An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.

Cybersecurity researchers and firewall monitoring services have detected a dramatic surge in reconnaissance activity targeting Windows Server Update Services (WSUS) infrastructure. Network sensors collected from security organizations, including data from Shadowserver, show a significant increase in scans directed at TCP ports 8530 and 8531 over the past week. While some scanning activity appears connected to legitimate security research initiatives, analysts have identified additional traffic from unknown sources not associated with known research organizations, raising concerns about potential exploitation attempts. The scanning activity correlates directly with CVE-2025-59287 , a critical vulnerability in WSUS servers that enables remote code execution. Attackers can exploit this flaw by connecting to vulnerable WSUS infrastructure via either port 8530 (unencrypted) or 8531 (TLS-encrypted). Successfully establishing a connection allows threat actors to execute arbitrary scripts directly on compromised servers with no authentication requirements. Reconnaissance Followed by Full Compromise SANS analysis reveals that threat actors typically follow a two-stage attack pattern when targeting WSUS servers. The initial phase involves reconnaissance and scanning to identify  vulnerable  systems, which aligns with the recent surge in port scanning activity . Once attackers successfully identify and connect to susceptible servers, they proceed to the exploitation phase, deploying malicious scripts that grant them extensive control over the affected infrastructure. Experts emphasize that any publicly exposed WSUS server displaying characteristics of vulnerability should be presumed compromised at this stage. a significant increase in scans for port 8531/TCP The availability of sufficient technical details in public disclosures has lowered the barrier to entry for potential attackers, enabling even moderately skilled threat actors to develop and deploy exploitation code. Organizations should assume that exploitation attempts have already occurred against any systems matching the vulnerable profile that have been connected to internet-facing networks. The severity of this vulnerability demands urgent action from system administrators and security teams managing WSUS deployments. Organizations must immediately audit their network perimeter to identify any WSUS servers accessible from untrusted networks. C VE ID Vulnerability Affected Products CVSS Score CVE-2025-59287 WSUS Script Execution Windows Server Update Services (Multiple versions) 9.8 Those discovering exposed instances should implement emergency isolation procedures and conduct comprehensive forensic investigations to determine whether compromise has occurred. Organizations without immediate patch availability should implement network segmentation, restricting WSUS server access to authorized internal networks only. Advanced threat detection systems should be configured to alert on suspicious outbound connections and script execution originating from WSUS processes, as these behaviors often indicate successful compromise. Follow us on Google News , LinkedIn , and X for daily cybersecurity updates. Contact us to feature your stories. The post Hackers Actively Scanning for TCP Port 8530/8531 Linked to WSUS Vulnerability CVE-2025-59287 appeared first on Cyber Security News .

Helps defenders find their WSUS configurations in the wake of CVE-2025-59287 - mubix/Find-WSUS

How the n-day research for a suspected vulnerability in Microsoft WSUS (CVE-2025-59287) led to the surprising discovery of a new `SoapFormatter` vulnerability added by the Patch Tuesday updates of Oct...

WSUS�ɑ��݂����Ǝ㐫�����p�����A�����[�g�R�[�h���s���”\�ƂȂ��U�����������Ă����BPoC���J���ɍU�����g�債�Ă��钆�A�����̃T�[�o�����C���̂܂܉ғ����Ă����A���}�ȃp�b�`�K�p�ƃA�N�Z�X���䂪���߂����Ă����B

Active WSUS exploits, LockBit 5.0’s comeback, a Telegram backdoor, and F5’s hidden breach — this week’s biggest cyber threats.

YouTube video by 情報の灯台【パソコン】ソース有り

CISA and security researchers warn of active exploitation of CVE-2025-59287, a critical WSUS RCE vulnerability prompting emergency patching across enterprise systems.

A “prior update did not fully mitigate" a flaw in Windows Server Update Service, CISA said in an alert to federal agencies and businesses

DOJ says Trenchant boss sold secrets to Russian buyer, U.S. 'slipping' on cyber, Microsoft patches exploited Windows bug, AI browser security, and more.

Microsoft has issued an out-of-band emergency security update to address a critical vulnerability in Windows Server Update Services (WSUS) that is currently being exploited in the wild. CVE-2025-59...

Microsoft released urgent updates to address the critical WSUS RCE vulnerability CVE-2025-59287, which is under active attack.. Microsoft released an out-of-band fix for CVE-2025-59287, a critical WSUS RCE flaw (CVSS 9.8) that is under active exploitation. Researchers MEOW and Markus Wulftange of CODE WHITE GmbH reported the vulnerability. “To comprehensively address CVE-2025-59287, Microsoft has released […]

Attached: 1 image Not sure if anybody else has played with CVE-2025-59287 (out of band update for WSUS) but I just had a play in a lab - after getting RCE on the WSUS server, I was able to tamper wit...

Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.

Today, our morning coffee was rudely interrupted by a critical alert from a customer’s Windows Server Update Services…

Microsoft Security and AI. This is not an official Microsoft blog. Click to read Rod’s Blog, by Rod Trent, a Substack publication with thousands of subscribers.

Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.

Microsoft has released emergency security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code.

Introduction: A critical, wormable vulnerability in Windows Server Update Services (CVE-2025-59287) threatens enterprise networks globally. This remote code execution flaw allows unauthenticated attackers to take complete control of WSUS servers, potentially creating a chain reaction of compromise across an organization's core update infrastructure. Learning Objectives: Understand the mechanism and severe risk posed by CVE-2025-59287. Learn how to immediately patch affected Windows Server versions and verify the patch's installation.

The U.S. CISA added Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities (KEV) catalog.