Aussie cyber agency releases alert over critical RCE flaw as hackers exploit vulnerability hours after Microsoft releases emergency out-of-band patch.
Both the Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) warned of a critical remote code execution (RCE) vulnerability in the Windows Server Update Service over the weekend.
Microsoft was forced to release an out-of-band patch to address the flaw after a previous update failed to fully mitigate the issue.
“This vulnerability involves deserialisation of untrusted data in WSUS, which could enable an unauthenticated actor to achieve remote code execution with system privileges,” the ACSC said over the weekend.
“The ASD’s ACSC recommends that organisations take immediate action to address affected products.”
The vulnerability – CVE-2025-59287 – was one of two vulnerabilities recently added to CISA’s Known Exploited Vulnerabilities Catalog on 24 October. It has a CVSS score of 9.8 out of 10, making it a critical issue, and it is present in the Microsoft Windows Server Update Service in Windows Server (versions 2012, 2016, 2019, 2022 and 2025).
“Australian organisations should review their networks for use of vulnerable instances of the Windows Server Update Service (WSUS), and consult the Microsoft Security Update guide for mitigation advice,” the ACSC said.
Benjamin Harris, CEO of cyber security firm watchTowr, told Cyber Daily that he was already seeing indiscriminate, in-the-wild exploitation of the vulnerability as of 25 October.
“Exploitation of this flaw is indiscriminate. If an unpatched WSUS instance is online, at this stage it has likely already been compromised,” Harris said.
“There really is no legitimate reason in 2025 to have WSUS accessible from the internet – any organisation in that situation likely needs guidance to understand how they ended up in this position.
“We’ve observed exposure in 8,000+ instances, including extremely sensitive, high-value organisations. This isn’t limited to low-risk environments – some of the affected entities are exactly the types of targets attackers prioritise.”
Harris noted that in this case, organisations exposed by the vulnerability had about 10 days to address the issue before exploitation began to ramp up.
“For a vulnerability that triggered alerts and signalled it would likely attract threat actor attention, this should serve as a reminder: organisations using real threat intelligence or risk-based prioritisation frameworks likely avoided impact,” Harris said.
“With 60,000+ CVEs every year, understanding where to focus remediation efforts remains critical.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.