Patch Now: CISA Releases Detections for Zero-Day WSUS Exploit


On October 29, 2025, CISA released new guidance to help organizations detect and reduce attacks exploiting CVE-2025-59287, a critical flaw in Microsoft’s Windows Server Update Services (WSUS). The bug allows unauthenticated attackers to execute code on affected servers, giving them full control of the system.

Microsoft tried to fix the issue during October Patch Tuesday but later issued another update on October 23 after realizing the first fix wasn’t complete. CISA added it to its Known Exploited Vulnerabilities list shortly after. Attack activity has increased, with attackers using public tools to steal network data and credentials.

About the Vulnerability

The issue stems from WSUS deserializing untrusted data. Only servers with the WSUS role enabled are affected; that role exposes TCP ports 8530 and 8531. Because neither user interaction nor prior privileges are required, attackers can quickly compromise the server and move laterally through the network.

Organizations should first check whether the WSUS role is installed on their servers, using PowerShell or Server Manager. If WSUS is enabled, they need to install the October 23 update and reboot. If patching can’t happen immediately, WSUS can be temporarily disabled, or TCP ports 8530 and 8531 can be blocked at the firewall.

CISA urges IT teams to actively hunt for signs of suspicious activity, such as unusual SYSTEM-level processes spawned by WSUS services. Attackers may run command-line tools to gather network information and send the results to external services.

These actions may resemble normal administrative activity, but they should be investigated if they coincide with WSUS log errors or anomalous traffic to WSUS endpoints.
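The check-patch-hunt sequence above, as an added PowerShell triage script that is not part of CISA’s guidance or this article. It assumes a Windows Server host with the ServerManager, NetTCPIP and NetSecurity modules, an elevated session, that WsusService.exe and the IIS worker w3wp.exe are the WSUS parent processes of interest, and a placeholder for the October 23 update’s KB number, which the article does not give.

```powershell
# Added triage script, not part of the CISA guidance or this article. Assumes a
# Windows Server host with the ServerManager, NetTCPIP and NetSecurity modules,
# run from an elevated PowerShell session.
param(
    # KB number of the October 23, 2025 out-of-band update; not given on this page.
    [string]$OobUpdateKb = 'KB_PLACEHOLDER',
    # Set to block inbound WSUS ports as a temporary mitigation when patching must wait.
    [switch]$BlockPorts
)

# 1. Is the WSUS role present? If not, CVE-2025-59287 does not apply to this host.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) { Write-Output 'WSUS role not installed; host not affected.'; return }

# 2. Has the out-of-band update been installed?
$patched = [bool](Get-HotFix -Id $OobUpdateKb -ErrorAction SilentlyContinue)
Write-Output ("WSUS role installed; {0} present: {1}" -f $OobUpdateKb, $patched)

# 3. Which WSUS listeners (8530 HTTP, 8531 HTTPS) are exposed?
Get-NetTCPConnection -LocalPort 8530, 8531 -State Listen -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("Listening: {0}:{1}" -f $_.LocalAddress, $_.LocalPort) }

# 4. Hunt for child processes of WSUS services. Assumed parents: WsusService.exe and
#    the IIS worker w3wp.exe (which hosts the WSUS web services). Any command-line or
#    network-recon tool spawned under them as SYSTEM is worth an investigation ticket.
$procs   = Get-CimInstance Win32_Process
$parents = $procs | Where-Object { $_.Name -in @('WsusService.exe', 'w3wp.exe') }
foreach ($parent in $parents) {
    $children = $procs | Where-Object { $_.ParentProcessId -eq $parent.ProcessId }
    foreach ($child in $children) {
        $owner = Invoke-CimMethod -InputObject $child -MethodName GetOwner
        Write-Output ("SUSPECT child of {0} [{1}]: {2} [{3}] user={4}\{5} cmd={6}" -f
            $parent.Name, $parent.ProcessId, $child.Name, $child.ProcessId,
            $owner.Domain, $owner.User, $child.CommandLine)
    }
}

# 5. Optional temporary mitigation: block inbound TCP 8530/8531 until the update is applied.
if ($BlockPorts -and -not $patched) {
    New-NetFirewallRule -DisplayName 'Block WSUS inbound (CVE-2025-59287 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block | Out-Null
    Write-Output 'Inbound TCP 8530/8531 blocked by Windows Firewall rule.'
}
```

Run it without `-BlockPorts` first to see the role, patch and listener state; the firewall rule is only created when the update is confirmed absent, so remove the rule once the update has been installed and the server rebooted.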

Security researchers, including Huntress and Palo Alto Networks Unit 42, have provided details on how attackers are operating. Federal agencies must fix the issue by November 14, 2025, and all organizations should act quickly to secure their systems.

CVE ID: CVE-2025-59287
Description: Deserialization of untrusted data in WSUS allows remote code execution.
CVSS v3.1 Score: 9.8
Severity: Critical
Affected Products: Windows Server 2012, 2012 R2, 2016, 2019, 2022 (incl. 23H2), 2025 with the WSUS role enabled.
Exploitation Prerequisites: Unauthenticated access to TCP ports 8530/8531; crafted requests to ClientWebService or ReportingWebService.
Impact: Arbitrary code execution with SYSTEM privileges; potential for network enumeration, credential theft, and persistence.

About the Author:

FirstHackersNews - Identifies Security
