CISA releases warning about Windows Server Update Service bug, orders agencies to patch

Summary

CISA has issued an urgent advisory about CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Service (WSUS). Microsoft published an out-of-band update after confirming the original fix did not fully mitigate the issue and public proof-of-concept code appeared. The flaw affects WSUS on Windows Server 2012, 2016, 2019, 2022 and 2025 and carries a CVSS score of 9.8.

CISA ordered all federal agencies to patch by 14 November and strongly urged all organisations to apply Microsoft’s updated guidance immediately. Multiple security firms (watchTowr, Huntress, Unit42) have observed in-the-wild, indiscriminate exploitation of the vulnerability. For those unable to patch right away, CISA recommends identifying exposed servers and blocking specific inbound ports as a temporary mitigation.

Key Points

  1. CVE-2025-59287 is a critical RCE vulnerability in WSUS with a 9.8 severity score.
  2. Microsoft reissued the advisory after the initial update did not fully mitigate the issue and PoC code became public.
  3. CISA ordered federal agencies to patch by 14 November and urges all organisations to apply the out-of-band patch now.
  4. Multiple security teams have confirmed active, indiscriminate exploitation in the wild.
  5. Immediate actions: identify vulnerable WSUS servers, apply Microsoft’s updated patch, reboot servers, and block inbound traffic to specified ports if you cannot patch immediately.
  6. Many WSUS instances are exposed to the internet; internet-accessible WSUS should be closed off to reduce risk.
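The identify / patch / reboot / block-ports sequence above, written as a defender-side PowerShell triage script. This is an added example, not code from the article, CISA or Microsoft. It assumes WSUS's default listener ports 8530 (HTTP) and 8531 (HTTPS), which the article does not name (it only says "specified ports"), and it uses a placeholder KB identifier because the article does not give the out-of-band update's id; both values should be confirmed against Microsoft's updated guidance before use.

```powershell
# Added defender-side triage helper for the WSUS advisory (not from the article,
# CISA or Microsoft). Labelled assumptions: the WSUS default ports 8530/8531 are
# assumed because the article only says "specified ports"; the KB id below is a
# placeholder to replace with the identifier from Microsoft's out-of-band guidance.
#Requires -RunAsAdministrator

$WsusPorts = @(8530, 8531)          # assumed WSUS defaults; confirm against vendor guidance
$PatchKbId = 'KB<OOB-UPDATE-ID>'    # placeholder, not given on the page

function Test-WsusRoleInstalled {
    # Uses the ServerManager module that ships with Windows Server.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Get-WsusListeners {
    # A listener bound to 0.0.0.0 or :: accepts connections on every interface,
    # which is how an update server ends up reachable from the internet.
    Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort,
            @{ Name = 'AllInterfaces'; Expression = { $_.LocalAddress -in @('0.0.0.0', '::') } }
}

function Test-OobPatchInstalled {
    # Get-HotFix reports updates installed through Windows Update/WUSA; no match
    # means "not found" and the host should be treated as unpatched until verified.
    return [bool](Get-HotFix -Id $PatchKbId -ErrorAction SilentlyContinue)
}

function Block-WsusInbound {
    # Temporary mitigation from the advisory: block inbound TCP to the WSUS ports.
    # Preview with -WhatIf; remove the rules once the patch is applied and the
    # server has been rebooted.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($port in $WsusPorts) {
        $name = "Temp block WSUS inbound $port (CVE-2025-59287)"
        if ($PSCmdlet.ShouldProcess("TCP/$port", 'Create inbound block rule')) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

# Triage run: role present? what is listening where? is the update installed?
if (-not (Test-WsusRoleInstalled)) {
    Write-Output 'WSUS role is not installed on this host; nothing to do here.'
    return
}
Write-Output 'WSUS listeners (AllInterfaces = True means every NIC, check edge exposure):'
Get-WsusListeners | Format-Table -AutoSize
if (Test-OobPatchInstalled) {
    Write-Output "$PatchKbId is present. Confirm the server was rebooted after installation."
} else {
    Write-Warning "$PatchKbId not found: treat this server as vulnerable. Apply the out-of-band update and reboot."
    Write-Warning 'Until then, run Block-WsusInbound (preview with -WhatIf) to cut inbound access to the WSUS ports.'
}
```

Run it on each server that carries the WSUS role; the listener table is the quickest way to spot an instance bound to all interfaces, which is the exposure the advisory says to close off. The firewall rules are a stopgap only: they also stop legitimate clients from pulling updates, so they should come out as soon as the patched server is back up.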

Context and relevance

WSUS is a trusted update mechanism used by IT teams to distribute Microsoft updates across environments. Because WSUS runs with elevated privileges and can write to the file system, a successful exploit can give attackers full control of affected systems and may bypass some endpoint defences that tacitly trust update services.

This advisory is significant for any organisation that still runs WSUS, especially those with internet-exposed update servers or legacy server versions. The combination of a high CVSS score, public PoC code and active exploitation raises the urgency: unpatched instances are highly likely to be compromised quickly.

Why should I read this?

Short version: patch now. If you run WSUS, this isn’t a drill. The vulnerability gives attackers a direct route to system-level code execution and we’re already seeing it being used in the wild. We’ve read the long, messy advisories so you don’t have to — follow the patch and mitigation steps straight away.

Author style

Punchy: This is high-priority security news. If your environment uses WSUS, consider this essential reading and immediate action. If you’re responsible for patch management or infrastructure, escalate this now — the risk is proven and exploitation is happening.

Source

Source: https://therecord.media/wsus-vulnerability-cisa-late-friday-warning