Fortified Central Command
Security Incident

Threat Bulletin

Update: WSUS Undergoes Emergency Patch Procedure

Alert essentials:

A recently patched vulnerability in WSUS poses a critical risk to enterprise networks. If successfully exploited, the remote code execution allows an attacker to gain full control over the server used to secure systems.

The original patch for CVE-2025-52987 wasn’t complete, and a new out-of-cycle fix has been released. Deploy servers as soon as possible.

EMAIL TEAM

Detailed threat description:

Remember that patch you recently applied to the WSUS server? The one from Microsoft’s October 2025 patch release that fixed a critical remote code execution (RCE) vulnerability that could be wormable? Yeah, that KB doesn’t work, but a new fix is available and should be deployed with priority.

A remote code execution affects all Microsoft Windows servers running WSUS if the WSUS Server Role is enabled. On-prem versions of Windows 2012 server through Windows Server 2025 received updated patches for the legacy serialization tool on October 23rd, as the original fix wasn’t comprehensive.

Technical details of the weakness have been published, proof-of-concept is available, and researchers suspect that exploitation is underway. Organizations are strongly advised to prioritize deploying the new fixes via Windows Update or Windows Server Update Services (WSUS). A standalone package is available on the Microsoft Update catalog website. The latest releases do not require installing any earlier updates, as they supersede all previous patches. However, a server restart is required after applying the KBs.

Considering the potential impact of this weakness and possible exploitation, if a new patch cannot be applied immediately, consider these mitigations/workarounds:

Disable the WSUS Server role if it is enabled. Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability
Block inbound traffic to ports 8530 and 8531 on the host firewall in addition to blocking at the perimeter firewall to render WSUS non-operational
Fortified Health Security is monitoring this situation and will release updates as they become available.

Impacts on healthcare organizations:

As an unauthenticated remote code execution vulnerability, successful exploitation could allow attackers to execute arbitrary code on affected systems without requiring any authentication. This poses a severe risk for supply-chain attacks through the Windows Update infrastructure.

Affected Products / Versions

  • Windows Server 2012 (Server Core installation) x64-based Systems 6.2.9200.0 <2.9200.25722-Tenable plugin #270366
  • Windows Server 2012 R2 (Server Core installation) x64-based Systems 6.3.9600.0 <3.9600.22824- Tenable plugin #270367
  • Windows Server 2012 R2 x64-based Systems 6.3.9600.0 <3.9600.22824- Tenable plugin #270366- Tenable plugin #270367
  • Windows Server 2012 x64-based Systems 6.2.9200.0 <2.9200.25722
  • Windows Server 2016 (Server Core installation) x64-based Systems 10.0.14393.0 <0.14393.8519- Tenable plugin #270384
  • Windows Server 2016 x64-based Systems 10.0.14393.0 <0.14393.8519- Tenable plugin #270384
  • Windows Server 2019 (Server Core installation) x64-based Systems 10.0.17763.0 <0.17763.7919- Tenable plugin #270378
  • Windows Server 2019 x64-based Systems 10.0.17763.0 <0.17763.7919- Tenable plugin #270378
  • Windows Server 2022 x64-based Systems 10.0.20348.0 <0.20348.4294- Tenable plugin #270390
  • Windows Server 2022, 23H2 Edition (Server Core installation) x64-based Systems 10.0.25398.0 <0.25398.1913- Tenable plugin #270390
  • Windows Server 2025 (Server Core installation) x64-based Systems 10.0.26100.0 <0.26100.6899- Tenable plugin #270371
  • Windows Server 2025 x64-based Systems 10.0.26100.0 <0.26100.6899- Tenable plugin #270371

CVEs

  • CVE-2025-59287- CWE-502- CVSS 9.8

KBs
KB5070881, KB5070879, KB5070884, KB5070883, KB5070882, KB5070886, KB5070887

Recommendations

Engineering recommendations:

  • Identify all WSUS servers and their exposure
  • Immediately apply patches
  • Block external/untrusted access to WSUS management ports via perimeter and host firewalls
  • Increase monitoring and retention for WSUS logs and replication events
  • Search for indicators of compromise: unexpected package approvals, new content in WSUS directories, or anomalous replication patterns
  • Segment WSUS servers from general network segments and restrict replication to authenticated, internal links

Leadership / Program recommendations:

  • Document incident response steps and prepare playbooks for similar update‑infrastructure attacks
  • Review update‑infrastructure architecture for single points of trust and consider advanced hardening

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.

References:

Share

Back To All
Contact Us
Fortified Central Command
Security Incident