Full Report
The Cybersecurity and Infrastructure Security Agency (CISA) ordered U.S. government agencies to patch a critical-severity Windows Server Update Services (WSUS) vulnerability after adding it to its catalog of security flaws exploited in attacks. [...]
Analysis Summary
# Active Exploitation of Windows Server WSUS Flaw
The Cybersecurity and Infrastructure Security Agency (CISA) has ordered U.S. government agencies to patch a critical-severity Windows Server Update Services (WSUS) vulnerability after adding it to its catalog of security flaws exploited in attacks.
## Key Points
- A critical-severity Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287) was added to CISA's Known Exploited Vulnerabilities catalog.
- The vulnerability is actively being exploited in the wild, targeting WSUS instances with their default ports exposed online.
- Microsoft has released out-of-band security updates to comprehensively address CVE-2025-59287 on all impacted Windows Server versions.
## Threat Actors
- At least one U.S. government agency's system was compromised using a different exploit than the one shared by Hawktrace.
- Attackers can abuse the vulnerability remotely in low-complexity attacks, allowing them to gain SYSTEM privileges and run malicious code.
## TTPs
- Remote Code Execution (RCE)
- Potentially wormable
- Exploitation of WSUS Server role with default ports exposed online
## Affected Systems
- Windows servers with the WSUS Server role enabled
- WSUS servers within organizations that act as update sources for other WSUS servers
## Mitigations
- Patching WSUS vulnerability (CVE-2025-59287) as soon as possible
- Disabling the WSUS Server role on vulnerable systems to remove the attack vector
- Rebooting WSUS servers after installation to complete mitigation and secure remaining Windows servers