Cyber Alert: Microsoft WSUS Remote Code Execution Vulnerability
Attention HIROC Subscribers:
As your proactive partner in safety, HIROC is sharing the following important notice.
Please share this Alert with your Information Technology (IT) team, Information Security Management team, Chief Information Officer, and Chief Technology Officer and, as appropriate, with your users, to raise awareness about a potential cyber threat and to address potential risks promptly.
The purpose of this Alert is to raise awareness about a recently disclosed critical Windows Server Update Services (WSUS) vulnerability, tracked as CVE-2025-59287, and to highlight the urgent actions required to protect your infrastructure.
HIROC has become aware, through a public advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA), that Microsoft released an out-of-band security update on October 23, 2025, to address a remote code execution (RCE) vulnerability impacting Windows Server versions 2012, 2016, 2019, 2022, and 2025.
According to CISA, a previous Microsoft patch did not fully mitigate this vulnerability, leaving affected systems exposed to potential compromise. The flaw could allow an unauthenticated remote attacker to execute arbitrary code with SYSTEM-level privileges on servers running the WSUS role, particularly if the WSUS management ports (8530/8531) are exposed to the internet.
CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog, indicating active exploitation in the wild.
This vulnerability underscores the ongoing risk to organizations that delay patching or expose management interfaces publicly. Similar large-scale exploit campaigns have been observed recently across multiple firewall and infrastructure vendors. For example, BleepingComputer reported in November 2024 that over 2,000 Palo Alto Networks firewalls were compromised due to delayed patching of chained zero-day vulnerabilities (CVE-2024-0012 and CVE-2024-9474). These incidents highlight the importance of immediate patching and strict network access controls for management interfaces.
Additionally, HIROC recommends the following for our Subscribers:
- Identify affected systems: Locate all servers running Windows Server Update Services (WSUS) and confirm whether the WSUS Server Role is enabled.
- Restrict network exposure: Immediately block inbound traffic to ports 8530 and 8531 at the host or network firewall. Ensure the WSUS management interface is accessible only from trusted internal IP addresses.
- Apply the out-of-band patch: Install Microsoft’s October 23, 2025, update across all affected systems. A server reboot is required to complete mitigation.
  - Refer to Microsoft’s guidance here: Microsoft Security Update Guide – CVE-2025-59287
- Apply temporary workarounds if immediate patching is not possible:
  - Disable the WSUS Server Role; and/or block inbound access to ports 8530/8531.
  - Do not revert these workarounds until the patch has been fully applied and verified.
- Patch all other Windows Servers to the latest cumulative updates to ensure consistency across your environment.
- Monitor system and network activity: Review logs for unexpected remote connections, privilege escalations, or command execution events related to WSUS processes.
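A read-only PowerShell audit covering the identify, restrict and monitor recommendations above. This is an added example, not part of HIROC's, CISA's or Microsoft's guidance; the function name `Get-WsusExposure` and the treatment of loopback, link-local and RFC 1918 addresses as "internal" are assumptions.

```powershell
# Added example: read-only exposure audit for one Windows Server.
# Assumes the ServerManager, NetTCPIP and NetSecurity modules are available.
$WsusPorts = '8530', '8531'   # WSUS ports named in the alert
# Assumption: loopback, link-local and RFC 1918 peers count as internal.
$Internal  = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|::1$|fe80:)'

function Get-WsusExposure {
    # 1. Is the WSUS Server Role installed, and is its service present?
    $role    = Get-WindowsFeature -Name UpdateServices
    $service = Get-Service -Name WsusService -ErrorAction SilentlyContinue

    # 2. Is anything listening on the WSUS ports?
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { "$($_.LocalPort)" -in $WsusPorts }

    # 3. Enabled inbound allow rules that name those ports, with their sources.
    #    Rules with LocalPort 'Any' or port ranges are not evaluated here.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            $hit  = @($port.LocalPort) | Where-Object { $_ -in $WsusPorts }
            if (($port.Protocol -in @('TCP', 'Any')) -and $hit) {
                [pscustomobject]@{
                    Rule          = $_.DisplayName
                    LocalPort     = @($port.LocalPort) -join ','
                    RemoteAddress = @($addr.RemoteAddress) -join ','
                    AnySource     = 'Any' -in @($addr.RemoteAddress)
                }
            }
        }

    # 4. Current sessions on the WSUS ports from peers outside the internal ranges.
    $peers = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
        Where-Object { "$($_.LocalPort)" -in $WsusPorts -and $_.RemoteAddress -notmatch $Internal }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        RoleInstalled  = [bool]$role.Installed
        ServiceStatus  = if ($service) { "$($service.Status)" } else { 'NotPresent' }
        ListeningPorts = @($listen.LocalPort | Sort-Object -Unique)
        OpenToAny      = @($rules | Where-Object AnySource)
        ExternalPeers  = @($peers | Select-Object RemoteAddress, LocalPort)
    }
}

Get-WsusExposure | Format-List
```

Run it in an elevated session on each candidate server. A server with `RoleInstalled` true and any entry under `OpenToAny` or `ExternalPeers` is reachable from untrusted sources on the WSUS ports and should be restricted first.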
We are here for you!
In the event of a cyber loss, please contact HIROC’s Claims Department at [email protected].
For Healthcare Safety and Risk Management resources and advice, please contact us at [email protected].
If you have any questions about this alert, please contact Kopiha Nathan, HIROC’s Privacy and Compliance Officer at [email protected].
Thank you for your vigilance and attention to this matter.
References
- Canadian Centre for Cyber Security, AL25-015 – Vulnerability impacting Microsoft Windows Server Update Services (CVE-2025-59287) (24 Oct 2025) (online), https://www.cyber.gc.ca/en/alerts-advisories/al25-015-vulnerability-impacting-microsoft-windows-server-update-services-cve-2025-59287
- Cybersecurity and Infrastructure Security Agency, Microsoft Releases Out-of-Band Security Update to Mitigate Windows Server Update Service Vulnerability (CVE-2025-59287) (24 Oct 2025) (online), https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve
- Microsoft Corporation, Security Update Guide – Vulnerability CVE-2025-59287 (online), https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Fareed Hussaini is HIROC's Privacy & Compliance Coordinator.