Cisa And Nsa Issue Urgent Guidance To Secure Wsus And Microsof...
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation.
"By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security configurations, and adopting zero trust (ZT) security model principles, organizations can significantly bolster their defenses against potential cyber attacks," CISA said.
The agencies said malicious activity aimed at Microsoft Exchange Server continues to take place, with unprotected and misconfigured instances facing the brunt of the attacks. Organizations are advised to decommission end-of-life on-premises or hybrid Exchange servers after transitioning to Microsoft 365.
Some of the best practices outlined are listed below -
"Securing Exchange servers is essential for maintaining the integrity and confidentiality of enterprise communications and functions," the agencies noted. "Continuously evaluating and hardening the cybersecurity posture of these communication servers is critical to staying ahead of evolving cyber threats and ensuring robust protection of Exchange as part of the operational core of many organizations."
The guidance comes a day after CISA updated its alert to include additional information related to CVE-2025-59287, a newly re-patched security flaw in the Windows Server Update Services (WSUS) component that could result in remote code execution.
The agency is recommending that organizations identify servers that are susceptible to exploitation, apply the out-of-band security update released by Microsoft, and investigate signs of threat activity on their networks -
The development follows a report from Sophos that threat actors are exploiting the vulnerability to harvest sensitive data from U.S. organizations spanning a range of industries, including universities, technology, manufacturing, and healthcare. The exploitation activity was first detected on October 24, 2025, a day after Microsoft issued the update.
In these attacks, the attackers have been found to leverage vulnerable Windows WSUS servers to run a Base64-encoded PowerShell commands, and exfiltrate the results to a webhook[.]site endpoint, corroborating other reports from Darktrace, Huntress, and Palo Alto Networks Unit 42.
The cybersecurity company told The Hacker News that it has ide
Source: The Hacker News
