Leaving out many of the specifics about how Azure Sphere devices work. Under normal circumstances it appears that you shoudl neither be able to downgrade a devices firmware, nor install any firmware without providing the Microsoft-signed manifest beforehand.

The issue Talos Found was that it was posisble to install the “Trusted Keystore” image wihtout any manifest or version restriction. So by installing a different version will result in the Pluton processor (root of trust on Azure Sphere) using a bad key when checking the firmware image, leading to a failed verification and rebooting the device (repeating the process).