The Cybersecurity and Infrastructure Security Agency issued updated guidance on a critical vulnerability in Windows Server Update Service and urged security teams to immediately apply patches to their systems and check for potential compromise.
The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data in WSUS, a tool widely used by IT administrators to deploy Microsoft product updates.
Security researchers have been tracking a series of exploitation attempts in recent weeks. An initial patch issued in mid-October proved incomplete, and Microsoft issued an emergency out-of-band security update late last week.
CISA on Wednesday issued additional guidance on how to check for potential compromise and warned security teams to take the threat very seriously.
“The threat from these actors is real—organizations should immediately apply Microsoft’s out-of-band patch and follow mitigation guidance to protect their systems,” Nick Andersen, executive assistant director for the Cybersecurity Division at CISA, told Cybersecurity Dive.
Security teams need to identify servers vulnerable to exploitation, meaning those with the WSUS server role enabled and listening on TCP ports 8530/8531. CISA provided specific PowerShell commands to check whether the WSUS role is in an installed state.
CISA said the emergency patch should be installed and that organizations should check for suspicious activity, in particular child processes spawned with SYSTEM-level privileges.
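The triage described in the two paragraphs above, written out in PowerShell as an added example; these are not the commands CISA published, which this article does not reproduce. It checks the WSUS role state, lists what is listening on 8530/8531, and flags shell-type child processes running as SYSTEM under the WSUS-related worker processes. The parent process names (`w3wp.exe`, `wsusservice.exe`) and the list of child binaries are assumptions chosen for illustration; run it elevated on a Windows Server host.

```powershell
# Added example, not CISA's or Microsoft's own script. Assumptions are marked.
# Run from an elevated PowerShell session on the Windows Server being triaged.

# 1. Is the WSUS server role installed? (ServerManager module, Windows Server only)
Import-Module ServerManager -ErrorAction Stop
$wsus = Get-WindowsFeature -Name UpdateServices
if ($wsus.InstallState -eq 'Installed') {
    Write-Host "WSUS role is installed; this host is in scope for the out-of-band patch."
} else {
    Write-Host "WSUS role not installed (state: $($wsus.InstallState))."
}

# 2. What is listening on the WSUS ports, and on which addresses?
#    A listener bound to 0.0.0.0 or :: on an internet-facing interface is the case
#    CISA warns about; whether that interface is reachable from the internet has to
#    be confirmed at the firewall/NAT layer, not from this host alone.
Get-NetTCPConnection -LocalPort 8530, 8531 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } }

# 3. Suspicious child processes: shells or LOLBins spawned by the WSUS/IIS worker
#    processes and running as SYSTEM. Parent and child name lists are assumptions.
$parentNames = @('w3wp.exe', 'wsusservice.exe')
$childNames  = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe', 'rundll32.exe')

$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p }

foreach ($p in $procs) {
    if (-not $p.Name -or $childNames -notcontains $p.Name.ToLower()) { continue }
    $parent = $byPid[$p.ParentProcessId]
    if (-not $parent -or $parentNames -notcontains $parent.Name.ToLower()) { continue }

    # Resolve the account the child runs as; SYSTEM children of the worker are the signal.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $user  = "$($owner.Domain)\$($owner.User)"
    if ($user -like '*\SYSTEM') {
        [pscustomobject]@{
            Parent      = $parent.Name
            ParentPid   = $parent.ProcessId
            Child       = $p.Name
            ChildPid    = $p.ProcessId
            User        = $user
            CommandLine = $p.CommandLine
        }
    }
}
```

Step 3 only sees processes alive at the moment it runs. For activity that has already ended, the same parent/child/user pattern should be searched in historical data (Security event ID 4688 with command-line auditing enabled, or Sysmon event ID 1), and the WSUS and IIS logs reviewed for the period the ports were exposed.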
CISA previously added the flaw to its Known Exploited Vulnerabilities catalog. It said on Saturday that no federal agencies had been compromised.
Google Threat Intelligence Group on Monday told Cybersecurity Dive it was investigating attacks across multiple organizations. Attackers have performed reconnaissance after breaching systems and have exfiltrated data, Google researchers said.
Researchers at Eye Security told Cybersecurity Dive they suspect more than one threat group is targeting organizations.
Huntress, meanwhile, reported last week that several of its customers had been impacted by the exploitation attempts. Huntress researchers told Cybersecurity Dive the activity waned quickly and they have not seen any follow-on attempts.
Andersen added that organizations should not expose WSUS ports (8530/8531) to the internet. If the ports have been exposed, organizations need to check for indications of a potential compromise.