WSUS servers

Winsage
October 31, 2025
Sophos Counter Threat Unit™ (CTU) researchers are investigating a remote code execution vulnerability, CVE-2025-59287, in Microsoft's Windows Server Update Services (WSUS). Microsoft released patches for affected Windows Server versions on October 14, 2025, and issued an out-of-band security update on October 23 after proof-of-concept code emerged. On October 24, Sophos detected exploitation of this vulnerability against internet-facing WSUS servers across various industries. The first recorded activity occurred at 02:53 UTC, when a threat actor executed a Base64-encoded PowerShell script to collect and exfiltrate sensitive information to Webhook.site. The script gathered data such as the server's external IP address, Active Directory domain users, and network configuration, and attempted to send it via HTTP POST requests. By 11:32 UTC the Webhook.site endpoint had reached its limit of 100 requests. Affected entities included universities and organizations in the technology, manufacturing, and healthcare sectors, primarily in the United States. Censys scan data confirmed that the exploited servers had the default WSUS ports 8530 and 8531 exposed to the internet. CTU recommends that organizations review vendor advisories, apply the patches, identify exposed WSUS server interfaces, and examine logs for malicious activity. Sophos has implemented specific protections to detect related activity.
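One way to act on the "examine logs for malicious activity" recommendation above, as an added example that is not code from Sophos CTU or the original report: triage a WSUS host's own event logs for Base64-encoded PowerShell that gathers host or domain information and posts it out. It assumes PowerShell Script Block Logging (Microsoft-Windows-PowerShell/Operational, Event ID 4104) and/or process-creation auditing with command-line capture (Security, Event ID 4688) are enabled on the server. The string `webhook.site` comes from the report; the other indicator strings are assumed, generic patterns for the described behaviour and should be tuned to the environment.

```powershell
# Added example (not Sophos CTU code): hunt a WSUS host's event logs for encoded PowerShell
# that collects information and posts it to Webhook.site, as described in the report.
# Assumes 4104 script block logging and/or 4688 process auditing with command lines enabled.
# 'webhook.site' is from the report; the remaining indicators are assumed and should be tuned.
$Indicators = @('webhook.site', 'Invoke-WebRequest', 'Invoke-RestMethod', 'Get-ADUser', 'net user', 'ipconfig')

function ConvertFrom-EncodedCommand {
    # If a command line carries -EncodedCommand (or any prefix of it, such as -e or -enc),
    # return the decoded script. The payload is Base64 over UTF-16LE. Returns $null otherwise.
    param([string]$CommandLine)
    if ($CommandLine -match '-e[a-z]*\s+([A-Za-z0-9+/=]{20,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Find-WsusPostExploitActivity {
    param([datetime]$Since = (Get-Date).AddDays(-14))
    $hits = New-Object System.Collections.Generic.List[object]

    # Script block logging already holds the decoded script text (property index 2).
    $blocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since
    } -ErrorAction SilentlyContinue
    foreach ($e in $blocks) {
        $text = [string]$e.Properties[2].Value
        $matched = @($Indicators | Where-Object { $text -match [regex]::Escape($_) })
        if ($matched.Count -gt 0) {
            $hits.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = '4104 script block'
                Indicators = ($matched -join ','); Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
            })
        }
    }

    # Process creation: CommandLine is property index 8, ParentProcessName is index 13.
    # Only encoded command lines are decoded and inspected here.
    $procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $procs) {
        $decoded = ConvertFrom-EncodedCommand ([string]$e.Properties[8].Value)
        if ($decoded) {
            $matched = @($Indicators | Where-Object { $decoded -match [regex]::Escape($_) })
            $hits.Add([pscustomobject]@{
                Time = $e.TimeCreated; Source = "4688 encoded cmd, parent $($e.Properties[13].Value)"
                Indicators = ($matched -join ','); Preview = $decoded.Substring(0, [Math]::Min(120, $decoded.Length))
            })
        }
    }
    return $hits | Sort-Object Time
}

Find-WsusPostExploitActivity | Format-Table -AutoSize -Wrap
```

Run it elevated on the WSUS server itself, or point `Get-WinEvent` at a forwarded-event collector with `-ComputerName`. Every 4688 row is already an encoded PowerShell launch, so an empty `Indicators` column on such a row still deserves a look; a row that matches `webhook.site` corresponds directly to the exfiltration described above and should be treated as a confirmed compromise rather than a lead.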
Winsage
October 28, 2025
The Cybersecurity and Infrastructure Security Agency (CISA) has mandated that U.S. government agencies address a critical vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287, which allows remote code execution (RCE) on affected servers. Microsoft has released out-of-band security updates for this vulnerability, and IT administrators are urged to install them immediately. For those unable to do so, CISA recommends disabling the WSUS Server role on vulnerable systems. Active exploitation attempts targeting WSUS instances have been detected, and CISA has also added a second vulnerability, affecting Adobe Commerce, to its Known Exploited Vulnerabilities catalog. U.S. Federal Civilian Executive Branch agencies are required to patch their systems by November 14, 2025, under Binding Operational Directive 22-01. CISA emphasizes the need for all organizations to address these vulnerabilities to mitigate the risk of unauthorized remote code execution.
Winsage
October 25, 2025
On October 23, 2025, Microsoft released an out-of-band security update for a critical vulnerability identified as CVE-2025-59287, which affects Windows Server Update Services (WSUS) and allows remote, unauthenticated attackers to execute arbitrary code. The vulnerability was initially addressed in the October Patch Tuesday update, but the original patch was found to be insufficient. Exploitation was observed shortly after the out-of-band patch was released, leading to the vulnerability's inclusion in CISA's Known Exploited Vulnerabilities Catalog. Technical details and proof-of-concept exploits for CVE-2025-59287 are publicly available. Arctic Wolf has been monitoring a threat campaign targeting WSUS servers through ports 8530 and 8531, involving a malicious PowerShell script that executes commands to gather information from the domain. Arctic Wolf has established Managed Detection and Response coverage for this activity and recommends installing the fixed updates for the affected Windows Server versions and deploying the Arctic Wolf Agent and Sysmon for visibility into related events. For users unable to apply the update immediately, Microsoft suggests disabling the WSUS Server role or blocking inbound traffic to ports 8530 and 8531 at the host firewall as temporary mitigations.
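The assessment and mitigation steps from the two entries above (confirm the WSUS role and its listening ports, check for the fix, and either block inbound 8530/8531 or remove the WSUS Server role), as an added example that is not Microsoft's, CISA's or Arctic Wolf's code. It is meant to be run elevated on a Windows Server. The KB numbers of the fixed updates are not hard-coded: the assumed `-FixedKB` parameter takes the IDs from Microsoft's advisory for CVE-2025-59287 for the server's version. Nothing is changed unless `-BlockPorts` or `-RemoveRole` is passed.

```powershell
# Added example (not vendor code): assess a Windows Server for CVE-2025-59287 exposure and,
# only when asked, apply the temporary mitigations Microsoft describes. Run as administrator.
# -FixedKB is an assumed parameter: supply the KB ID(s) from the Microsoft advisory yourself.
param(
    [string[]]$FixedKB = @(),   # e.g. the out-of-band KB(s) for this OS version, from the advisory
    [switch]$BlockPorts,        # add a host-firewall rule blocking inbound TCP 8530/8531
    [switch]$RemoveRole         # uninstall the WSUS Server role instead
)

$WsusPorts = 8530, 8531

# 1. Is the WSUS Server role installed at all? (ServerManager module, Windows Server only.)
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS Server role (UpdateServices) is not installed; nothing to do on this host.'
    return
}
Write-Host 'WSUS Server role is installed.'

# 2. Which addresses are listening on the default WSUS ports? A LocalAddress of 0.0.0.0 or ::
#    means every interface, so a NIC with a public address exposes the service.
Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Is one of the fixed updates present? Get-HotFix reads the installed-update inventory;
#    cross-check with Windows Update history if the cumulative update does not appear.
if ($FixedKB.Count -gt 0) {
    $installed = Get-HotFix | Where-Object { $FixedKB -contains $_.HotFixID }
    if ($installed) { Write-Host "Fix present: $($installed.HotFixID -join ', ')" }
    else { Write-Warning "None of $($FixedKB -join ', ') is installed; this host is unpatched." }
}

# 4. Temporary mitigations, applied only on explicit request.
if ($BlockPorts) {
    $ruleName = 'Block inbound WSUS 8530-8531 (CVE-2025-59287 mitigation)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    }
    Write-Host "Inbound TCP 8530/8531 is blocked by rule '$ruleName'. WSUS clients cannot reach this server until the rule is removed."
}
if ($RemoveRole) {
    # Removing the role stops this server from serving updates; arrange client fallback first.
    Uninstall-WindowsFeature -Name UpdateServices -Confirm:$false | Out-Null
    Write-Host 'WSUS Server role removed; a restart may be required to complete removal.'
}
```

Both mitigations are deliberately disruptive: the firewall rule cuts off legitimate WSUS clients as well as attackers, and removing the role discards the server's update-serving function, which is why the script defaults to assessment only. The patch, not either mitigation, is the fix; re-run the assessment with `-FixedKB` after installing it and then remove the block rule.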