Everybody's warning about critical Windows Server WSUS bug exploits ... but Microsoft's mum

Governments and private security sleuths warned that attackers are already exploiting a critical bug in Microsoft Windows Server Update Services, shortly after Redmond pushed an emergency patch for the remote code execution (RCE) vulnerability. Plus, there's at least one proof-of-concept attack floating around in cyberspace, …

  1. IGotOut Silver badge

    Soooo...

    One company says they found 25 exposed, the other 8000+?

    Also how many are honeypots?

    I can't think of a single reason to have a WSUS server with those ports open facing outwards.

    1. theblackhand

      Re: Soooo...

      My guess is that they tried to allow RDP access to their server, but couldn't get it working with a single port so allowed full access to all port/protocols...

      1. Justin Pasher

        Re: Soooo...

        Or they were lazy and didn't want to mess around with VPNs for the workstations on their domain. They want them to always have access to the update server even if they're not on the private corporate network.

        Still a horrible idea.

      2. Bitbeisser
        Mushroom

        Re: Soooo...

        Any IT person opening up a port like this to the Internet needs to be fired, immediately!

        And those that open up a large range of ports because of being lazy, should first be tarred, feathered and slowly drawn to quarters, before being fired...

  2. BinkyTheMagicPaperclip Silver badge

    There wasn't any valid reason in 2002 either..

    Been a while since I maintained WSUS, would have been up to 2010 at the latest but it was never exposed to the Internet. Neither was any other domain service.

    You could sort of get away with less than optimal security configuration until the late 90s, after that you took your life into your hands. I miss some of the sysadmin side, I definitely don't miss securing networks - complex, difficult, and thankless.

    1. Paul Crawford Silver badge
      Facepalm

      Re: There wasn't any valid reason in 2002 either..

      From the late 90s onwards most homes were 'protected' by the use of NAT - you had to specifically forward a port to allow an incoming connection. Let us not mention the abomination that is UPnP...

      But I guess many enterprises had an IPv4 block so they would just be open by default, which seems utterly bonkers now!

    2. david 12 Silver badge

      Re: There wasn't any valid reason in 2002 either..

      Off hand, the obvious reason for having WSUS exposed to the internet is if you have already been broken, and they are using WSUS as the malware channel.

      Apart from that, nothing.

  3. NapTime ForTruth

    Critical 9.8-rated vulnerability in a Microsoft product or service, you say? Microsoft silent on the topic, you say? How very...rare. And unusual, too. Most shocking, to be sure.

    It's almost like they don't care, or maybe they don't understand what's happening.

    Maybe they'll consult with a technology company for more information, or check in with their completely reliable and totally trustworthy AI to solve this dilemma. Or is it a conundrum? Maybe the AI will cover that, too.

    Regardless, best of luck to them in their future endeavors.

    1. HereIAmJH Silver badge

      MS Hand wringing

      Maybe I'm just getting old, but I'm having trouble getting worked up over this. Only a fool would open unnecessary ports to the Internet, so they have to get on my local network first. I'm the only one on my local net, so I'm sleeping just fine knowing WSUS has a vulnerability. I'll continue to use it as I wait for my Win10 machines to die of old age.

      BTW, you are aware that WSUS is deprecated as well. If you are a large or high risk environment you should already be migrating off of it.

      1. Richard 12 Silver badge

        Re: MS Hand wringing

        To what, though?

        If you're a high risk environment, you don't want your clients directly contacting the Internet, because it massively increases your attack surface. So you can't use Intune.

        As far as I know, there is nothing to replace WSUS - the one or two on-prem servers that can see the Internet, which hold and distribute Windows updates to clients that cannot.

        1. Anonymous Coward
          Anonymous Coward

          Re: you don't want your clients directly contacting the Internet

          Don't know of too many organisations who are directly connecting to the internet?

          Intune works just fine through proxy servers.

  4. David 132 Silver badge
    Happy

    “Everybody's warning about critical Windows Server WSUS bug exploits ... but Microsoft's mum”

    Well, yes. Mrs Microsoft is very proud of her child and won’t say a harsh word against him.

    1. Will Godfrey Silver badge
      Linux

      Re: “Everybody's warning about critical Windows Server WSUS bug exploits ... but Microsoft's mum”

      Ha! Beat me to it.

      However, just 'cos she's not saying anything doesn't mean she doesn't have an opinion.

  5. Pascal Monett Silver badge
    Windows

    "critical Windows Server WSUS bug exploits"

    So, just another Monday then.

    1. Steve Davies 3 Silver badge

      Re: "critical Windows Server WSUS bug exploits"

      So,

      Just another 24 hour period ending in DAY

      That seems to be a bit better.

  6. Anonymous Coward
  7. ecarlseen

    It doesn't have to be open to the Internet...

    ...if an attacker has virtually any sort of presence inside of their network. Typically there are fairly few restrictions with regards to what kinds of systems can talk to WSUS. Traveling laptops with VPN connections, anyone?

    1. storner
      Pirate

      Re: It doesn't have to be open to the Internet...

      My thoughts exactly. If you have any kind of foothold inside, then there is nothing like the ability to install your own software if you want to do lateral movement and persistence.

  8. kmorwath

    Automatic deserialization....

    ... how to look for troubles in Java, .NET and Python.

    Often it's better to avoid it and process data explicitly - and raise exceptions for unexpected ones.
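
    As an added Python illustration of the approach this comment recommends (example code, not kmorwath's and not from any product the article discusses): instead of handing untrusted bytes to an automatic deserializer such as pickle.loads, yaml.load, .NET's BinaryFormatter or Java's ObjectInputStream, which instantiate whatever types the data names, the data is parsed as plain JSON and then checked field by field against an explicit schema, with anything unexpected raising an exception. The message format, field names and sample messages are constructed for this example and do not represent a real WSUS protocol.

    ```python
    import json
    from dataclasses import dataclass

    # Constructed sample messages (assumed format, not a real WSUS wire format).
    CONSTRUCTED_OK = b'{"update_id": "KB-EXAMPLE-0001", "size": 1234, "approved": true}'
    CONSTRUCTED_BAD_TYPE = b'{"update_id": "KB-EXAMPLE-0001", "size": "1234", "approved": true}'
    CONSTRUCTED_EXTRA_FIELD = b'{"update_id": "KB-EXAMPLE-0001", "size": 1234, "approved": true, "__class__": "x"}'
    CONSTRUCTED_NOT_JSON = b'\x80\x04\x95garbage'


    @dataclass(frozen=True)
    class UpdateRecord:
        """The only shape the application is willing to accept."""
        update_id: str
        size: int
        approved: bool


    class UnexpectedInput(ValueError):
        """Raised for any field, type or value that was not explicitly allowed."""


    # Explicit allowlist: field name -> required Python type. Anything else is rejected.
    _SCHEMA = {"update_id": str, "size": int, "approved": bool}
    _MAX_MESSAGE_BYTES = 4096
    _MAX_ID_LEN = 64


    def parse_update_record(raw: bytes) -> UpdateRecord:
        """Explicitly process an untrusted message into an UpdateRecord.

        The unsafe alternative would be `pickle.loads(raw)` (or an equivalent
        automatic deserializer), which lets the sender choose which types get
        constructed. Here the sender controls only three values, each checked.
        """
        if len(raw) > _MAX_MESSAGE_BYTES:
            raise UnexpectedInput("message too large")
        try:
            obj = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError) as exc:
            raise UnexpectedInput(f"not well-formed JSON: {exc}") from None
        if not isinstance(obj, dict):
            raise UnexpectedInput("top-level value must be an object")

        unexpected = set(obj) - set(_SCHEMA)
        if unexpected:
            raise UnexpectedInput(f"unexpected fields: {sorted(unexpected)}")
        missing = set(_SCHEMA) - set(obj)
        if missing:
            raise UnexpectedInput(f"missing fields: {sorted(missing)}")

        for name, expected in _SCHEMA.items():
            value = obj[name]
            # bool is a subclass of int in Python, so an int field must reject True/False explicitly.
            if (expected is int and isinstance(value, bool)) or not isinstance(value, expected):
                raise UnexpectedInput(f"field {name!r} has type {type(value).__name__}, expected {expected.__name__}")

        # Value-level checks: ranges and character sets, not just types.
        if obj["size"] < 0:
            raise UnexpectedInput("size must be non-negative")
        update_id = obj["update_id"]
        if not (0 < len(update_id) <= _MAX_ID_LEN) or not update_id.isprintable():
            raise UnexpectedInput("update_id has invalid length or characters")

        return UpdateRecord(update_id=update_id, size=obj["size"], approved=obj["approved"])


    def rejects(raw: bytes) -> bool:
        """True if the message is refused by the explicit parser (used for checks below)."""
        try:
            parse_update_record(raw)
        except UnexpectedInput:
            return True
        return False


    if __name__ == "__main__":
        print(parse_update_record(CONSTRUCTED_OK))
        for sample in (CONSTRUCTED_BAD_TYPE, CONSTRUCTED_EXTRA_FIELD, CONSTRUCTED_NOT_JSON):
            print("rejected" if rejects(sample) else "accepted", sample[:40])
    ```

    The point of the design is that the sender never gets to choose a type: every field is looked up in a fixed allowlist, checked for its expected type and range, and the result is built by the application's own constructor. Unknown keys are a hard error rather than being silently ignored, which is also what makes the rejected messages visible in logs.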

  9. kmorwath

    It looks like Microsoft reissued the whole October update

    My lab servers installed KB5070883 and rebooted over the weekend - all of them, not just the WSUS one (they are set to automatically download and install updates when available - exactly to test them). KB5070883 is a re-issued cumulative update. Why the whole of it, and not just a fix for WSUS?

    Reading the KB documentation, the issue is in the synchronization error handling - it has been disabled wholly to fix it (temporarily, I hope).

  10. Anonymous Anti-ANC South African Coward Silver badge

    More Microsoft goodness for everybody.

  11. Dwarf

    Microsoft insecurity

    All Microsoft products seem to rely on a combination of security by obscurity, good luck, defaults that make things open to all and the hope that people will not install them in a bad way.

    However, the engineer / support person / person given the opportunity to prove themselves, even though they don't have the relevant background experience, will give it a go. They tend to stop when it works and declare victory. They don't stop when it's secure and installed in line with the documentation. This is why mistakes happen and the bad guys know this.

    Back in the olden days, there were different teams: network, server, client, storage, perimeter security teams, and one team would help prevent another from making a bad decision.

    But now, with cloud everywhere, a single person can deploy a whole stack of network, server, client and storage and nobody will ask the question of why or how on security.

    This is why things go wrong.
