Overview
- CISA added the bug to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by November 14 under BOD 22-01, with Microsoft advising a server reboot after installing the update.
- Threat activity was confirmed by multiple firms, with Huntress, Eye Security and others observing exploitation of WSUS instances on default ports 8530/8531 and Google’s threat team tracking UNC6512 across multiple victims with observed data exfiltration.
- Microsoft re-released an emergency update after determining the initial Patch Tuesday fix was incomplete, stating customers who installed the latest updates are protected.
- Researchers report significant exposure, including Shadowserver tracking about 2,800 internet-facing WSUS servers on default ports and watchTowr citing more than 8,000 exposed instances.
- Short-term mitigations include disabling the WSUS Server role or blocking inbound traffic to TCP 8530 and 8531, with vendors warning that a compromised WSUS could be abused to distribute malicious updates downstream.
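To turn the short-term mitigations above into something an administrator can check on each server, here is an added PowerShell script (not code from the article or from any vendor named in it). It reports whether the WSUS role is installed, whether anything is listening on the default ports, whether an inbound block rule already exists, and whether the reboot Microsoft asked for is still pending; with `-ApplyBlock` it creates the block rule. Function and rule names are this example's own choices, and `Get-WindowsFeature` assumes a Windows Server host.

```powershell
# Added example: audit a Windows Server for WSUS exposure and optionally apply
# the interim mitigation (block inbound TCP 8530/8531). Run elevated.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$ApplyBlock,                 # create the inbound block rule
    [int[]]$WsusPorts = @(8530, 8531)    # default WSUS ports named in the advisory
)

function Get-WsusExposure {
    param([int[]]$Ports)
    # Is the WSUS role ("UpdateServices") installed? (ServerManager module, Windows Server only)
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($role -and $role.Installed)

    # Which of the WSUS ports currently have a live listener?
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort }

    # Is an enabled inbound TCP block rule covering any of these ports already present?
    $blocked = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $pf = $_ | Get-NetFirewallPortFilter
            $pf.Protocol -eq 'TCP' -and (@($Ports | Where-Object { $pf.LocalPort -contains "$_" }).Count -gt 0)
        }

    # Windows sets this key while an installed update still needs a reboot.
    $rebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'

    [pscustomobject]@{
        WsusRoleInstalled = $roleInstalled
        ListeningPorts    = @($listeners | Select-Object -ExpandProperty LocalPort -Unique)
        BlockRulePresent  = [bool]$blocked
        RebootPending     = $rebootPending
    }
}

function Set-WsusPortBlock {
    [CmdletBinding(SupportsShouldProcess)]
    param([int[]]$Ports)
    $name = 'Block inbound WSUS 8530-8531 (interim mitigation)'   # example rule name
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess('Windows Firewall', "create rule '$name'")) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Ports -Action Block -Profile Any | Out-Null
    }
}

$state = Get-WsusExposure -Ports $WsusPorts
$state | Format-List
if ($ApplyBlock -and $state.WsusRoleInstalled) { Set-WsusPortBlock -Ports $WsusPorts }
```

Blocking the ports stops inbound client and peer traffic to the server, so downstream WSUS replicas and clients will not receive updates until the rule is removed after patching and rebooting.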