Microsoft Security: Windows Server Update Service

We are reaching out to let you know that Windows Server Update Service is vulnerable and can be exploited via Remote Code Execution by attacker to gain unauthorized access to critical systems.

Attention constituent:

A critical vulnerability exists in Microsoft Windows Server Update Services (WSUS) that allows a remote, unauthenticated attacker to execute unauthorized code on affected systems.
The issue is caused by improper handling of untrusted data during deserialization. By sending maliciously crafted data, an attacker can trick the server into processing hidden commands, potentially resulting in complete system compromise.

Advisory Overview


Advisory Type Technical
Author Leon Strachan
Date 20 October 2025
What’s Happening


Affected Systems
  • Windows Server versions hosting WSUS prior to the latest patch release (October 2025 Security Updates).
  • Configurations where WSUS is publicly exposed or lacks network segmentation.
What this Means Attackers can run unauthorised code remotely on affected WSUS servers without needing to log in. This means that someone outside your network could potentially make the WSUS server execute harmful commands if it hasn’t been updated or properly secured.
What to Look For


Signs You May Be at Risk You may be at risk if your WSUS server has not applied Microsoft’s October 2025 Security Updates, as older versions remain vulnerable. Systems are also exposed if WSUS ports (8530 or 8531) are open to the internet or untrusted networks, allowing remote exploitation. Servers using HTTP instead of HTTPS are particularly at risk since data can be intercepted or modified in transit. Additionally, running WSUS under administrator or system accounts increases the impact of a potential compromise, whereas using least-privileged accounts reduces risk.
Signs You May Be Affected Warning signs of compromise include unusual WSUS activity, such as unexpected update approvals, unknown clients, or synchronization with unfamiliar servers. If endpoints receive corrupted or unauthorized updates, your WSUS instance may already be affected.
What to Do


Prevention
  • Apply Microsoft’s October 2025 Security Update. Install the latest security patches released by Microsoft that address this specific vulnerability.
  • Verify after patching that the WSUS server is running the updated version.
  • Ensure that WSUS is only accessible from trusted internal systems (e.g., your domain network).
  • Use HTTPS and Valid Certificates.
  • Configure WSUS to use SSL/TLS so that update traffic between WSUS and clients is encrypted, This helps prevent tampering or injection of malicious data during synchronization.
  • Run WSUS services using least-privileged accounts instead of full administrator rights.
  • Remove or disable unused administrative accounts on the WSUS host.
  • Monitor network traffic for unusual connections to or from the WSUS server.
  • Monitor WSUS logs for unusual update approval or synchronization behavior.
Mitigation
  • Isolate and scan systems that may have received updates from a potentially compromised WSUS server.
  • Block external or public internet access to WSUS ports using a firewall or access control list (ACL).
  • Monitor and Audit WSUS Activity.
  • Regularly check WSUS logs for unexpected update approvals or synchronization attempts.
  • Review Permissions and Accounts.
Official Information


Should you require additional information or further support, submit a report on our website or contact us at [email protected].

Best,

Leon Strachan
Security Operations Centre
National Computer Incident Response Team of The Bahamas

 

Scroll to Top
Skip to content