{"id":150222,"date":"2025-10-28T21:04:15","date_gmt":"2025-10-28T21:04:15","guid":{"rendered":"https:\/\/www.europesays.com\/ie\/150222\/"},"modified":"2025-10-28T21:04:15","modified_gmt":"2025-10-28T21:04:15","slug":"warnings-mount-over-windows-server-update-services-hacks","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/ie\/150222\/","title":{"rendered":"Warnings Mount Over Windows Server Update Services Hacks"},"content":{"rendered":"

Thousands of Windows Server Update Services Observed Online<\/p>\n

Akshaya Asokan<\/a> (asokan_akshaya<\/a>) \u2022
\n October 28, 2025 \u00a0 \u00a0 <\/p>\n

\"Warnings
\n Image: bluestork\/Shutterstock <\/p>\n

Warnings over hackers exploiting a Windows Server Update have compounded since Microsoft rushed out a patch Friday against a flaw allowing unauthenticated attackers to execute arbitrary code.<\/p>\n

See Also:<\/b> The Rise of Agentic Commerce: Building Secure, Trusted Payments for the AI-Driven Economy<\/a><\/p>\n

The flaw, tracked as CVE-2025-59287<\/a> is a deserialization of untrusted data in the Windows Server Update Service. Microsoft describes<\/a> the flaw’s source as a “legacy serialization mechanism.” Windows Server Update Services, a tool for managing Microsoft’s many updates, itself is no longer under active development<\/a>.<\/p>\n

The Cybersecurity and Infrastructure Security Agency added<\/a> the vulnerability to its Known Exploited Vulnerabilities catalog on Friday. Cybersecurity firms Eye Security<\/a> and Palo Alto Networks Unit 42<\/a> say they’ve observed active hacks and that thousands of Windows Server Update Services appear exposed to the internet. Unit 42 characterized the attacks as focused on reconnaissance likely as “a precursor to broader network compromise.”<\/p>\n

By compromising a single server, an attacker could take over the entire patch distribution system to gain system-level control to potentially carry out an internal supply chain attack, said Justin Moore, senior manager of threat intel research at Unit 42.<\/p>\n

“They can push malware to every workstation and server in the organization, all disguised as a legitimate Microsoft update. This turns the trusted service into a weapon of mass distribution,” he said.<\/p>\n

The Canadian Center for Cybersecurity<\/a> and the Australian Cyber Security Centre<\/a> also published alerts about the flaw.<\/p>\n

Microsoft attempted to head off hackers exploiting this flaw through a normal Patch Tuesday fix pushed out on Oct. 15. The patch didn’t fully resolve the issue – meaning that a proof of concept<\/a> published by HawkTrace shortly afterward had a greater reach than it otherwise might have had.<\/p>\n

“In the brief window between the flawed initial patch and the emergency fix, threat actors weaponized this vulnerability almost instantaneously, granting them a critical head start before the complete remediation was available,” Moore said. <\/p>\n

Attackers can use multiple attack paths including one that takes advantage of how Windows Server Update Services deserializes AuthorizationCookie objects. That attack method allows a threat actor to send “malicious encrypted cookies to the GetCookie() endpoint,” HawkTrace wrote in a follow up blog post. Another path is through ReportingWebService, through which unsafe deserialization can be triggered via SoapFormatter.<\/p>\n

“The vulnerability is particularly concerning because its target, WSUS, is often neglected,” Moore said. “Many IT teams adopt a ‘set it and forget it’ posture, leaving it a vulnerable target. A WSUS server should never be exposed to the Internet, it’s an internal patch system, not a public target.”<\/p>\n