CISA releases warning about Windows Server Update Service bug, orders agencies to patch
Federal agencies and businesses are being urged to immediately patch a vulnerability affecting a widely used Windows update tool after experts warned that it is being exploited by hackers.
The Cybersecurity and Infrastructure Security Agency (CISA) sent out an urgent alert on Friday evening about CVE-2025-59287 — a vulnerability Microsoft included in its monthly set of security updates about two weeks ago.
The vulnerability affects the Windows Server Update Service (WSUS) in Windows Server versions 2012, 2016, 2019, 2022 and 2025. CISA said a “prior update did not fully mitigate” the vulnerability, which carries a severity score of 9.8 out of 10.
WSUS is used by IT teams to manage updates for Microsoft products, offering users a way to distribute updates published through Microsoft Update.
Nick Andersen, executive assistant director for the cybersecurity division at CISA, said that while there is no evidence of compromise within federal networks, “the threat from these actors is real.”
“Organizations should immediately apply Microsoft’s out-of-band patch and follow mitigation guidance to protect their systems,” he said in a statement on Saturday.
Cybersecurity expert Benjamin Harris told Recorded Future News on Friday that his team at security firm watchTowr was seeing “indiscriminate, in-the-wild exploitation” of the bug. Incident responders at Huntress and Palo Alto Networks’ Unit 42 also confirmed that they have seen exploitation of the bug.
On October 14, Microsoft said the bug had not been exploited but put “exploitation more likely” in the advisory. The company updated the page on Friday, providing guidance for how customers can patch the vulnerability.
Microsoft noted that it updated parts of the advisory “after confirming the availability of publicly disclosed [proof of concept] code for this CVE.” A Microsoft spokesperson said the company “re-released this CVE after identifying that the initial update did not fully mitigate the issue.”
CISA ordered all federal agencies to patch the bug by November 14 but said in the Friday advisory that it “strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, or risk an unauthenticated actor achieving remote code execution with system privileges.”
CISA also said organizations with affected products should take several immediate actions, including identifying servers that may be vulnerable to exploitation, applying updates and rebooting the servers.
Organizations that cannot apply the update immediately should block inbound traffic to certain ports.
Harris said on Friday that exploitation of the bug has been indiscriminate so far.
“If an unpatched WSUS instance is online, at this stage it has likely already been compromised. There really is no legitimate reason in 2025 to have WSUS accessible from the Internet — any organization in that situation likely needs guidance to understand how they ended up in this position,” he said.
He added that he has seen thousands of instances exposed to the internet, including several “extremely sensitive, high-value organizations.”
“This isn’t limited to low-risk environments – some of the affected entities are exactly the types of targets attackers prioritize,” he said.
Huntress published a blog post on Friday that said at least four of its customers were attacked through the vulnerability after exploitation attempts began on Thursday evening.
Two weeks ago, Immersive’s senior director of threat research, Kev Breen, warned that WSUS is a trusted Windows service that is designed to update files across the file system. The bug would allow an attacker to “have free rein over the operating system and could potentially bypass some [endpoint detection and response] detections that ignore or exclude the WSUS service.”
“Whilst not being actively exploited in the wild, one for patching sooner rather than later is, ironically, the Windows update service (WSUS) itself,” he said at the time.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.



