Microsoft Releases Windows Server Emergency Updates to Fix Critical WSUS RCE Bug

johny899

Hello, friend! If you use Windows Server and deploy updates via WSUS (Windows Server Update Services), you're going to want to pay attention. Microsoft has just released emergency updates to mitigate a very serious security bug that attackers can already test, although they still have to do the extra work of building on a proof-of-concept (PoC) exploit.

Since I've used WSUS before, I understand how important it is to have a system that allows you to keep your systems updated and patched. So, let's take a moment to talk about this bug: what it is, how bad it could be, and what you need to do to stay safe.

What Is Happening With WSUS?

What Is WSUS?

WSUS is a way for businesses to manage, control and deploy Windows updates to computers and servers. Instead of each computer downloading updates directly from Microsoft, one server does it for everyone.

What Is The Problem?

Microsoft discovered a remote code execution (RCE) bug in WSUS. That means an attacker could send malicious data to the WSUS server and gain remote control of it, with no password and no action by a user needed.

Here are the essential details:

• The flaw only impacts systems running with the WSUS Server Role enabled.
• An attacker can use a poisoned cookie to make the server run arbitrary code.
• A PoC exploit has already been released, which makes this issue even more pressing.

The bug occurs because WSUS handles some data incorrectly when it processes calls from the update agent. By exploiting this oversight, an attacker can run any code on the system.

What Microsoft Did

The Resolution

Microsoft has provided emergency updates for all supported versions of Windows Server, specifically:

• Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025

Each version's patch has its own KB number (for example, KB5070884 for Server 2022).

These patches replace older updates, so you can install them directly without applying prior updates first.

What You Should Be Doing Now

If you are using WSUS, here's what you will need to do:

1. Check which of your servers are running the WSUS Server Role.
2. Apply the patches immediately and reboot your servers.
3. If you cannot patch, disable WSUS for now or block ports 8530 and 8531 on your firewall. (Just be aware that this will prevent updates from reaching your machines.)
4. After patching, review the WSUS logs to confirm that WSUS is operating normally.
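
The steps above can be checked with a short script. This is an added example, not code from Microsoft or from the original post; the server list is an assumption you supply, and only KB5070884 (Server 2022) is named on this page, so pass the KB that matches each server's Windows version.

```powershell
# Added example: audit servers for the WSUS role and the emergency update.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # assumption: your own server list
    [string]$KbId = 'KB5070884',                     # Server 2022 KB from the article
    [switch]$BlockPorts                              # apply the port-block workaround locally
)

$report = foreach ($server in $ComputerName) {
    # Step 1: is the WSUS Server Role installed? "UpdateServices" is the role's feature name.
    $role = Get-WindowsFeature -Name UpdateServices -ComputerName $server
    if (-not $role.Installed) {
        [pscustomobject]@{ Server = $server; WsusRole = $false; Patched = $null; Workaround = 'not needed' }
        continue
    }

    # Step 2: is the emergency update present? Get-HotFix matches on the exact KB id,
    # so an update installed under a different id will show as missing here.
    $hotfix  = Get-HotFix -Id $KbId -ComputerName $server -ErrorAction SilentlyContinue
    $patched = [bool]$hotfix

    # Step 3: unpatched and unable to patch right now -> block inbound 8530/8531.
    # Only done on the local machine, and only when -BlockPorts is given.
    $workaround = 'none'
    if (-not $patched -and $BlockPorts -and $server -eq $env:COMPUTERNAME) {
        New-NetFirewallRule -DisplayName 'Temporary block WSUS 8530-8531' `
            -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block | Out-Null
        $workaround = 'ports 8530/8531 blocked (clients cannot reach WSUS)'
    }

    [pscustomobject]@{ Server = $server; WsusRole = $true; Patched = $patched; Workaround = $workaround }
}

# Unpatched WSUS servers first, so they are the first thing you see.
$report | Sort-Object Patched, Server | Format-Table -AutoSize
```

Remove the temporary firewall rule with `Remove-NetFirewallRule -DisplayName 'Temporary block WSUS 8530-8531'` once the server is patched and rebooted.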

This patch is extremely important because the bug is rated 9.8 on the CVSS scale, which qualifies as critical. Attackers could use it to deploy ransomware or launch network attacks.

My Thoughts

When I read about this, my first thought was: "Not again!" Bugs like this in systems that process updates are alarming, because a compromised update system can spread malware across an entire organization.

If I were still managing WSUS servers today, patching would be my top priority. Even if you do not have enough time, at least apply the workaround to block the attack.