WSUS attacks hit 'multiple' orgs as Google and other infosec sleuths ring Redmond’s alarm bell

More threat intel teams are sounding the alarm about a critical Windows Server Update Services (WSUS) remote code execution vulnerability, tracked as CVE-2025-59287 and now under active exploitation, just days after Microsoft pushed an emergency patch and the US Cybersecurity and Infrastructure Security Agency added the bug to …

  1. Anonymous Coward

    What?

    If you have WSUS exposed to the internet and don't require a client certificate, you and your employer deserve it.

    1. Anonymous Anti-ANC South African Coward Silver badge

      Re: What?

      Glad my WSUS are not exposed to the wibbly wobbly web at all... one less worry for me then.

      Maybe this can be used as a honeypot - something to lure in ne'er-do-wells and then tarpit them...

    2. kmorwath

      Re: What?

      The largest attack surface is always the lazy sysadmin.

      1. Jou (Mxyzptlk) Silver badge

        Re: What?

        lazydumb

        TIFIFY...

    3. DCdave

      Re: What?

      True, but since it's cookie-based and works on both HTTP and HTTPS ports, it's likely the requirement for client certificates will not protect against the vulnerability. Indeed Microsoft says that WSUS should be disabled or blocked until the patch is installed.

      1. Anonymous Coward

        Re: What?

        If you are using client-based certificates to authenticate access to the website, failure to authenticate means no TLS connection to send HTTP commands.

        No HTTP commands means no exploitable web server.

        1. Anonymous Coward

          Re: What?

          WSUS requires both HTTP and HTTPS ports to be open (unless not using HTTPS at all).

  2. kmorwath

    The bug is in the synchronization error processing

    When processing XML data - which means it is really in some .NET libraries, maybe some ancient one, since WSUS saw very few improvements over the years.

    This "fix" disabled error processing completely - until it's fully fixed you can't see synch errors any longer. That means the underlying bug is not fixed yet. As long as it is something used by WSUS only, the workaround can work. If it is used by some other important process, it may open other attack paths.

    1. Jou (Mxyzptlk) Silver badge

      Re: The bug is in the synchronization error processing

      It is not the XML, that is fine. One of the few things Microsoft implemented surprisingly well. The famous Bobby Tables catches after the XML decoding.

  3. Anonymous Coward

    Why would you expose WSUS directly to the web? Doing that is asking for trouble.

    We don't use it any more, but when we did it was behind a firewall.
