At least 50 organizations, mostly in the US, have been compromised by attackers exploiting a critical flaw (CVE-2025-59287) in Windows Server Update Services (WSUS). Researchers at Sophos and Google assess that the activity seen so far is a reconnaissance phase: the attackers are harvesting host, user and network information from compromised servers, likely to stage larger follow-on attacks.
Business Impact
Compromising WSUS is a “keys to the kingdom” attack. WSUS is the trusted distribution point for patches to every Windows machine in the organization, so an attacker who controls it can decide which updates reach which clients, and, where clients are configured to trust locally published content, can push their own packages (such as ransomware) at scale under the guise of routine Microsoft updates.
Why It Happened
The flaw is an unsafe deserialization of untrusted data in WSUS: a crafted request to the WSUS service is deserialized without validation, giving an unauthenticated attacker remote code execution on any server with the WSUS role enabled. Microsoft’s initial patch in the regular monthly release did not fully close the hole, so an emergency out-of-band patch followed last week. Many organizations have not yet applied that second update and remain vulnerable.
Recommended Executive Action
Mandate the immediate application of the *second*, out-of-band emergency patch for CVE-2025-59287 on every server running the WSUS role, including the required reboot, which the update needs before it takes effect. Where a server cannot be patched right away, apply Microsoft’s interim mitigation: disable the WSUS role or block inbound traffic to WSUS ports 8530 and 8531 at the host firewall. Direct the SOC to use CISA’s guidance to hunt for signs of compromise, since attackers who already exploited the first, incomplete fix may still have a foothold in the network.
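The following PowerShell script is an added illustration of the two actions above, not code from the original brief or from Microsoft, Sophos or Google. It checks whether a host is exposed (WSUS role installed and listening on 8530/8531), whether a given out-of-band update is present, and scans Security event 4688 for the publicly reported post-exploitation pattern of the WSUS service or its IIS worker process spawning a command shell. It assumes it is run elevated on the WSUS server with process-creation auditing enabled; the `-OobKb` value is the KB number for your OS build from Microsoft’s advisory and is deliberately not hard-coded here.

```powershell
# Added example: triage a WSUS host for CVE-2025-59287 exposure and hunt for
# shell spawns from the WSUS process. Assumes elevated PowerShell on the WSUS
# server and Security log auditing of process creation (event 4688).
param(
    # KB article of the out-of-band update for THIS OS build (from Microsoft's advisory).
    [Parameter(Mandatory)][string]$OobKb,
    [int]$LookbackDays = 14
)

function Test-WsusExposure {
    # WSUS is reachable only if the role is installed and the server listens on its
    # default ports (8530 HTTP / 8531 HTTPS). Microsoft's interim mitigations were to
    # remove the role or block inbound traffic to these ports.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 }
    [pscustomobject]@{
        RoleInstalled  = [bool]($role -and $role.Installed)
        ListeningPorts = @($listeners | Select-Object -ExpandProperty LocalPort -Unique)
    }
}

function Test-OobPatchInstalled {
    param([string]$Kb)
    # Get-HotFix lists installed updates by HotFixID ("KBnnnnnnn").
    $id = if ($Kb -like 'KB*') { $Kb } else { "KB$Kb" }
    [bool](Get-HotFix -Id $id -ErrorAction SilentlyContinue)
}

function Find-WsusShellSpawns {
    param([int]$Days)
    # Reported exploitation executes inside the WSUS process and then launches
    # cmd.exe / powershell.exe. Look for 4688 events whose creator process is
    # WsusService.exe or the IIS worker w3wp.exe. Caveat: on a shared IIS host,
    # w3wp.exe also serves other app pools, so review hits rather than alerting
    # blindly. ParentProcessName is only present on Server 2016 and later.
    $since = (Get-Date).AddDays(-$Days)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
        -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = [string]$d['ParentProcessName']
        $child  = [string]$d['NewProcessName']
        if ($parent -match '\\(wsusservice|w3wp)\.exe$' -and
            $child  -match '\\(cmd|powershell|pwsh)\.exe$') {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Parent  = $parent
                Child   = $child
                Command = $d['CommandLine']   # filled only if command-line auditing is enabled
            }
        }
    }
}

$exposure = Test-WsusExposure
$patched  = Test-OobPatchInstalled -Kb $OobKb
$hits     = @(Find-WsusShellSpawns -Days $LookbackDays)

"WSUS role installed : $($exposure.RoleInstalled)"
"Listening on 8530/1 : $($exposure.ListeningPorts -join ', ')"
"OOB update $OobKb   : $(if ($patched) { 'installed' } else { 'MISSING - install and reboot' })"
"Suspicious spawns   : $($hits.Count)"
$hits | Format-Table -AutoSize
```

Run it as `.\Check-Wsus.ps1 -OobKb <KB from the advisory>` on each WSUS server. A host that shows the role installed, ports listening and the update missing is the one to patch or isolate first; any shell-spawn hit should be escalated to incident response regardless of patch state, because the fix does not evict an attacker who is already in.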
Hashtags: #WSUS #Microsoft #Vulnerability #PatchManagement #CyberSecurity #RCE #CVE #InfoSec
