Close Menu
TechurzTechurz
    What's Hot

    IQM, Europe’s first public quantum company, admits the future of the tech is uncertain

    July 2, 2026

    Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office

    July 2, 2026

    Bending Spoons defies SaaS slump, surges 40% on first day of trading

    July 1, 2026
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Tech Pulse
    • IQM, Europe’s first public quantum company, admits the future of the tech is uncertain
    • Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office
    • Bending Spoons defies SaaS slump, surges 40% on first day of trading
    • Humble Robotics’ CEO says the tech finally caught up to the vision for autonomous vehicles
    • Autonomous vehicle hype is back, and Humble Robotics is bringing it to freights
    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    TechurzTechurz
    • Home
    • Tech Pulse
    • Future Tech
    • AI Systems
    • Cyber Reality
    • Disruption Lab
    • Signals
    TechurzTechurz
    Home - Cyber Reality - CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers
    Cyber Reality

    CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

    TechurzBy TechurzOctober 31, 2025Updated:May 10, 2026No Comments4 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers
    Share
    Facebook Twitter LinkedIn Pinterest Email


    Oct 31, 2025Ravie LakshmananVulnerability / Threat Intelligence

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.

    “By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks,” CISA said.

    The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.

    Some of the best practices outlined are listed below –

    • Maintain security updates and patching cadence
    • Migrate end-of-life Exchange servers
    • Ensure Exchange Emergency Mitigation Service remains enabled
    • Apply and maintain the Exchange Server baseline, Windows security baselines, and applicable mail client security baselines
    • Enable antivirus solution, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), and AppLocker and App Control for Business, Endpoint Detection and Response, and Exchange Server’s anti-spam and anti-malware features
    • Restrict administrative access to the Exchange Admin Center (EAC) and remote PowerShell and apply the principle of least privilege
    • Harden authentication and encryption by configuring Transport Layer Security (TLS), HTTP Strict Transport Security (HSTS), Extended Protection (EP), Kerberos and Server Message Block (SMB) instead of NTLM, and multi-factor authentication
    • Disable remote PowerShell access by users in the Exchange Management Shell (EMS)

    “Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions,” the agencies noted. “Continuously evaluating and hardening the cybersecurity posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organizations.”

    CISA Updates CVE-2025-59287 Alert

    The guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly re-patched security flaw in the Windows Server Update Services (WSUS) component that could result in remote code execution.

    The agency is recommending that organizations identify servers that are susceptible to exploitation, apply the out-of-band security update released by Microsoft, and investigate signs of threat activity on their networks –

    • Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe
    • Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands

    The development follows a report from Sophos that threat actors are exploiting the vulnerability to harvest sensitive data from U.S. organizations spanning a range of industries, including universities, technology, manufacturing, and healthcare. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update.

    In these attacks, the attackers have been found to leverage vulnerable Windows WSUS servers to run a Base64-encoded PowerShell commands, and exfiltrate the results to a webhook[.]site endpoint, corroborating other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.

    The cybersecurity company told The Hacker News that it has identified six incidents in its customer environments to date, although further research has flagged at least 50 victims.

    “This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations,” Rafe Pilling, director of threat intelligence at Sophos Counter Threat Unit, told The Hacker News in a statement.

    “It’s possible this was an initial test or reconnaissance phase, and that attackers are now analyzing the data they’ve gathered to identify new opportunities for intrusion. We’re not seeing further mass exploitation at this time, but it’s still early, and defenders should treat this as an early warning. Organizations should ensure their systems are fully patched and that WSUS servers are configured securely to reduce the risk of exploitation.”

    Michael Haag, principal threat research engineer at Cisco-owned Splunk, noted in a post on X that CVE-2025-59287 “goes deeper than expected” and that they found an alternate attack chain that involves the use of the Microsoft Management Console binary (“mmc.exe”) to trigger the execution of “cmd.exe” when an admin opens WSUS Admin Console or hits “Reset Server Node.”

    “This path triggers a 7053 Event Log crash,” Haag pointed out, adding it matches the stack trace spotted by Huntress at “C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log.”

    CISA Exchange guidance Issue Microsoft NSA secure servers Urgent WSUS
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleAembit Introduces Identity and Access Management for Agentic AI
    Next Article Not enough people are talking about this budget Android phone that’s feature rich
    Techurz
    • Website

    Related Posts

    Opinion

    Indian tech tycoon bets $30M of his own money to build AI alternative to Microsoft Office

    July 2, 2026
    Opinion

    Microsoft taps Alt Carbon in sign of India’s growing role in carbon removal

    June 11, 2026
    Opinion

    Helion, the Sam Altman-backed fusion startup, raises $465M to build a power plant for Microsoft

    June 4, 2026
    Add A Comment
    Latest Tech Pulse

    College social app Fizz expands into grocery delivery

    September 3, 20252,290

    12 Father’s Day E-Card Sites That Are Actually Good

    June 4, 202523

    SolarSquare in talks to raise up to $60M as India’s rooftop solar market draws major VC interest

    May 23, 202622
    Stay In Touch
    • YouTube
    • WhatsApp
    • Twitter
    • Pinterest
    • LinkedIn

    Techurz helps readers stay ahead of digital change with clear, practical, future focused technology intelligence written today,searched tomorrow.

    X (Twitter) Pinterest YouTube LinkedIn WhatsApp
    Company
    • About Us
    • Contact Us
    • Our Authors / Editorial Team
    • Write For Us
    • Advertise
    Policy
    • Editorial Policy
    • Privacy Policy
    • Terms and Conditions
    • Affiliate Disclosure
    • Cookie Policy
    • Disclaimer
    • DMCA
    Explore
    • AI Systems
    • Cyber Reality
    • Future Tech
    • Disruption Lab
    • Signals
    • Tech Pulse
    • Sitemap

    Join the Techurz Brief

    The future does not arrive suddenly.
    Stay ahead with fast, sharp tech signals.

    Type above and press Enter to search. Press Esc to cancel.