Microsoft released an update to address a critical remote code execution vulnerability impacting Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025), CVE-2025-59287, that a prior update did not fully mitigate. 

CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, ¹ or risk an unauthenticated actor achieving remote code execution with system privileges. Immediate actions for organizations with affected products are:

1. Identify servers that are currently configured to be vulnerable to exploitation (i.e., affected servers with WSUS Server Role enabled and ports open to 8530/8531) for priority mitigation.
2. Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1. Reboot WSUS server(s) after installation to complete mitigation. If organizations are unable to apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports 8530/8531, the default listeners for WSUS, at the host firewall. Of note, do not undo either of these workarounds until after your organization has installed the update.
3. Apply updates to remaining Windows servers. Reboot servers after installation to complete mitigation.

CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog on October 24, 2025.

Disclaimer

Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties. 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

1. Microsoft.com, Windows Server Update Service (WSUS) Remote Code Execution Vulnerability, accessed October 24, 2025, CVE-2025-59287 - Security Update Guide - Microsoft - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability.

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-54236 Adobe Commerce and Magento Improper Input Validation Vulnerability
• CVE-2025-59287 Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability 

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-61932 Motex LANSCOPE Endpoint Manager Improper Verification of Source of a Communication Channel Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released 10 Industrial Control Systems (ICS) advisories. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2022-48503 Apple Multiple Products Unspecified Vulnerability 

• CVE-2025-2746 Kentico Xperience Staging Sync Server Digest Password Authentication Bypass Vulnerability

• CVE-2025-2747 Kentico Xperience Staging Sync Server None Password Type Authentication Bypass Vulnerability

• CVE-2025-33073 Microsoft Windows SMB Client Improper Access Control Vulnerability 

• CVE-2025-61884 Oracle E-Business Suite Server-Side Request Forgery (SSRF) Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. 

CISA released thirteen Industrial Control Systems (ICS) advisories on October 16, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-289-01 Rockwell Automation FactoryTalk View Machine Edition and PanelView Plus 7
• ICSA-25-289-02 Rockwell Automation FactoryTalk Linx
• ICSA-25-289-03 Rockwell Automation FactoryTalk ViewPoint
• ICSA-25-289-04 Rockwell Automation ArmorStart AOP
• ICSA-25-289-05 Siemens Solid Edge
• ICSA-25-289-06 Siemens SiPass Integrated
• ICSA-25-289-07 Siemens SIMATIC ET 200SP Communication Processors
• ICSA-25-289-08 Siemens SINEC NMS
• ICSA-25-289-09 Siemens TeleControl Server Basic
• ICSA-25-289-10 Siemens HyperLynx and Industrial Edge App Publisher
• ICSA-25-289-11 Hitachi Energy MACH GWS
• ICSA-25-224-03 Schneider Electric EcoStruxure (Update A)
• ICSA-24-121-01 Delta Electronics CNCSoft-G2 DOPSoft (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

Today, CISA issued Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices to direct Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply newly released updates from F5. 

A nation-state affiliated cyber threat actor has compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which provides the actor with a technical advantage to exploit F5 devices and software. This poses an imminent threat to federal networks using F5 devices and software.

Key Actions Required:

• Inventory: Identify all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF.
• Harden Public-Facing Hardware and Software Appliances: Identify if physical or virtual BIG-IP devices exposed to the public internet provide public access to the networked management interface.
• Update Instances of BIG-IP Hardware and Software Applications: Apply the latest vendor updates by Oct. 22, 2025, for the following products: F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF— validate the F5 published MD5 checksums for its software image files and other F5 downloaded software. For other devices, update with the latest software release by Oct. 31, 2025, and apply the latest F5-provided asset hardening guidance.
• Disconnect End of Support Devices: Disconnect all public-facing F5 devices that have reached their end-of-support date. Report mission-critical exceptions to CISA.
• Mitigate Against Cookie Leakage: If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions.
• Report: Submit a complete inventory of F5 products and actions taken to CISA by 11:59 p.m. EDT, Oct. 29, 2025.

For detailed guidance, refer to the full Emergency Directive ED 26-01.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-54253 Adobe Experience Manager Forms Code Execution Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released one Industrial Control Systems (ICS) advisory on October 14, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-287-01 Rockwell Automation 1715 EtherNet/IP Comms Module

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2016-7836 SKYSEA Client View Improper Authentication Vulnerability
• CVE-2025-6264 Rapid7 Velociraptor Incorrect Default Permissions Vulnerability
• CVE-2025-24990 Microsoft Windows Untrusted Pointer Dereference Vulnerability
• CVE-2025-47827 IGEL OS Use of a Key Past its Expiration Date Vulnerability
• CVE-2025-59230 Microsoft Windows Improper Access Control Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2021-43798 Grafana Path Traversal Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on October 7, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-280-01 Delta Electronics DIAScreen
• ICSA-25-226-31 Rockwell Automation 1756-EN4TR, 1756-EN4TRXT (Update B)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2025-27915 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2010-3765 Mozilla Multiple Products Remote Code Execution Vulnerability
• CVE-2010-3962 Microsoft Internet Explorer Uninitialized Memory Corruption Vulnerability
• CVE-2011-3402 Microsoft Windows Remote Code Execution Vulnerability
• CVE-2013-3918 Microsoft Windows Out-of-Bounds Write Vulnerability
• CVE-2021-22555 Linux Kernel Heap Out-of-Bounds Write Vulnerability
• CVE-2021-43226 Microsoft Windows Privilege Escalation Vulnerability
• CVE-2025-61882 Oracle E-Business Suite Unspecified Vulnerability 

These types of vulnerabilities are frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

• CVE-2014-6278 GNU Bash OS Command Injection Vulnerability
• CVE-2015-7755 Juniper ScreenOS Improper Authentication Vulnerability
• CVE-2017-1000353 Jenkins Remote Code Execution Vulnerability
• CVE-2025-4008 Smartbedded Meteobridge Command Injection Vulnerability
• CVE-2025-21043 Samsung Mobile Devices Out-of-Bounds Write Vulnerability

These types of vulnerabilities are frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. 

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA released two Industrial Control Systems (ICS) advisories on October 2, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-275-01 Raise3D Pro2 Series 3D Printers
• ICSA-25-275-02 Hitachi Energy MSM Product

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

CISA released ten Industrial Control Systems (ICS) advisories on September 30, 2025. These advisories provide timely information about current security issues, vulnerabilities, and exploits surrounding ICS.

• ICSA-25-273-01 MegaSys Enterprises Telenium Online Web Application
• ICSA-25-273-02 Festo SBRD-Q/SBOC-Q/SBOI-Q
• ICSA-25-273-03 Festo CPX-CEC-C1 and CPX-CMXX
• ICSA-25-273-04 Festo Controller CECC-S,-LK,-D Family Firmware
• ICSA-25-273-05 OpenPLC_V3
• ICSA-25-273-06 National Instruments Circuit Design Suite
• ICSA-25-273-07 LG Innotek Camera Multiple Models
• ICSA-25-063-02 Keysight Ixia Vision Product Family (Update A)
• ICSA-22-298-02 HEIDENHAIN Controller TNC (Update A)
• ICSA-25-226-26 Rockwell Automation FLEX 5000 I/O (Update A)

CISA encourages users and administrators to review newly released ICS advisories for technical details and mitigations.

The Cybersecurity and Infrastructure Security Agency (CISA) announced that it has transitioned to a new model to better equip state, local, tribal, and territorial (SLTT) governments to strengthen shared responsibility nationwide. CISA is supporting our SLTT partners with access to grant funding, no-cost tools, and cybersecurity expertise to be resilient and lead at the local level. 

CISA’s cooperative agreement with the Center for Internet Security (CIS) will reach its planned end on September 30, 2025. This transition reflects CISA’s mission to strengthen accountability, maximize impact, and empower SLTT partners to defend today and secure tomorrow.

Support for SLTTs includes:

• Access to Grant Funding from the Department of Homeland Security (DHS), available through CISA in coordination with the Federal Emergency Management Agency (FEMA). This funding is provided via the State and Local Cybersecurity Grant Program (SLCGP) and the Tribal Cybersecurity Grant Program (TCGP).
• No-cost services and tools such as Cyber Hygiene scanning and vulnerability management
• Cybersecurity Performance Goals and the Cyber Security Evaluation Tool to prioritize and measure progress
• Regional Cybersecurity Advisors and Cybersecurity Coordinators delivering hands-on, local and virtual expertise
• Professional services including vulnerability assessments and incident response coordination
• Bi-monthly SLTT Security Operations Center calls providing timely cyber defense updates

This initiative reinforces CISA’s role as the nation’s leading cyber defense agency, protecting critical infrastructure, enabling secure communications, and empowering partners on the front lines of America’s cybersecurity.

For more information about CISA’s Cybersecurity Services for SLTT partners, visit:  CISA Cybersecurity Resources for State, Local, Tribal, and Territorial