CISA & NSA Urgent Guidance to Secure WSUS and Microsoft Exchange

CISA and NSA, with partners, issued hardening guidance for on-prem Exchange: restrict admin access, enforce MFA, apply baselines, enable security features (AMSI/ASR/EDR), harden TLS/HSTS and Extended Protection for Authentication (EPA), and prefer Kerberos and SMB hardening over NTLM. They also updated an alert for CVE-2025-59287 (WSUS), exploited within days of Microsoft’s patch: threat actors used vulnerable WSUS servers to run Base64-encoded PowerShell and exfiltrate data. Agencies urge identifying affected servers, applying the out-of-band fix, and monitoring for suspicious WSUS child processes and nested PowerShell.

CISA and the NSA (with Australia and Canada) have dropped a very direct message: tighten your on-prem Exchange and fix WSUS now. Why? Because misconfigured servers keep getting hammered, and a newly re-patched WSUS flaw—CVE-2025-59287—is already seeing real-world exploitation.

Exchange hardening, the short list:
• Limit who can reach the Exchange Admin Center (EAC) and remote PowerShell; least privilege everywhere.
• Keep patches flowing and adopt the Exchange/Windows security baselines.
• Turn on AMSI, ASR, EDR, AppLocker/App Control, and the built-in anti-spam/anti-malware features.
• Strengthen auth and crypto: TLS + HSTS, Extended Protection, and Kerberos/SMB hardening over NTLM; MFA across the board.
• Migrate end-of-life servers to Microsoft 365 and decommission them promptly.

WSUS: why the fuss?
Attackers quickly abused CVE-2025-59287 to run SYSTEM-level PowerShell on vulnerable hosts and siphon results to webhooks—activity seen by multiple security vendors. The advice: apply Microsoft’s out-of-band fix, inventory exposed WSUS instances, and watch like a hawk for wsusservice.exe / w3wp.exe spawning suspicious, Base64-laden PowerShell.
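A minimal triage of process-creation telemetry for the chains named above (wsusservice.exe / w3wp.exe spawning PowerShell, nested PowerShell, Base64-encoded commands), as an added example that is not part of the advisory or the original post; the event records, field names and encoded payload are constructed assumptions, not real telemetry.

```python
import base64
import re

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}   # WSUS service and IIS worker (per the advisory)
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -enc), then a Base64 token.
ENCODED_FLAG = re.compile(r"-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/]{16,}={0,2})", re.IGNORECASE)

def base_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline: str):
    # PowerShell's -EncodedCommand is Base64 over UTF-16LE; return the script text or None.
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event: dict):
    # Flag WSUS/IIS -> PowerShell and PowerShell -> PowerShell chains, decoding any payload.
    parent, child = base_name(event["parent"]), base_name(event["image"])
    if child not in POWERSHELL:
        return None
    reasons = []
    if parent in WSUS_PARENTS:
        reasons.append(f"{parent} spawned {child}")
    if parent in POWERSHELL:
        reasons.append("nested PowerShell")
    if not reasons:
        return None
    return {"reasons": reasons, "decoded": decode_encoded_command(event["cmdline"])}

def triage(events):
    return [(i, f) for i, ev in enumerate(events) if (f := triage_event(ev)) is not None]

# Constructed records shaped like 4688 / Sysmon Event 1 fields; not real telemetry.
_ENC = base64.b64encode("Write-Output 'constructed sample payload'".encode("utf-16le")).decode()
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Update Services\Service\WsusService.exe", "image": PS,
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {_ENC}"},
    {"parent": PS, "image": PS, "cmdline": "powershell.exe -nop -w hidden -c Get-Process"},
    {"parent": r"C:\Windows\explorer.exe", "image": PS, "cmdline": "powershell.exe"},
]
if __name__ == "__main__":
    for idx, finding in triage(SAMPLE_EVENTS):
        print(idx, finding)
```

The decoded payload is returned alongside the reason so an analyst can read what the encoded command actually does before escalating.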

Bottom line: Exchange and WSUS are core plumbing—treat them like crown jewels. Patch, harden, monitor, and if you’ve still got hybrid or on-prem stragglers, put them on a fast-track remediation plan.