMU only, without KVM). Please test individually if your services function this way. Be aware that without hardware acceleration (KVM), performance will be severely compromised due to high CPU overhead. However, it may serve as a temporary bridge until you can properly migrate.
- Mandatory external contact emails: If you run your own mail server with us, it is mandatory to register an external contact email address in your customer panel. If your registered email address is hosted on the exact server that is currently experiencing an outage, you simply cannot receive our support replies or critical updates.
Jul 09, 2026 - 21:31 CEST
Verifying - All VMs on vnode22 have successfully booted and are back online after the applied fix proved effective. We apologize for the extended downtime.
Jul 09, 2026 - 15:33 CEST
Update - vnode22 is currently not starting its VMs. Please bear with us while we are working on this issue.
Jul 09, 2026 - 15:17 CEST
In progress - vnode22 is rebooting right now.
Jul 09, 2026 - 14:52 CEST
Verifying - The "ernie" migration has completed 5 minutes ago.
vnode22 will be rebooted in the next minutes.
Jul 09, 2026 - 14:44 CEST
Update -
In light of recent events, we would like to point out the following to our customers:
- Customers who have previously used nested virtualization are advised to migrate their currently self-virtualized VMs to the dataforest cloud or switch to a dedicated server running Proxmox. Our support team is happy to advise you on this and will actively assist with the migration. Please keep in mind that nested virtualization is also not available in the dataforest cloud.
- We would also like to remind you of an important basic rule: If you run your own mail server with us, it is mandatory to register an external contact email address in the customer panel. If your registered email address is hosted on the exact server that is currently experiencing an outage, we simply cannot reach you in case of emergencies or support inquiries. Please check your settings and provide an independent address so that we can support you quickly and smoothly should the need arise.
Jul 09, 2026 - 13:01 CEST
Update - We have started the migration of "ernie" and will keep you updated on the progress.
The vnode22 reboot is planned to take place in about 3 hours.
Jul 09, 2026 - 11:17 CEST
In progress - We are currently preparing another required reboot of vnode22 (PHP-Friends G3 products) within the next few hours. A specific time will be announced as soon as possible.
This will also affect our Plesk web hosting system "ernie", which must be migrated to another node in this context, resulting in an extended downtime for this specific system. We apologize for the additional inconvenience.
Jul 09, 2026 - 09:46 CEST
Verifying - We have successfully completed the emergency maintenance well ahead of schedule. For the vast majority of VMs, the downtime was less than 5 minutes. We will keep this maintenance open in a monitoring state to ensure overall stability and carefully observe any incoming support tickets. Furthermore, due to the critical importance of this security update, leaving this post active ensures that customers checking the status page later will still be fully informed.
Jul 09, 2026 - 02:27 CEST
Update - Avoro VPS nodes vps-001 and vps-005 have successfully recovered and are back online. The host systems are currently starting all VMs. Please allow up to 10 minutes for your individual server to fully boot up and become reachable.
Jul 08, 2026 - 21:48 CEST
Update - We are currently experiencing unexpected issues with the Avoro VPS nodes vps-001 and vps-005 after applying the security update. Consequently, VMs on these hosts will remain offline for longer than 15 minutes. We are working on a fix with the highest priority.
Since this is a known issue that is being actively handled, please refrain from contacting support regarding these nodes. Keep an eye on this status page for the latest information.
Jul 08, 2026 - 21:43 CEST
In progress - Scheduled maintenance is currently in progress. We will provide updates as necessary.
Jul 08, 2026 - 18:30 CEST
Scheduled - A critical security vulnerability known as "Januscape" has been discovered in KVM, the core virtualization technology powering our infrastructure. This flaw potentially affects all virtual servers across our network. Over the past 24 hours, our team has analyzed the threat and developed an immediate mitigation plan.
This is one of the most severe vulnerabilities reported in KVM to date. While there are currently no public exploits available to compromise host systems, we expect this to change imminently. To ensure the absolute safety of all customer data and our infrastructure, immediate action is mandatory.
What we are doing
Over the next 24 hours, our engineers will work in multiple shifts to apply a security patch to all host systems, which requires a reboot of all virtual servers. Due to the extreme urgency of the situation and the massive scale of the infrastructure, it is unfortunately impossible to schedule individual maintenance windows.
Expected impact
- We expect a brief downtime of 5 to 15 minutes per virtual server. If your server is unreachable for more than 15 minutes, please check this status page for updates regarding potential host-specific issues. If there are no known issues listed, please contact our support.
- For unmanaged server customers: Ensure your VM is reboot-safe. Configure critical software to autostart on boot and terminate cleanly upon a shutdown signal from the host. Please understand that we cannot take responsibility for the internal configuration of unmanaged servers.
- For managed, webhosting, and TeamSpeak 3 customers: You do not need to take any action. Our team manages the configuration and safe reboot of your services automatically.
- As part of the security mitigation, we must globally disable nested virtualization (the ability to run a virtual machine inside your virtual server). This is a highly specific feature, and if your workload relies on it, you are likely aware of it. If this affects you, please reach out to our support immediately to discuss a custom solution.
We understand that this situation is unpleasant and challenging, but we must ensure the safety of all customers.
Affected products
This maintenance applies to every type of virtual server in our infrastructure, including:
- Seeds in the dataforest cloud
- Virtualized Avoro products (VPS, Rootserver, Power Rootserver, NVMe vServer, Compute vServer, Cloud Server)
- Every PHP-Friends vServer; both managed and unmanaged
- Our Plesk web hosting systems and TeamSpeak 3 servers (as these are hosted on the same virtualization platform)
Jul 8, 2026 18:30 - Jul 9, 2026 18:30 CEST