HTG Threat Report

Threat Report 10/29/25

Written by Evan Kennedy | Oct 29, 2025 3:28:47 PM

A Vulnerability in Microsoft Windows Server Update Services (WSUS) Could Allow for Remote Code Execution

A vulnerability has been discovered in Microsoft Windows Server Update Services (WSUS) which could allow for remote code execution. WSUS is a tool that helps organizations manage and distribute Microsoft updates across multiple computers. Instead of every PC downloading updates from Microsoft's servers, WSUS downloads and stores the updates, then distributes them to all computers on the network that connect to it. Successful exploitation of the vulnerability could allow an attacker to gain full control of the WSUS server and distribute malicious updates to client devices.

Affected Systems: 

  • Windows Server 2012 R2 versions prior to build 6.3.9600.22826 
  • Windows Server 2012 versions prior to build 6.2.9200.25728 
  • Windows Server 2016 versions prior to build 10.0.14393.8524 
  • Windows Server 2025 versions prior to build 10.0.26100.6905 
  • Windows Server 2022, 23H2 Edition (Server Core installation) versions prior to build 10.0.25398.1916 
  • Windows Server 2022 versions prior to build 10.0.20348.4297 
  • Windows Server 2019 versions prior to build 10.0.17763.7922 

Risk: 

  • Large and medium business entities: High 
  • Small business entities: Medium

Remediation Recommendations 

  • Ensure all Windows Server instances have the latest updates installed
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)
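As an added check (not part of the HTG report), the following PowerShell snippet, run on a WSUS host, reads the installed build and revision from the registry and compares them against the fixed builds listed above. It assumes the standard CurrentVersion registry key and the ServerManager module's Get-WindowsFeature cmdlet are available.

```powershell
# Added example, not from the HTG report: compare this server's build and
# revision (UBR) against the fixed builds in the advisory above.

# Build number -> minimum patched revision, copied from the advisory's list.
$PatchedRevision = @{
    '9200'  = 25728   # Windows Server 2012      (6.2.9200.25728)
    '9600'  = 22826   # Windows Server 2012 R2   (6.3.9600.22826)
    '14393' = 8524    # Windows Server 2016      (10.0.14393.8524)
    '17763' = 7922    # Windows Server 2019      (10.0.17763.7922)
    '20348' = 4297    # Windows Server 2022      (10.0.20348.4297)
    '25398' = 1916    # Windows Server 2022 23H2 (10.0.25398.1916)
    '26100' = 6905    # Windows Server 2025      (10.0.26100.6905)
}

# Standard Windows location for the installed build and update revision.
$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuildNumber
# UBR is missing on some older installs; treat a missing value as revision 0
# (i.e. assume unpatched rather than silently passing).
$ubr   = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { 0 }

# Only hosts that actually run the WSUS role expose the vulnerable service.
$wsusInstalled = $false
try {
    $wsusInstalled = (Get-WindowsFeature -Name UpdateServices).Installed
} catch {
    Write-Warning 'Get-WindowsFeature unavailable; cannot confirm whether the WSUS role is installed.'
}

if (-not $PatchedRevision.ContainsKey($build)) {
    Write-Output "Build $build.$ubr is not in the advisory's affected list; no conclusion drawn."
} elseif ($ubr -ge $PatchedRevision[$build]) {
    Write-Output "Build $build.$ubr is at or above the fixed build $build.$($PatchedRevision[$build])."
} else {
    $msg = "Build $build.$ubr is BELOW the fixed build $build.$($PatchedRevision[$build]); install the latest update."
    if ($wsusInstalled) {
        Write-Warning "$msg The WSUS role is installed on this host."
    } else {
        Write-Output "$msg (WSUS role not detected on this host.)"
    }
}
```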

Oracle Quarterly Critical Patches Issued October 21, 2025

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.

Affected Systems:

  • Firefox versions prior to 144 
  • Firefox ESR versions prior to 115.29 
  • Firefox ESR versions prior to 140.4 
  • Thunderbird versions prior to 144 
  • Thunderbird versions prior to 140.4 
  • Thunderbird ESR versions prior to 140.4

Risk:

  • Large and medium business entities: High
  • Small business entities: High

Remediation Recommendations 

  • Ensure all Oracle products are updated to their latest versions
  • Enact the Principle of Least Privilege (limit higher-level privileges to only the users that need them)

CISA Layoffs Threaten US Cyber Coordination Efforts

The Trump administration recently shuttered the Cybersecurity and Infrastructure Security Agency's (CISA) Stakeholder Engagement Division (SED). SED was a key unit tasked with coordinating cybersecurity improvements with state, local, private, and international partners. The layoffs cut nearly all of SED's 95 staff members, leaving only the Sector Management unit.

Following this move, the White House has three offices: Council Management, Strategic Relations, and International Affairs.

Experts warn that these cuts could erode trust, reduce situational awareness, and weaken collaboration efforts. Former White House cybersecurity advisor Michael Daniel noted that downsizing risks leaving CISA "blind to certain threats and trends."

CISA Warns of Actively Exploited SMB Flaw

The US Cybersecurity and Infrastructure Security Agency (CISA) warns that a high-severity Windows SMB flaw (CVE-2025-33073) is being actively exploited in attacks, BeyondMachines reports. The vulnerability, which received a CVSS score of 8.8, was patched in Microsoft's July 2025 Patch Tuesday updates. The flaw is an improper access control vulnerability that can allow attackers to gain SYSTEM privileges on a compromised machine.

CISA has ordered federal civilian agencies to patch the flaw by November 10th, and private sector organizations should follow suit.

New Data Leak Exposes 183 Million Email Addresses and Passwords

Security researcher Troy Hunt found a new data leak, which he attributes to threat intelligence firm Synthient. The data comprised roughly 3.5 terabytes and 23 billion rows and included both stolen Gmail logins and website credentials.

Hunt stated that 8% of the listed entries were new, adding 16 million previously unseen addresses, with evidence that some of these records were tied to affected users. Experts urge users to change their passwords and to avoid reusing passwords across multiple accounts.