CISA, NSA Urge Immediate Security Measures for WSUS and Exchange Servers

7 hours ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have issued crucial advice for organizations running on-premises Microsoft Exchange Server. Collaborating with partners from Australia and Canada, the agencies aim to counter increasing cyber threats targeting Exchange. Unpatched or misconfigured servers expose organizations to significant risk.

Key Recommendations for Secure Exchange Server Deployment

CISA emphasizes several measures that organizations should implement to enhance their security framework:

  • Restrict administrative access to the Exchange Admin Center and employ multi-factor authentication.
  • Migrate end-of-life or hybrid Exchange servers to Microsoft 365.
  • Enable and maintain the Exchange Emergency Mitigation Service.
  • Regularly update and patch security vulnerabilities.
  • Apply security baselines for Exchange Server and related systems.
  • Utilize advanced threat protection features, including antivirus software and Endpoint Detection and Response.
  • Harden authentication protocols like TLS and Kerberos.
  • Disable remote PowerShell access in the Exchange Management Shell.

CISA warned that unprotected and misconfigured instances are particularly susceptible to attacks. “Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications,” the agencies stated.

Urgent WSUS Security Alerts

In a separate but related alert, CISA updated its guidance on a recently discovered vulnerability, CVE-2025-59287, within Windows Server Update Services (WSUS). This flaw could enable remote code execution, putting many organizations at risk.

  • Organizations should identify vulnerable servers and apply Microsoft’s out-of-band security update.
  • Active monitoring for suspicious activity, particularly processes associated with wsusservice.exe, is strongly recommended.

Reports indicate that attackers have begun exploiting this vulnerability, targeting various sectors such as education, technology, and healthcare. Exploitation activities reportedly commenced on October 24, 2025, shortly after the patch was issued.

Threat Landscape and Impact

Cybersecurity firm Sophos reported numerous incidents tied to this exploitation. Threat actors have been leveraging compromised WSUS servers to execute harmful PowerShell commands, ultimately aiming to extract sensitive data. Continued monitoring of activity related to these incidents is critical, as attackers may still be assessing the data they have gathered.
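The monitoring recommendation above (watch processes associated with wsusservice.exe) and the Sophos observation that compromised WSUS servers were used to run PowerShell can be turned into a simple detection. The following is an added example, not code from CISA, Sophos or Microsoft: it scans constructed Sysmon-style process-creation records and flags cases where WsusService.exe is the parent of a shell or PowerShell process. The field names, the sample log lines and the assumption that the WSUS service has no routine reason to spawn those children are all this example's own.

```python
import json
import ntpath

# Constructed Sysmon-style (Event ID 1, process creation) records as JSON lines.
# Sample data written for this example; not real telemetry from any incident.
SAMPLE_LOG = r"""
{"Computer":"wsus01","ParentImage":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -WindowStyle Hidden -Command <constructed>","User":"NT AUTHORITY\\NETWORK SERVICE"}
{"Computer":"wsus01","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","CommandLine":"\"C:\\Program Files\\Update Services\\Service\\WsusService.exe\"","User":"NT AUTHORITY\\NETWORK SERVICE"}
{"Computer":"admin-ws","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe","User":"CORP\\jdoe"}
{"Computer":"wsus01","ParentImage":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c <constructed>","User":"NT AUTHORITY\\NETWORK SERVICE"}
"""

WSUS_SERVICE = "wsusservice.exe"
# Assumption for this example: the WSUS service process has no routine reason
# to spawn an interactive shell or PowerShell, so such children are worth an alert.
SUSPICIOUS_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_events(log_text):
    """Parse JSON-lines process-creation records, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one bad line must not abort the whole scan
    return events


def detect_wsus_child_processes(events):
    """Return findings where WsusService.exe is the parent of a shell/PowerShell process."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev.get("ParentImage", "")).lower()
        child = ntpath.basename(ev.get("Image", "")).lower()
        if parent == WSUS_SERVICE and child in SUSPICIOUS_CHILDREN:
            findings.append({"host": ev.get("Computer", "?"), "child": child,
                             "user": ev.get("User", ""), "command_line": ev.get("CommandLine", "")})
    return findings


def scan(log_text=SAMPLE_LOG):
    return detect_wsus_child_processes(parse_events(log_text))


if __name__ == "__main__":
    for f in scan():
        print(f"[ALERT] {f['host']}: {WSUS_SERVICE} spawned {f['child']} as {f['user']}: {f['command_line']}")
```

Benign events, such as services.exe starting WsusService.exe or an administrator opening PowerShell from Explorer, are left alone; only the two WSUS-parented shell launches are reported.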

Michael Haag from Splunk described the vulnerability as deeper than initially anticipated. He pointed out an alternate attack pathway involving the Microsoft Management Console that could lead to additional exploitation scenarios.

Conclusion

The need for robust cybersecurity practices around Microsoft Exchange and WSUS has never been more pressing. Organizations must act swiftly to implement these recommended measures to safeguard their critical systems and data against evolving cyber threats.