(TLP:CLEAR) Vulnerability Notification – CISA Sends Security Alert for Critical RCE Vulnerability in Microsoft WSUS (CVE-2025-59287)

TLP:CLEAR

Author: Chase Snow

Created: Thursday, October 30, 2025 - 8:59

Categories: Cybersecurity, Federal & State Resources, Security Preparedness

ACTION MAY BE REQUIRED for utilities using Microsoft Windows Server Update Service (WSUS) in Windows Server 2012, 2016, 2019, 2022, and 2025. Utilities that outsource technology support may need to consult with their service providers for assistance with remediation actions.

Summary: Last week, Microsoft released out-of-band security updates to patch a high-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287), which has come under active exploitation in the wild. On Friday, CISA issued an alert urging organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance.

Analyst Note: WaterISAC is sending this vulnerability notification for member awareness as this high-severity vulnerability could allow an unauthenticated actor to achieve remote code execution (RCE) with system privileges. Additionally, active exploitation of this vulnerability is currently being observed by cybersecurity researchers. Organizations using affected products are urged to take immediate action.

Immediate actions include (see CISA and Microsoft for more comprehensive guidance):

  1. Identify servers that are currently configured to be vulnerable.
  2. Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1.
  3. Apply updates to remaining Windows servers.
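One way to carry out Step 1 across a list of servers, as an added PowerShell example that is not part of the original notification or of CISA's or Microsoft's guidance. It assumes PowerShell remoting is enabled, that the hostnames in `$Servers` are placeholders, and that "configured to be vulnerable" means the WSUS server role is enabled with its default ports 8530/8531 listening, which is how CISA's alert describes affected servers.

```powershell
# Added example. Run from an elevated session on a management host with
# PowerShell remoting enabled to the targets.
# $Servers is a constructed placeholder list; substitute your own inventory.
$Servers   = @('wsus01.example.internal', 'app02.example.internal')
$PatchDate = Get-Date '2025-10-23'   # out-of-band release date given in the notification

$results = Invoke-Command -ComputerName $Servers -ArgumentList $PatchDate `
    -ErrorAction SilentlyContinue -ScriptBlock {
    param($Since)

    # WSUS server role (feature name 'UpdateServices' on Windows Server).
    $role = Get-WindowsFeature -Name UpdateServices

    # Default WSUS listeners: 8530 (HTTP) and 8531 (HTTPS).
    $ports = Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 `
                 -ErrorAction SilentlyContinue |
             Select-Object -ExpandProperty LocalPort -Unique

    # Updates installed on or after the release date. This does not prove the
    # specific fix is present: compare the IDs with the KB that Microsoft's
    # guidance lists for this server's OS version.
    $recent = Get-HotFix |
              Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
              Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        WsusRoleInstalled     = [bool]$role.Installed
        ListeningWsusPorts    = ($ports | Sort-Object) -join ','
        UpdatesSincePatchDate = $recent -join ','
    }
}

# Servers with the role installed are the Step 1 set; list them first.
$results |
    Sort-Object -Property WsusRoleInstalled -Descending |
    Format-Table PSComputerName, WsusRoleInstalled, ListeningWsusPorts, UpdatesSincePatchDate -AutoSize

# Hosts that returned nothing still need a manual check.
$Servers | Where-Object { $_ -notin $results.PSComputerName } |
    ForEach-Object { Write-Warning "No result from $_; check it manually." }
```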

Additional Reading:

  • Microsoft Releases Emergency Patch for Exploited Critical Remote Code Execution Vulnerability (CVE-2025-59287)
  • Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation

Incident Reporting:

WaterISAC encourages any members who have experienced malicious or suspicious activity to email an*****@*******ac.org, call 866-H2O-ISAC, or use the confidential online incident reporting form.
