US Government orders patching of critical Windows Server security issue


  • CISA adds critical WSUS bug CVE-2025-59287 to its KEV catalog
  • Microsoft issued emergency patch after real-world exploitation reports surfaced
  • Over 2,800 WSUS servers exposed; agencies must patch by November 14

The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, warning federal agencies about in-the-wild abuse and giving them a three-week deadline to patch.

Microsoft recently pushed an emergency patch to fix a “deserialization of untrusted data” vulnerability found in Windows Server Update Services (WSUS), a tool that lets IT admins manage the patching of computers within their network.

The flaw, tracked as CVE-2025-59287, was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges ...


Copyright of this story solely belongs to techradar.com.