Threat Response – Critical Vulnerability in Windows Server Update Service
Dutch follows English
On June 17, 2025, Citrix published an advisory regarding two vulnerabilities [1]. These two critical vulnerabilities in NetScaler ADC and NetScaler Gateway appliances allow attackers to gain unauthorized access to certain parts of the system and lead to an out-of-bounds read. We previously emailed you about these vulnerabilities and advised you to apply the patch quickly. Since then, these vulnerabilities have been abused at scale, both by nation-state actors and by other actors. If you did not patch in time, you should assume your devices have been compromised and act accordingly.
Description
On June 17, Citrix published details of the vulnerabilities in their products and made patches available. As early as June 20, a threat actor that is presumably a Chinese nation-state actor started exploiting the vulnerability in a targeted way [2]. On July 4, a public proof-of-concept exploit was published, which enabled anybody to develop exploits and scanners. Since then, numerous actors have exploited the vulnerability, and threat intelligence providers have used this exploitation activity to retroactively spot exploitation prior to July 4, resulting in the intelligence on Chinese actors.
Impact
The impact of this vulnerability is high: it allows attackers to obtain valid session tokens and hijack existing sessions, or set up new sessions with the privileges of the users associated with the stolen tokens. Exploitation is not trivial, but not too hard either.
Risk
If you did not patch your vulnerable NetScalers prior to July 4, you should assume they have been compromised. If you did not patch your vulnerable NetScalers prior to June 20 and you are potentially of interest to Chinese nation-state actors, you should investigate under the assumption of compromise.
Mitigation
Follow the patching advice previously described in our TR [3].
What should you do?
If you have not patched your vulnerable NetScaler devices yet, we recommend taking them offline immediately and investigating compromise of the devices and of the IT environment they give access to. The likelihood of compromise is high at this point, and attackers who gained access through these NetScaler devices will most likely have had access to the systems behind them for some time now.
If you patched after June 20, we recommend that you investigate your logs for signs of compromise using the published indicators [4]. Additionally, you can search for a mismatch between the IP address that started a user session and the IP address from which that session was subsequently used. Such a mismatch is an indication of a session being hijacked by an attacker.
If you spot anomalies in IP addresses in this way, or if you find signs of compromise using the recommended searches [4], we recommend that you contact our CERT for an investigation into a possible breach.
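As an added example (not part of the original advisory), the session-IP mismatch check described above, applied to a few constructed log lines. The log field names (session, src, event) are an assumption for illustration, not the real NetScaler log format.

```powershell
# Added example: flag sessions that were created from one client IP but later
# used from a different one, the mismatch the advisory names as a hijack indicator.
# The log lines below are constructed; the field names are assumptions.
$constructedLog = @'
2025-07-05T08:01:12Z session=a1f3 src=203.0.113.10 event=login user=alice
2025-07-05T08:02:40Z session=a1f3 src=203.0.113.10 event=request path=/vpn
2025-07-05T08:15:03Z session=a1f3 src=198.51.100.77 event=request path=/vpn
2025-07-05T09:10:00Z session=b7c9 src=192.0.2.25 event=login user=bob
2025-07-05T09:12:31Z session=b7c9 src=192.0.2.25 event=request path=/vpn
'@

function Find-HijackedSessions {
    param([string[]]$Lines)

    $sessions = @{}
    foreach ($line in $Lines) {
        # Pull the session id, source IP and event type out of each line
        if ($line -notmatch 'session=(?<sid>\S+)\s+src=(?<ip>\S+)\s+event=(?<ev>\S+)') { continue }
        $sid = $Matches.sid; $ip = $Matches.ip; $ev = $Matches.ev

        if (-not $sessions.ContainsKey($sid)) {
            # First sighting of this session: start tracking the IPs that use it
            $sessions[$sid] = @{ LoginIp = $null; UsedFrom = @{} }
        }
        if ($ev -eq 'login') { $sessions[$sid].LoginIp = $ip }
        $sessions[$sid].UsedFrom[$ip] = $true
    }

    foreach ($sid in $sessions.Keys) {
        $s = $sessions[$sid]
        # Any IP other than the one that logged in is suspicious
        $others = @($s.UsedFrom.Keys | Where-Object { $_ -ne $s.LoginIp })
        if ($others.Count -gt 0) {
            [pscustomobject]@{
                Session  = $sid
                LoginIp  = $s.LoginIp
                OtherIps = ($others -join ',')
            }
        }
    }
}

# On the constructed input only session a1f3 is reported (login from
# 203.0.113.10, later used from 198.51.100.77); b7c9 is clean.
Find-HijackedSessions -Lines ($constructedLog -split "`r?`n") | Format-Table -AutoSize
```

Sessions reported this way are a lead for the log review, not proof on their own: users on mobile or VPN links can legitimately change IP, so confirm against the published indicators [4] before escalating.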
What will Northwave do?
Vulnerability Management customers will be informed in case vulnerable systems are detected in their infrastructure.
We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX693420
[2]: https://doublepulsar.com/citrixbleed-2-situation-update-everybody-already-got-owned-503c6d06da9f
[4]: https://doublepulsar.com/citrixbleed-2-exploitation-started-mid-june-how-to-spot-it-f3106392aa71
On 24 October 2025, Microsoft released an additional out-of-band security patch to address a critical vulnerability in the Windows Server Update Service (WSUS), tracked as CVE-2025-59287 [1]. The initial patch for this vulnerability, released on 14 October 2025 as part of “Patch Tuesday”, is NOT sufficient to protect a system against exploitation. The vulnerability allows remote attackers to perform remote code execution against Windows Server hosts that have the WSUS server role enabled. Windows Server hosts with the WSUS server role enabled should be patched immediately. The NCSC tracks this vulnerability as NCSC-2025-0310 [2].
Description
The vulnerability tracked as CVE-2025-59287 allows an unauthorized remote attacker to perform remote code execution on a Windows Server host with the Windows Server Update Services (WSUS) role enabled. This role is not enabled by default. Exploitation of the vulnerability allows a remote attacker to obtain SYSTEM privileges on the host, and therefore to execute arbitrary code as the SYSTEM user [2]. Microsoft initially released a patch for this vulnerability as part of “Patch Tuesday” on 14 October 2025, but this patch is not sufficient to remediate the vulnerability. Additionally, exploitation of this vulnerability has been observed in the wild [2].
Impact
We assess the impact of this attack as high, as exploitation of the vulnerability provides a threat actor with unauthenticated remote code execution as the SYSTEM user.
Risk
The risk level is also considered high, as exploitation of the vulnerability has been observed in the wild. Additionally, the complexity of the attack is low and proof-of-concept code is available, increasing the risk of exploitation [2].
Mitigation
To mitigate the vulnerability, install the out-of-band update released on 24 October 2025 on Windows Server machines. In case patching is not possible, the following workarounds are available to protect the host [1]:
- Disable the WSUS Server Role on your server. This will result in clients no longer being able to receive updates from the server.
- Block inbound traffic to ports 8530 and 8531 on the host firewall. This renders WSUS non-operational.
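An added example (not from the advisory or from Microsoft) that applies the two workarounds above on a Windows Server host. It assumes WSUS listens on the default ports 8530/8531 named in the advisory; the firewall rule display names are chosen here and are not a Microsoft convention.

```powershell
# Added example: check for the WSUS role and, if present, apply the advisory's
# firewall workaround (block inbound TCP 8530/8531). Run as Administrator.
param(
    [switch]$RemoveRole   # also uninstall the WSUS role (clients stop receiving updates)
)

Import-Module ServerManager
$wsus = Get-WindowsFeature -Name UpdateServices

if (-not $wsus.Installed) {
    Write-Host "WSUS role (UpdateServices) is not installed; this host is not exposed via the role."
    return
}
Write-Host "WSUS role is installed; applying workaround until the out-of-band patch is installed."

# Block inbound traffic to the WSUS listener ports on every firewall profile.
# This renders WSUS non-operational; remove the rules again after patching.
foreach ($port in 8530, 8531) {
    $name = "Block-WSUS-Inbound-$port"   # rule name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Created inbound block rule for TCP $port."
    } else {
        Write-Host "Block rule for TCP $port is already present."
    }
}

if ($RemoveRole) {
    # Alternative workaround from the advisory: remove the role entirely.
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
    Write-Host "WSUS role removed; a reboot may be required to complete removal."
}

# Verify that the block rules exist and are enabled
Get-NetFirewallRule -DisplayName 'Block-WSUS-Inbound-*' |
    Select-Object DisplayName, Enabled, Direction, Action
```

If WSUS was configured with non-default ports, check the IIS bindings of the WSUS site and block those ports instead.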
What Should You Do?
We recommend applying the out-of-band patch released on 24 October 2025 immediately for Windows Server hosts. In case patching is not possible and the WSUS Server Role is enabled on the host, we recommend performing the workarounds provided in this Threat Response.
What Will Northwave Do?
We will continue to monitor developments related to this attack. If new critical information arises, we will contact you. If you would like additional information, please feel free to call us or send an email.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
On 24 October 2025, Microsoft released an additional out-of-band patch to remediate the critical vulnerability in the Windows Server Update Service (WSUS) on Windows Server machines [1]. The vulnerability in WSUS is tracked as CVE-2025-59287. The initial patch for this vulnerability, released as part of “Patch Tuesday” on 14 October 2025, is NOT sufficient to remediate this vulnerability. The vulnerability allows remote attackers to execute arbitrary code on Windows Server machines on which the WSUS server role is enabled. Windows Server machines on which this role is enabled must be patched immediately to remediate the vulnerability. The NCSC tracks this vulnerability as NCSC-2025-0310 [2].
Description
The vulnerability, tracked as CVE-2025-59287, allows an unauthorized remote attacker to execute arbitrary code on a Windows Server machine on which the Windows Server Update Services (WSUS) role is enabled. This role is not enabled by default. By exploiting the vulnerability, a remote attacker can obtain SYSTEM privileges on the machine, allowing the attacker to execute arbitrary code as the SYSTEM user [2]. Microsoft initially released a patch for this vulnerability as part of “Patch Tuesday” on 14 October 2025, but this patch is not sufficient to remediate the vulnerability. In addition, exploitation of this vulnerability has been observed in the wild [2].
Impact
We assess the impact of this attack as high, since exploitation of the vulnerability gives an attacker the ability to remotely execute arbitrary code as the SYSTEM user.
Risk
The risk is likewise assessed as high, since exploitation of the vulnerability has been observed in the wild. In addition, the complexity of the attack is low and proof-of-concept code to exploit the vulnerability is available, which increases the risk of exploitation [2].
Mitigation
We recommend applying the out-of-band patch released on 24 October 2025 for Windows Server machines as soon as possible. If patching is not possible, the following temporary workarounds are available [1]:
- Disable the WSUS server role on Windows Server machines. This means clients can no longer receive updates from the server.
- Block inbound traffic to ports 8530 and 8531 on the system's firewall to render WSUS non-operational.
What should you do?
We recommend applying the out-of-band patch released on 24 October 2025 to Windows Server machines immediately. If patching is not possible and the WSUS server role is enabled on the host, we recommend carrying out the temporary workarounds described in this Threat Response.
What will Northwave do?
We will continue to monitor developments around this attack closely. If new critical information becomes available, we will contact you. You can call or email us if you would like additional information.
E-mail: soc@northwave-cybersecurity.com
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000
Disclaimer applies, see below.
Sources
[1]: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
