AL25-015 – Vulnerability impacting Microsoft Windows Server Update Services – CVE-2025-59287

**Number:** AL25-015

**Date:** October 24, 2025

Audience
--------

This Alert is intended for professionals and managers.

Purpose
-------

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (‘Cyber Centre’) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details
-------

On October 24, 2025, Microsoft published an out-of-band security update for a critical vulnerability in the Windows Server Update Service (WSUS)^[Footnote 1](#fn1)^.

CVE-2025-59287 involves the deserialization of untrusted data in WSUS, allowing an unauthorized attacker to execute code over a network.

The WSUS Server Role is not enabled by default on Windows servers, and Windows servers that do not have this role enabled are not vulnerable.

In response to Microsoft’s disclosure, the Cyber Centre released an update to AV25-666 on October 24, 2025^[Footnote 2](#fn2)^.

The Cyber Centre is aware of active exploitation^[Footnote 3](#fn3)^.

Suggested actions
-----------------

The Cyber Centre strongly recommends that organizations follow Microsoft customer guidance for mitigation advice:

* Apply the recommended update. If this is not possible, apply the following mitigations:
  * If the WSUS Server Role is enabled on your server, disable it. Note that clients will no longer receive updates from the server if WSUS is disabled.
  * Block inbound traffic to ports 8530 and 8531 on the host firewall (as opposed to blocking only at the network/perimeter firewall) in order to render WSUS non-operational.

Microsoft adds that this update is cumulative, so organizations do not need to apply any previous updates before installing this one, as it supersedes all previous updates for affected versions. Microsoft suggests that organizations that have not applied the October 2025 Windows security update apply this out-of-band update instead. After installation, a reboot will be required.

In addition, the Cyber Centre strongly recommends that organizations review and implement the Cyber Centre’s Top 10 IT Security Actions, with an emphasis on the following topics^[Footnote 4](#fn4)^:

* Patching operating systems and applications
* Isolating web-facing applications

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the [My Cyber Portal](https://www.cyber.gc.ca/en/incident-management), or email [contact@cyber.gc.ca](mailto:contact@cyber.gc.ca).

References
----------

* Footnote 1: [Windows Server Update Service (WSUS) Remote Code Execution Vulnerability](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287)
* Footnote 2: [Microsoft security advisory (AV25-666)](/en/alerts-advisories/microsoft-security-advisory-october-2025-monthly-rollup-av25-666)
* Footnote 3: [Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)](https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability)
* Footnote 4: [Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)](/en/guidance/top-10-it-security-actions-protect-internet-connected-networks-and-information-itsm10089)
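The checks and the host-firewall mitigation from the suggested actions above, as an added PowerShell example that is not Cyber Centre or Microsoft code. The `-ApplyBlock` switch and the rule name are constructed for this example; `UpdateServices` is the Server Manager feature name of the WSUS Server Role.

```powershell
#Requires -RunAsAdministrator
# Added example (not Cyber Centre or Microsoft code): audit one server against AL25-015.
param(
    [switch]$ApplyBlock   # constructed switch: also create the host-firewall block rule
)

$ports    = 8530, 8531                       # WSUS ports named in the alert
$ruleName = 'AL25-015 block inbound WSUS'    # constructed rule name (assumption)

# 1. Servers without the WSUS Server Role are not vulnerable, so check that first.
#    'UpdateServices' is the Server Manager feature name of the WSUS role.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS Server Role not installed: not vulnerable to CVE-2025-59287.'
    return
}
Write-Warning 'WSUS Server Role is installed: apply the out-of-band update and reboot.'

# 2. Report anything currently listening on the WSUS ports.
$listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports })
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Output "Listening: $($l.LocalAddress):$($l.LocalPort) PID $($l.OwningProcess) $($proc.ProcessName)"
}
if ($listeners.Count -eq 0) { Write-Output 'No listener on 8530/8531 right now.' }

# 3. Interim mitigation when the update cannot be applied yet: block inbound 8530/8531
#    on the host firewall. A block rule takes precedence over WSUS's allow rules, and
#    clients stop receiving updates from this server while it is in place.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Block rule '$ruleName' already present (Enabled: $($existing.Enabled))."
} elseif ($ApplyBlock) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ports -Action Block -Profile Any | Out-Null
    Write-Output "Created inbound block rule '$ruleName' for TCP 8530 and 8531."
} else {
    Write-Output 'No block rule found. Re-run with -ApplyBlock to create it.'
}
```

Once the update is installed and the server rebooted, `Remove-NetFirewallRule -DisplayName 'AL25-015 block inbound WSUS'` removes the interim rule so clients can reach WSUS again.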

Related Tags:

* NAICS: 921 – Executive, Legislative, and Other General Government Support
* NAICS: 54 – Professional, Scientific, and Technical Services
* NAICS: 541 – Professional, Scientific, and Technical Services
* NAICS: 518 – Computing Infrastructure Providers, Data Processing, Web Hosting, and Related Services
* NAICS: 92 – Public Administration
* NAICS: 51 – Information
* Blog: Government of Canada Alerts and Advisories
* Exploitation for Client Execution
