Microsoft has released a security update to address a critical remote code execution vulnerability impacting multiple versions of Windows Server Update Services that was not fully eradicated by a previous update, according to the Cybersecurity and Infrastructure Security Agency.
CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, or risk an unauthenticated actor achieving remote code execution with SYSTEM-level privileges. Immediate actions for organizations with affected products are:
- Identify servers vulnerable to exploitation (i.e., affected servers with WSUS Server Role enabled and ports open to TCP 8530/TCP 8531) for priority mitigation:
  - Run the following command in PowerShell to check if WSUS is in an installed state: `Get-WindowsFeature -Name UpdateServices`; and/or
  - Leverage the Server Manager Dashboard, and check if WSUS enablement is turned on as a Server Role.
- Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1. Reboot WSUS server(s) after installation to complete mitigation. If organizations are unable to apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports TCP 8530/TCP 8531, the default listeners for WSUS, at the host firewall. Of note, do not undo either of these workarounds until your organization has installed the update.
- Apply updates to remaining Windows servers. Reboot servers after installation to complete mitigation.
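
The checks in the first step and the host-firewall workaround in the second can be scripted per server. The following PowerShell is an added example, not code from CISA, Microsoft or AHA; the function name `Get-WsusExposure` and the rule name `TEMP-Block-WSUS-Inbound` are illustrative assumptions, and it assumes an elevated session on a Windows Server.

```powershell
# Added example: report whether this host meets the exposure conditions from
# Step 1 and, if requested, apply the temporary firewall workaround from Step 2.
function Get-WsusExposure {
    [CmdletBinding()]
    param(
        [int[]]$Ports = @(8530, 8531),   # default WSUS listeners named in the guidance
        [switch]$BlockInbound            # add the temporary inbound block rule
    )

    $ruleName = 'TEMP-Block-WSUS-Inbound'   # hypothetical rule name

    # Same check as the guidance: is the WSUS Server Role installed?
    $feature = Get-WindowsFeature -Name UpdateServices
    $roleInstalled = [bool]$feature.Installed

    # Which of the WSUS ports is this host actually listening on?
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object)

    $rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

    if ($BlockInbound -and $roleInstalled -and -not $rule) {
        # Block rules take precedence over allow rules in Windows Firewall.
        $rule = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort $Ports -Action Block
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        WsusInstalled    = $roleInstalled
        InstallState     = [string]$feature.InstallState
        ListeningPorts   = $listening
        BlockRulePresent = [bool]$rule
        # Priority for mitigation: role installed and a WSUS port listening.
        Priority         = $roleInstalled -and ($listening.Count -gt 0)
    }
}

Get-WsusExposure                   # report only
# Get-WsusExposure -BlockInbound   # report and add the temporary block rule
```

Per the guidance above, leave the block rule in place until the update is installed and the server has been rebooted.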
“Remote code execution vulnerabilities give an attacker the ability to take control of a victim’s system completely,” said Scott Gee, AHA deputy national advisor for cybersecurity and risk. “This is a serious issue that needs immediate attention for hospitals using the WSUS system.”
For more information on this or other cyber and risk issues, contact Gee at sgee@aha.org. For the latest cyber and risk resources and threat intelligence, visit aha.org/cybersecurity.



