Security researchers at the SANS Internet Storm Center report a major spike in scanning activity targeting TCP ports 8530 and 8531. This indicates that threat actors are in a race to find and exploit the critical Windows Server Update Services (WSUS) RCE vulnerability (CVE-2025-59287) before organizations can apply the emergency patch.
Business Impact
This automated scanning means any unpatched, internet-facing WSUS server is at immediate risk of compromise. A breach of WSUS allows attackers to control the update mechanism for an entire enterprise, enabling them to deploy ransomware or spyware at scale, disguised as a legitimate Microsoft update.
Why It Happened
The flaw is a critical (CVSS 9.8) unauthenticated RCE, and public proof-of-concept code is available. Attackers are now automating the discovery of vulnerable servers, with reports of over 50 organizations already compromised in what is likely a reconnaissance phase.
Recommended Executive Action
This is a critical, time-sensitive threat. Direct your IT teams to confirm that the *second* emergency out-of-band patch from Microsoft for this CVE is applied. Ensure all WSUS servers are firewalled from the public internet and hunt for IoCs per CISA’s guidance.
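One way to check the firewalling advice above against real traffic, as an added example that is not part of the original brief: the script reads firewall log lines, picks out TCP connections to the WSUS ports 8530 and 8531 that come from outside the internal address ranges, and lists the servers where such traffic was allowed through. The key=value log format, the field names, the internal ranges and the sample lines are constructed assumptions; adapt them to your firewall's export.

```python
import ipaddress
import re
from collections import defaultdict

WSUS_PORTS = {8530, 8531}  # ports named in the scanning report
# Assumption: internal address space is RFC 1918; replace with your own ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD = re.compile(r"(\w+)=(\S+)")

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2025-01-01T10:00:01Z action=allow src=198.51.100.23 dst=10.0.5.10 dport=8530 proto=tcp
2025-01-01T10:00:02Z action=deny src=203.0.113.77 dst=10.0.5.10 dport=8531 proto=tcp
2025-01-01T10:00:04Z action=allow src=10.0.7.44 dst=10.0.5.10 dport=8530 proto=tcp
2025-01-01T10:00:09Z action=allow src=198.51.100.23 dst=10.0.5.10 dport=443 proto=tcp
2025-01-01T10:00:11Z action=allow src=192.0.2.9 dst=10.0.5.11 dport=8531 proto=tcp
2025-01-01T10:00:12Z action=deny src=203.0.113.77 dst=10.0.5.12 dport=8530 proto=tcp
malformed line without fields
"""

def is_external(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return not any(ip in net for net in INTERNAL_NETS)

def wsus_exposure(log_text):
    """Map each server to the external sources allowed/blocked on WSUS ports."""
    report = defaultdict(lambda: {"allowed": set(), "blocked": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        try:
            if f["proto"] != "tcp" or int(f["dport"]) not in WSUS_PORTS:
                continue
            if not is_external(f["src"]):
                continue  # internal clients talking to WSUS are expected
            bucket = "allowed" if f["action"] == "allow" else "blocked"
            dst = f["dst"]
        except (KeyError, ValueError):
            continue  # skip malformed or incomplete records
        report[dst][bucket].add(f["src"])
    return dict(report)

def exposed_servers(report):
    """Servers where at least one external source was allowed through."""
    return sorted(s for s, hits in report.items() if hits["allowed"])

if __name__ == "__main__":
    for server in exposed_servers(wsus_exposure(SAMPLE_LOG)):
        print("WSUS port reachable from outside:", server)
```

Servers that appear only under "blocked" are being scanned but filtered; servers returned by `exposed_servers` are the ones to firewall and check for patch status first.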
