
CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers

Medium
Exploit
Published: Fri Oct 31 2025 (10/31/2025, 08:46:00 UTC)
Source: The Hacker News

Description

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partners from Australia and Canada, have released guidance to harden on-premise Microsoft Exchange Server instances from potential exploitation. "By restricting administrative access, implementing multi-factor authentication, enforcing strict transport security

AI-Powered Analysis

Last updated: 11/01/2025, 01:11:54 UTC

Technical Analysis

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), in collaboration with Australian and Canadian partners, have released urgent guidance to protect on-premises Microsoft Exchange Server and Windows Server Update Services (WSUS) from active exploitation. A recently patched WSUS vulnerability, CVE-2025-59287, allows remote code execution on unpatched systems; attackers have used it to run Base64-encoded PowerShell commands with SYSTEM-level privileges, harvest sensitive data, and exfiltrate it to external endpoints. The observed exploitation chain involves the WSUS service (wsusservice.exe), the IIS worker process (w3wp.exe), and nested PowerShell processes. An alternate vector involves the Microsoft Management Console (mmc.exe) spawning cmd.exe, causing system instability and potential further compromise. Targeted sectors include universities, healthcare, manufacturing, and technology.

The Exchange guidance emphasizes restricting administrative access to the Exchange Admin Center and remote PowerShell, enforcing multi-factor authentication, applying strict transport security (TLS, HSTS, Extended Protection), and disabling legacy authentication protocols such as NTLM in favor of Kerberos and SMB. Organizations are advised to maintain a regular patching cadence, enable the Exchange Emergency Mitigation Service, and apply security baselines for Exchange, Windows, and mail clients. The agencies also recommend migrating end-of-life Exchange servers to Microsoft 365 to reduce exposure. Continuous monitoring for suspicious activity, especially processes spawned by the WSUS and Exchange services, is critical.

The threat is significant because Exchange and WSUS are widely deployed in enterprise environments and successful exploitation enables data exfiltration and further intrusion.

Potential Impact

European organizations operating on-premises Microsoft Exchange Server and WSUS are at considerable risk. Exploitation can lead to unauthorized remote code execution with SYSTEM-level privileges, enabling attackers to harvest sensitive data, disrupt email communications, and potentially move laterally within networks. Sectors such as healthcare, manufacturing, education, and technology, which rely heavily on Exchange for critical communications and on WSUS for patch management, may face operational disruptions and data breaches. Compromise of Exchange servers threatens the confidentiality and integrity of enterprise communications, while exploitation of WSUS undermines the patch management process itself, increasing exposure to further attacks. Given the active exploitation and the potential for attackers to use gathered data for deeper intrusions, European organizations could face significant financial, reputational, and regulatory consequences, especially under GDPR. The use of encoded PowerShell commands and nested processes also complicates incident response, making detection and mitigation more challenging.

Mitigation Recommendations

1. Immediately identify and patch all WSUS servers with the out-of-band security update addressing CVE-2025-59287.
2. Apply all relevant security updates and patches to Microsoft Exchange Servers, especially focusing on end-of-life or unsupported versions; prioritize migration to Microsoft 365 where feasible.
3. Restrict administrative access to the Exchange Admin Center and remote PowerShell interfaces, enforcing the principle of least privilege.
4. Implement multi-factor authentication (MFA) for all administrative access to Exchange and WSUS servers.
5. Harden authentication and encryption by configuring TLS, HTTP Strict Transport Security (HSTS), and Extended Protection, and by replacing NTLM with Kerberos and SMB protocols.
6. Enable and maintain the Exchange Emergency Mitigation Service and apply Exchange, Windows, and mail client security baselines.
7. Deploy and configure advanced endpoint protection tools such as antivirus, Windows Antimalware Scan Interface (AMSI), Attack Surface Reduction (ASR), AppLocker, Endpoint Detection and Response (EDR), and Exchange anti-spam/anti-malware features.
8. Disable remote PowerShell access for non-administrative users and monitor for suspicious PowerShell activity, especially Base64-encoded commands and nested processes.
9. Continuously monitor logs for anomalous events, including SYSTEM-level child processes spawned by wsusservice.exe and w3wp.exe, and investigate any signs of data exfiltration.
10. Adopt zero trust security principles, including network segmentation and continuous verification of device and user trustworthiness.
11. Conduct regular security audits and penetration testing focused on Exchange and WSUS configurations to identify and remediate weaknesses proactively.
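The monitoring called for in recommendations 8 and 9 can be expressed as a small triage rule over process-creation telemetry. The following is an added example, not code from the agencies' guidance or the article: it models the fields of a Sysmon Event ID 1 / Windows 4688 record (parent image, image, command line, user), flags wsusservice.exe or w3wp.exe spawning a shell as SYSTEM, nested PowerShell, and `-EncodedCommand` use, and decodes the Base64 payload for an analyst. The sample events and payload are constructed.

```python
import base64
import re
from dataclasses import dataclass

# Process chain named in the guidance: WSUS service / IIS worker spawning shells.
SUSPICIOUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd.exe"}
SYSTEM_ACCOUNTS = {"nt authority\\system", "system"}
# -EncodedCommand (and the prefixes PowerShell accepts) followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

@dataclass
class ProcEvent:
    """Subset of a Sysmon Event ID 1 / Windows 4688 process-creation record."""
    parent_image: str
    image: str
    command_line: str
    user: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def decode_encoded_command(command_line: str):
    """Return the decoded -EncodedCommand payload (PowerShell uses UTF-16LE), or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # malformed blob: the flag itself is still a detection hit

def score_event(ev: ProcEvent) -> list[str]:
    """List the reasons an event is suspicious; an empty list means no hit."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    reasons = []
    if parent in SUSPICIOUS_PARENTS and child in SHELLS:
        reasons.append(f"{parent} spawned {child}")
        if ev.user.lower() in SYSTEM_ACCOUNTS:
            reasons.append("child runs as SYSTEM")
    if parent in POWERSHELL and child in POWERSHELL:
        reasons.append("nested PowerShell")
    if child in POWERSHELL and ENCODED_FLAG.search(ev.command_line):
        reasons.append("encoded PowerShell command")
    return reasons

def triage(events):
    """Return (event, reasons) pairs for every event that produced at least one hit."""
    return [(ev, r) for ev in events if (r := score_event(ev))]

# Constructed sample events (not real telemetry); the encoded payload is a harmless Write-Output.
SAMPLE_B64 = base64.b64encode("Write-Output 'constructed sample'".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Program Files\Update Services\Service\WsusService.exe", "WsusService.exe", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell.exe -nop -w hidden -EncodedCommand {SAMPLE_B64}", "NT AUTHORITY\\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", f"powershell -enc {SAMPLE_B64}", "NT AUTHORITY\\SYSTEM"),
]
```

The first sample (services.exe starting the WSUS service) is the normal baseline and produces no hit; the other two reproduce the w3wp.exe-to-PowerShell and nested-PowerShell patterns the analysis describes.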


Technical Details

Article Source: https://thehackernews.com/2025/10/cisa-and-nsa-issue-urgent-guidance-to.html (fetched 2025-11-01T01:10:55Z, 1310 words)

Threat ID: 69055e2471a6fc4aff34f13e

Added to database: 11/1/2025, 1:11:00 AM

Last enriched: 11/1/2025, 1:11:54 AM

Last updated: 12/14/2025, 5:01:05 AM

Views: 131
