
Urgent Security Alert: CISA and NSA Issue Critical Guidance for WSUS and Microsoft Exchange Servers

Updated: 6 hours ago

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), in collaboration with international partners, have released urgent guidance to bolster the security of on-premises Microsoft Exchange Server instances and Windows Server Update Services (WSUS). This advisory addresses ongoing exploitation of vulnerabilities, particularly in unprotected and misconfigured systems, urging organizations to implement robust security measures immediately.


Key Takeaways

  • Agencies issue joint guidance for securing Microsoft Exchange and WSUS.

  • Exploitation of WSUS vulnerability CVE-2025-59287 is actively occurring.

  • Organizations urged to patch, restrict access, and adopt Zero Trust principles.

  • Migration of end-of-life Exchange servers to Microsoft 365 is recommended.

Securing Microsoft Exchange Servers

CISA and NSA are emphasizing the critical need to harden on-premises Microsoft Exchange Server instances against potential exploitation. Malicious actors continue to target these systems, with unprotected and misconfigured servers being the primary victims. The agencies recommend a multi-faceted approach to significantly enhance defenses.

Key recommendations include:

  • Restricting administrative access to the Exchange Admin Center (EAC) and implementing multi-factor authentication.

  • Migrating end-of-life or hybrid Exchange servers to Microsoft 365.

  • Ensuring the Exchange Emergency Mitigation Service remains enabled.

  • Maintaining regular security updates and patching cadence for Exchange Server, Windows, and mail clients.

  • Enabling comprehensive endpoint protection solutions like antivirus, AMSI, ASR, AppLocker, and Endpoint Detection and Response.

  • Hardening authentication and encryption by configuring TLS, HSTS, Extended Protection, Kerberos, and disabling NTLM.

  • Disabling remote PowerShell access for users in the Exchange Management Shell (EMS).

Organizations are advised that securing these servers is paramount for maintaining the integrity and confidentiality of enterprise communications.

Addressing WSUS Vulnerability CVE-2025-59287

In a related alert, CISA updated its guidance concerning CVE-2025-59287, a security flaw in Windows Server Update Services (WSUS) that allows for remote code execution. Threat actors have been actively exploiting this vulnerability since October 24, 2025, shortly after Microsoft released an out-of-band security update.

Organizations are strongly advised to:

  • Identify susceptible servers and apply the necessary security update.

  • Monitor for suspicious activity, particularly child processes spawned with SYSTEM-level permissions from wsusservice.exe or w3wp.exe.

  • Vet nested PowerShell processes, especially those launched with base64-encoded commands (-EncodedCommand).

Reports indicate that attackers are leveraging vulnerable WSUS servers to execute malicious PowerShell commands and exfiltrate sensitive data. The vulnerability's impact is considered significant, with threat actors moving quickly to exploit it for data harvesting. Further analysis suggests potential for deeper exploitation pathways, including the use of the Microsoft Management Console.
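The two monitoring recommendations above can be turned into a simple triage rule over process-creation telemetry. The following is an added example, not code from the advisory or from BetterWorld Technology; it runs over constructed Sysmon/4688-style events (the event field names and the sample events are assumptions) and decodes any PowerShell -EncodedCommand payload so an analyst can see what was run.

```python
import base64
import re

# Parent processes named in the advisory: the WSUS service and the IIS worker process.
SUSPECT_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable>"


def triage(events):
    """Flag events matching the advisory's two indicators; each event is a dict with
    'parent', 'image', 'user' and 'cmdline' (field names are an assumption)."""
    findings = []
    for ev in events:
        parent, image = basename(ev["parent"]), basename(ev["image"])
        as_system = ev["user"].upper().endswith("\\SYSTEM")
        decoded = decode_encoded_command(ev["cmdline"])
        reasons = []
        if parent in SUSPECT_PARENTS and image in SHELLS and as_system:
            reasons.append("shell spawned as SYSTEM by WSUS/IIS worker")
        if parent in SHELLS and image in POWERSHELL and decoded is not None:
            reasons.append("nested PowerShell with encoded command")
        if reasons:
            findings.append({"parent": parent, "image": image, "reasons": reasons, "decoded": decoded})
    return findings


# Constructed sample events for demonstration; not real telemetry.
ENC_WHOAMI = base64.b64encode("whoami".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": "cmd.exe /c whoami"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "user": r"NT AUTHORITY\SYSTEM", "cmdline": "powershell.exe -nop -w hidden -enc " + ENC_WHOAMI},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "user": r"CORP\alice", "cmdline": "cmd.exe"},  # benign interactive shell, should not match
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f)
```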

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers, The Hacker News.

  • CISA, NSA unveil best-practices guide to address ongoing Exchange Server risks, Cybersecurity Dive.

  • CISA, NSA Urge Immediate Security Measures for WSUS and Exchange Servers, El-Balad.com.

