Observation Summary
A critical unauthenticated remote code execution vulnerability (CVSS 9.8) has been identified in Microsoft Windows Server Update Services (WSUS). Exploitation allows attackers to execute arbitrary code under the WSUS service context, often SYSTEM. Microsoft released an out-of-band patch on October 23, 2025, and active exploitation has been observed in the wild.
What’s Happening
- Vulnerability: Unsafe deserialization of crafted AuthorizationCookie payload in WSUS web endpoints.
- Impact: Arbitrary code execution under WSUS service context.
- Attack vector: Unauthenticated network request to WSUS endpoints.
- Patch: Microsoft issued out-of-band cumulative updates (KB5070881 / KB5070882) on October 23, 2025.
- Exploitation: Multiple vendors and CERTs report active exploitation.
Why It Matters
- High blast radius: WSUS compromise can lead to malicious update distribution, creating a supply-chain attack vector.
- Unauthenticated & low effort: No authentication or user interaction required.
- Privilege escalation: SYSTEM-level access enables lateral movement and persistence.
- Active exploitation: Listed in CISA Known Exploited Vulnerabilities; immediate risk to exposed WSUS servers.
Recommendations
Primary Action:
Apply Microsoft’s October 23, 2025, out-of-band patch immediately; validate KB installation and WSUS functionality.
If patching is delayed:
- Block inbound access to WSUS ports (8530/8531) from untrusted networks.
- Restrict WSUS to trusted VLAN or admin hosts via firewall/VPN.
- Disable WSUS role temporarily if feasible; plan alternate update distribution.
- Remove public exposure; enforce VPN/jump host with MFA for remote admin.
Detection & Monitoring:
- Hunt for unauthenticated POSTs, large AuthorizationCookie payloads, unexpected child processes (cmd.exe, powershell.exe), and encoded PowerShell commands.
- Extend IIS and WSUS log retention.
- ProArch SOC has deployed custom detection rules and is actively monitoring for IOCs.