server role Archives

Winsage

November 25, 2025

Microsoft to remove WINS support after Windows Server 2025

Microsoft will remove the Windows Internet Name Service (WINS) from all future Windows Server releases after November 2034. WINS was officially deprecated with Windows Server 2022 in August 2021, and Windows Server 2025 will be the last version to support it. Standard support for WINS will continue until November 2034. Organizations are encouraged to migrate to DNS-based name resolution solutions before this deadline. The removal will include the WINS server role, management console snap-in, automation APIs, and related interfaces. Microsoft recommends auditing services dependent on NetBIOS name resolution and migrating to DNS solutions. Static host files are not advised as a workaround. Organizations should begin migration planning to avoid operational disruptions.

Winsage

November 24, 2025

Microsoft Retires WINS in Windows Server 2025

Microsoft has officially retired the Windows Internet Name Service (WINS) as part of the transition to modern DNS-based solutions. WINS, which resolved NetBIOS names to IP addresses, is being phased out due to its outdated nature and security vulnerabilities. It was deprecated with the release of Windows Server 2022 and will be completely removed in future releases, although support will continue until November 2034. Organizations are encouraged to transition to DNS and identify systems relying on WINS for name resolution. They should implement features like conditional forwarders and update or retire legacy applications that depend on WINS.

Winsage

October 28, 2025

Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild

On October 14, 2025, a critical remote code execution (RCE) vulnerability, CVE-2025-59287, was discovered in Microsoft's Windows Server Update Services (WSUS). The vulnerability allows remote, unauthenticated attackers to execute arbitrary code with system privileges on affected servers. It was initially addressed on October 14, but the patch was insufficient, leading to an urgent out-of-band update on October 23. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog on October 24, indicating its immediate threat. The vulnerability affects Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025, specifically on servers with the WSUS role enabled. Attackers are exploiting the vulnerability by targeting publicly exposed WSUS instances on TCP ports 8530 (HTTP) and 8531 (HTTPS). Approximately 5,500 WSUS instances have been identified as exposed to the internet. Microsoft recommends disabling the WSUS Server Role or blocking inbound traffic to the high-risk ports as temporary workarounds for organizations unable to apply the emergency patches immediately.

Winsage

October 28, 2025

CISA orders feds to patch actively exploited Windows Server WSUS flaw

The Cybersecurity and Infrastructure Security Agency (CISA) has mandated U.S. government agencies to address a critical vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287, which allows for remote code execution (RCE) on affected servers. Microsoft has released out-of-band security updates for this vulnerability, and IT administrators are urged to implement these updates immediately. For those unable to do so, CISA recommends disabling the WSUS Server role on vulnerable systems. Active exploitation attempts targeting WSUS instances have been detected, and CISA has also added a second vulnerability affecting Adobe Commerce to its Known Exploited Vulnerabilities catalog. U.S. Federal Civilian Executive Branch agencies are required to patch their systems by November 14th, 2023, under the Binding Operational Directive 22-01. CISA emphasizes the need for organizations to address these vulnerabilities to mitigate risks of unauthorized remote code execution.

Winsage

October 25, 2025

Microsoft Releases Emergency Patch for Exploited Critical Remote Code Execution Vulnerability (CVE-2025-59287)

On October 23, 2025, Microsoft released an out-of-band security update for a critical vulnerability identified as CVE-2025-59287, which affects Windows Server Update Services (WSUS) and allows remote, unauthenticated attackers to execute arbitrary code. The vulnerability was initially addressed in the October Patch Tuesday update, but the original patch was deemed insufficient. Following the release of the new patch, threat actors began exploiting the vulnerability, leading to its inclusion in CISA’s Known Exploited Vulnerabilities Catalog. Technical details and proof-of-concept exploits for CVE-2025-59287 have been made publicly available. Arctic Wolf has been monitoring a threat campaign targeting WSUS servers through ports 8530 and 8531, involving a malicious PowerShell script that executes commands to gather information from the domain. Arctic Wolf has established Managed Detection and Response coverage for these activities and recommends upgrading to the latest fixed versions of Windows Server and installing the Arctic Wolf Agent and Sysmon for visibility into related events. For users unable to apply the update immediately, Microsoft suggests disabling WSUS or blocking inbound traffic to ports 8530 and 8531 as temporary mitigations.

Winsage

October 25, 2025

Act Now — Microsoft Issues Emergency Windows Update As Attacks Begin

Microsoft has announced an emergency fix for a critical vulnerability, CVE-2025-59287, affecting Windows Server users, specifically within the Windows Server Update Service (WSUS). The Cybersecurity and Infrastructure Security Agency (CISA) has indicated that attacks exploiting this vulnerability are already occurring. The WSUS Server Role is not enabled by default, meaning only servers with this role activated are at risk unless the fix is applied. CISA has mandated that certain federal agencies address this issue within two weeks and advises organizations to follow Microsoft's guidance to prevent unauthorized remote code execution. Recommended steps include identifying vulnerable servers, applying the security update released on October 23, 2025, and rebooting WSUS servers post-installation. For those unable to update immediately, disabling the WSUS server role and blocking inbound traffic to ports 8530 and 8531 is advised.

Winsage

October 24, 2025

Microsoft Issues Emergency Patch for Actively Exploited Critical WSUS Vulnerability

Microsoft has released out-of-band security updates to address a critical vulnerability in the Windows Server Update Service (WSUS), identified as CVE-2025-59287, which has a CVSS score of 9.8 and is actively being exploited. The vulnerability allows unauthorized remote code execution due to unsafe deserialization of untrusted data. It affects various supported versions of Windows Server, including 2012, 2012 R2, 2016, 2019, 2022, and 2025 (23H2 Edition, Server Core installation). Microsoft recommends applying the patch and rebooting the system, or alternatively, disabling the WSUS Server Role or blocking inbound traffic to Ports 8530 and 8531. The Dutch National Cyber Security Centre (NCSC) reported active exploitation on the same day the updates were released. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to address it by November 14, 2025.

Winsage

October 24, 2025

Windows Server emergency patches fix WSUS bug with PoC exploit

Microsoft has released out-of-band security updates to address a critical-severity vulnerability in its Windows Server Update Service (WSUS), tracked as CVE-2025-59287. This remote code execution flaw affects Windows servers with the WSUS Server Role enabled, allowing low-complexity remote attacks without user interaction. If the WSUS server role is enabled and the fix is not installed, the server becomes vulnerable. Microsoft recommends that customers install the updates immediately and provided alternative measures, such as disabling the WSUS Server Role or blocking inbound traffic to Ports 8530 and 8531. The update is cumulative and supersedes all previous updates for affected versions. After installation, WSUS will no longer display synchronization error details as a temporary risk mitigation measure.

Winsage

October 24, 2025

Microsoft Releases Emergency Patch For Windows Server Update Service RCE Vulnerability

Microsoft released an emergency patch on October 23, 2025, to address a critical remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS). The vulnerability, rated critical with a CVSS score of 9.8, allows unauthorized attackers to execute arbitrary code over the network through unsafe deserialization of untrusted data. Although WSUS is not enabled by default, organizations using it are at risk if unpatched. The CVE's temporal score was updated to 8.8 after proof-of-concept exploit code was confirmed. The patch is available through various Microsoft update channels but requires a server reboot. Temporary workarounds include disabling the WSUS server role or blocking specific inbound traffic. Affected versions include Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 (23H2 Edition), and 2025, each with corresponding patch KB numbers.

Winsage

October 24, 2025

Microsoft releases urgent fix for actively exploited WSUS vulnerability (CVE-2025-59287)

Microsoft has released an out-of-band security update to address the critical CVE-2025-59287 vulnerability, which affects Windows Server Update Services (WSUS) and is currently being exploited. This vulnerability allows unauthorized attackers to execute code on vulnerable machines without user interaction by sending specially crafted events to the WSUS server. It specifically impacts Windows Server machines with the WSUS Server role enabled. The initial fix provided in October 2025 was insufficient, leading to the release of this additional update. The German Federal Office for Information Security has raised concerns about potential exploitation if network configurations are not properly managed. Compromised WSUS servers could distribute malicious updates to client devices. The update is available for all supported Windows Server versions and requires a reboot. Administrators can temporarily disable the WSUS server role or block inbound traffic to specific ports if immediate implementation is not possible. This cumulative update supersedes all prior updates for affected versions.