US Government orders patching of critical Windows Server security issue
Major WSUS bug needs patching, CISA warns
- CISA adds critical WSUS bug CVE-2025-59287 to its KEV catalog
- Microsoft issued emergency patch after real-world exploitation reports surfaced
- Over 2,800 WSUS servers exposed; agencies must patch by November 14
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal agencies about in-the-wild abuse, and giving them a three-week deadline to patch.
Microsoft recently pushed an emergency patch to fix a “deserialization of untrusted data” vulnerability found in Windows Server Update Service (WSUS) - a tool allowing IT admins to manage patching computers within their network.
The flaw, tracked as CVE-2025-59287, was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.
Patch Tuesday fixes
The issue was first addressed in October 2025’s Patch Tuesday cumulative update, but since news broke of real-life attacks, Microsoft released an emergency fix, as well.
Since then, multiple security agencies have found evidence of the flaw being leveraged in attacks. For example, Huntress saw WSUS instances being attacked through publicly exposed default ports (8530/TCP and 8531/TCP), while Eye Security saw at least one of its customers successfully breached. In its security advisory, Microsoft still keeps the flaw labeled as “exploitation more likely”, “not publicly disclosed”, and “not exploited”.
Shadowserver Foundation, the internet watchdog group tracking the abuse of various vulnerabilities, claims that there are more than 2,800 WSUS instances with default ports exposed online. Some of them are most likely patched already, so the attack surface is probably a little smaller than that.
Now, CISA added CVE-2025-59287 to KEV, giving Federal Civilian Executive Branch (FCEB) agencies until November 14 to patch up, or stop using the vulnerable product altogether.
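For admins wondering whether their own server counts among those exposed instances, here is a local check for the default WSUS ports mentioned above. It is an added example, not code from Microsoft, CISA or the vendors quoted, and it assumes an elevated PowerShell session on a Windows Server host with the ServerManager, NetTCPIP and NetSecurity modules; Test-PortMatch is a hypothetical helper written for this example.

```powershell
# Added example: local exposure check for the default WSUS ports (8530/TCP, 8531/TCP).
$wsusPorts = 8530, 8531

# Hypothetical helper: does a firewall LocalPort spec ('Any', '8530', '8000-9000') cover $Port?
function Test-PortMatch([string[]]$Spec, [int]$Port) {
    foreach ($s in $Spec) {
        if ($s -eq 'Any' -or $s -eq "$Port") { return $true }
        if ($s -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) {
            return $true
        }
    }
    return $false
}

# 1. Is the WSUS role installed on this server?
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = [bool]($role -and $role.Installed)

# 2. Are the default ports listening, and on which local addresses?
$listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts })

# 3. Which enabled inbound allow rules cover those ports, and for which remote addresses?
$rules = foreach ($rule in (Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow)) {
    $pf = $rule | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    $covered = @($wsusPorts | Where-Object { Test-PortMatch -Spec $pf.LocalPort -Port $_ })
    if ($covered.Count -eq 0) { continue }
    $af = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Ports         = $covered -join ','
        RemoteAddress = $af.RemoteAddress -join ','
    }
}

# Summary: role present + listener + a rule open to 'Any' means reachability
# depends entirely on whatever sits in front of this host.
[pscustomobject]@{
    WsusRoleInstalled = $roleInstalled
    ListeningOn       = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    AllowRulesOpenAny = @($rules | Where-Object { $_.RemoteAddress -match 'Any' }).Count
} | Format-List
$rules | Format-Table -AutoSize
```

The script reports listener and host-firewall state only; it does not confirm that the update is installed, and perimeter firewall or cloud security-group rules have to be reviewed separately.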
Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.