Microsoft Issues Critical Windows Update Amid Active Attacks

Summary
– Microsoft has released an emergency security update for a critical vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) that allows remote code execution.
– The Cybersecurity and Infrastructure Security Agency (CISA) warns that attacks exploiting this vulnerability are already underway and has given federal agencies two weeks to apply the fix.
– Only Windows servers with the WSUS server role enabled are vulnerable; the role is not enabled by default on Windows servers.
– CISA recommends identifying vulnerable servers, applying the October 23, 2025 security update, and rebooting WSUS servers after installation to complete mitigation.
– If immediate updating is not possible, CISA advises disabling the WSUS server role and blocking inbound traffic to ports 8530 and 8531 at the host firewall as a temporary workaround.
Microsoft has released an urgent security update for Windows Server to address a critical vulnerability, designated CVE-2025-59287, which is already being actively exploited. The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that attacks are in progress, making immediate action essential for all organizations using affected systems.
This development follows closely on the heels of a recent emergency security update from Google for Chrome, highlighting a period of heightened cybersecurity alerts. Less than a week ago, CISA had already warned federal agencies to update Windows Server, Windows 10, and Windows 11 systems because of ongoing Server Message Block (SMB) attacks. Now, the agency has verified that a new wave of attacks is exploiting a flaw in Windows Server Update Services (WSUS). This vulnerability could allow an unauthenticated attacker to remotely execute malicious code with system-level privileges over the network.
Microsoft clarified that the WSUS Server Role is not enabled by default on Windows servers. Only servers with this specific role activated are vulnerable if the patch is not installed. The company stated, “Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled.”
In response, CISA issued a binding operational directive, giving certain federal agencies a strict two-week deadline to apply the fix. The agency strongly urges all organizations to follow Microsoft’s updated guidance for the WSUS Remote Code Execution Vulnerability to prevent potential system compromise.
CISA recommends a specific course of action for system administrators:
First, identify any servers currently configured in a way that makes them vulnerable to exploitation.
Next, apply the out-of-band security update that Microsoft released on October 23, 2025, to all identified servers.
After installing the update, a reboot of the WSUS servers is required to complete the mitigation process.
For organizations unable to apply the update immediately, it is advised to disable the WSUS server role entirely. Additionally, blocking inbound traffic to ports 8530 and 8531 at the host firewall can serve as a temporary protective measure.
Microsoft emphasized that administrators should not reverse these workarounds until after the official update has been successfully installed. While addressing this issue may require immediate attention, even outside of normal business hours, taking these steps is crucial for maintaining network security.
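The steps above can be checked per server with a short script. The following PowerShell is an added example, not code from Microsoft, CISA, or the article; the KB number is a placeholder (the article does not name one) and the firewall rule name is constructed for illustration.

```powershell
#Requires -RunAsAdministrator
param(
    # Placeholder: the article names no KB number. Use the one Microsoft lists
    # for CVE-2025-59287 and this server's OS version.
    [string]$FixKb = 'KB0000000',
    # Opt in to the temporary workaround when the fix is missing.
    [switch]$ApplyFirewallBlock
)

$server    = $env:COMPUTERNAME
$wsusPorts = 8530, 8531
$ruleName  = 'TEMP block WSUS inbound 8530-8531'   # constructed rule name

# Step 1: only servers with the WSUS role installed are affected.
if (-not (Get-WindowsFeature -Name UpdateServices).Installed) {
    Write-Output "[$server] WSUS role not installed; not affected."
    return
}

# Step 2: is the out-of-band fix installed?
$patched = $null -ne (Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue)

# Step 3: mitigation is complete only after the reboot.
# Windows keeps these keys present while a restart is still pending.
$rebootPending =
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
    (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

# Exposure: which of the WSUS ports are listening right now?
$listening = Get-NetTCPConnection -State Listen -LocalPort $wsusPorts -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique

# Temporary workaround: block inbound 8530/8531 at the host firewall (idempotent).
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $patched -and $ApplyFirewallBlock -and -not $rule) {
    $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $wsusPorts -Action Block
}

[pscustomobject]@{
    Server         = $server
    FixInstalled   = $patched
    RebootPending  = $rebootPending
    ListeningPorts = $listening -join ','
    BlockRuleSet   = [bool]$rule
    Mitigated      = $patched -and -not $rebootPending
}
```

While the block rule is active, clients cannot reach this WSUS server on those ports, so remove it only once `Mitigated` reports true.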
(Source: Forbes)



