Tech News
← Back to articles

CISA orders feds to patch Windows Server WSUS flaw used in attacks

2025-10-31 | original
read original related products more articles

The Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to patch a critical-severity Windows Server Update Services (WSUS) vulnerability after adding it to its catalog of security flaws exploited in attacks.

Tracked as CVE-2025-59287, this actively exploited, potentially wormable remote code execution (RCE) vulnerability affects Windows servers with the WSUS Server role (a feature that isn't enabled by default) that act as update sources for other WSUS servers within the organization.

Attackers can abuse it remotely in low-complexity attacks that don't require user interaction or privileges, allowing them to gain SYSTEM privileges and run malicious code.

On Thursday, after cybersecurity firm HawkTrace Security released proof-of-concept exploit code, Microsoft released out-of-band security updates to "comprehensively address CVE-2025-59287" on all impacted Windows Server versions and advised IT administrators to install them as soon as possible.

IT admins who can't immediately deploy the emergency patches are advised to disable the WSUS Server role on vulnerable systems to remove the attack vector.

Active exploitation in the wild

The day CVE-2025-59287 patches were released, American cybersecurity company Huntress found evidence of CVE-2025-59287 attacks targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online.

Dutch cybersecurity firm Eye Security also observed scanning and exploitation attempts on Friday morning, with at least one of its customers' systems compromised using a different exploit than the one shared by Hawktrace over the weekend.

While Microsoft has classified CVE-2025-59287 as "Exploitation More Likely," flagging it as an appealing target for threat actors, it has not yet updated its security advisory to confirm active exploitation.

Since then, the Shadowserver Internet watchdog group is tracking over 2,800 WSUS instances with the default ports (8530/8531) exposed online, though it didn't say how many are already patched.

... continue reading

Related:
iOS 26.1 Adds These Features to Your iPhone, Including a Liquid Glass Setting
Windows 10 update incorrectly tells some users they've reached end-of-life, despite having extended support — Microsoft confirms message sent to Enterprise, Pro, and Education users in error
DOJ Accuses US Ransomware Negotiators of Launching Their Own Ransomware Attacks
The Ultimate Guide to Locking Your Social Security Number and Protecting Your Identity
Windows 10 update bug triggers incorrect end-of-support alerts

© 2025 GoKawiil