A critical WSUS remote code execution bug is being exploited in the wild, putting the very systems that patch Windows fleets at risk. At the same time, new enterprise and OT advisories show attackers targeting the management plane—from update servers to HMIs—where one foothold can cascade across environments.
🚨 Top Stories
1. Microsoft rushes out an out-of-band fix for critical WSUS RCE under active exploitation (CVE-2025-59287)
Microsoft shipped an emergency, out-of-band security update on October 24 for a critical Windows Server Update Services (WSUS) flaw now tracked as CVE-2025-59287. The bug is an unsafe deserialization issue in WSUS’s reporting web services that lets an unauthenticated remote attacker send crafted requests and execute arbitrary code as SYSTEM on vulnerable WSUS servers. A proof-of-concept exploit is public, and national CERTs (including the Dutch NCSC) reported in-the-wild abuse as of October 24. Affected systems include Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 if the WSUS role is enabled. Microsoft says orgs that cannot immediately apply the patch can temporarily disable WSUS or block inbound traffic to WSUS ports, but doing so pauses normal patch distribution to endpoints. The Hacker News
💡 Key Takeaway: WSUS is often treated as “internal plumbing,” not Tier 0. Treat it like domain admin. Patch immediately, hunt for suspicious child processes spawned by WSUS/IIS, and assume full AD compromise is on the table if WSUS is owned.
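To make the “hunt for suspicious child processes” advice concrete, here is an added example (not code from the newsletter, Microsoft or Huntress) that walks process-creation telemetry shaped like Sysmon Event ID 1 and flags children that WsusService.exe or the IIS worker w3wp.exe should never spawn on a WSUS box. The deny list, the severity scheme and the sample events are this example’s own assumptions and constructions; the base64 blob is a placeholder, not a real payload.

```python
"""Hunt for suspicious child processes of WSUS/IIS on a WSUS server.

Added example. Works over process-creation records with Sysmon-style fields
(ParentImage, Image, CommandLine, User). Lists and severities are assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# WsusService.exe is the WSUS Windows service; w3wp.exe is the IIS worker
# that hosts the WSUS web services (including the reporting endpoints).
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}

# Interactive shells and commonly abused signed binaries; a WSUS host has no
# business spawning these from its service or worker process.
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "wscript.exe", "cscript.exe",
    "net.exe", "net1.exe", "whoami.exe", "nltest.exe", "curl.exe",
}

# Crash reporter: usually noise, but w3wp.exe crashing around odd inbound
# requests can be a failed exploitation attempt worth correlating.
LOW_SIGNAL_CHILDREN = {"werfault.exe"}

# PowerShell -e / -enc / -EncodedCommand followed by a long base64 blob.
ENCODED_RE = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{40,}")


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str
    user: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) for events parented by WSUS/IIS, else None."""
    if basename(ev.parent_image) not in WSUS_PARENTS:
        return None
    child = basename(ev.image)
    if ENCODED_RE.search(ev.command_line):
        return ("high", "encoded PowerShell command line")
    if child in SUSPICIOUS_CHILDREN:
        return ("high", f"shell or LOLBin child {child}")
    if child in LOW_SIGNAL_CHILDREN:
        return ("low", "crash reporter spawned; correlate with IIS request logs")
    return ("medium", f"unexpected child {child} of a WSUS process")


def hunt(events: List[ProcEvent]) -> List[Dict[str, str]]:
    """Run classify() over telemetry and return one finding per hit."""
    findings = []
    for ev in events:
        verdict = classify(ev)
        if verdict is None:
            continue
        severity, reason = verdict
        findings.append({
            "severity": severity,
            "parent": basename(ev.parent_image),
            "child": basename(ev.image),
            "user": ev.user,
            "reason": reason,
        })
    return findings


# Constructed sample telemetry; the 48-character blob is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe /detectnow",
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -enc " + "A" * 48,
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Program Files\Update Services\Service\WsusService.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil.exe -decode stage.b64 stage.bin",
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WerFault.exe", "WerFault.exe -u -p 4120",
              r"NT AUTHORITY\SYSTEM"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\conhost.exe", "conhost.exe 0xffffffff",
              r"NT AUTHORITY\SYSTEM"),
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['parent']} -> {f['child']}: {f['reason']}")
```

The “medium” bucket is deliberately noisy: on a dedicated WSUS server any child of w3wp.exe or WsusService.exe is unusual enough to look at, and tuning it down is easier than discovering later that a shell was filtered out.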
2. Cyberattack pushes two Massachusetts hospitals into ‘Code Black,’ diverts ambulances
Heywood Hospital (134 beds, Gardner, MA) and Athol Hospital (25 beds, Athol, MA) lost networked clinical systems starting October 13. By October 15, the regional EMS agency declared a “Code Black,” meaning emergency patients had to be diverted to other facilities because the hospitals could not safely accept new ambulance arrivals. CT scanning, radiology, lab, email, phone, and other systems were disrupted. On October 16, Heywood Healthcare confirmed it was a “cybersecurity incident,” took affected systems offline, and brought in third-party IR. By October 17, Code Black was lifted, but the hospitals were still operating with “limited capabilities.” The organization has not yet said whether patient data was exposed. The HIPAA Journal
💡 Key Takeaway: Ransomware-style outages are directly impacting patient routing and diagnostic imaging in under 48 hours. This is no longer “data theft only” for healthcare — it’s care delivery disruption with real clinical risk.
3. Pwn2Own Ireland 2025: 34 zero-days popped in printers, NAS, smart home gear, and even speakers
Researchers at Trend Micro’s Zero Day Initiative Pwn2Own event in Cork earned roughly $522,500 in a single day by demonstrating working exploits against 34 previously unknown vulnerabilities across consumer IoT and office gear — printers, NAS devices, smart lighting bridges, smart speakers, even Home Assistant appliances. Teams repeatedly achieved code execution and, in at least one case, full root on a Sonos smart speaker. Meanwhile, a hyped $1M “zero-click WhatsApp exploit” bid fizzled; Meta ultimately received only low-risk bugs after the contestant withdrew. SecurityWeek
💡 Key Takeaway: The stuff sitting on office Wi‑Fi and in conference rooms is getting owned reliably, at scale, and for cash. Assume printers, smart displays, and “shadow IoT” are viable footholds — segment them or they will become an internal pivot point.
🛠️ Vulnerability Spotlight
• Chrome / Firefox zero-days tied to commercial spyware tooling (CVE-2025-2783 & CVE-2025-2857)
Kaspersky-linked reporting says a Chrome sandbox escape (CVE-2025-2783) was exploited in a live cyberespionage campaign (“Operation ForumTroll”) delivering a loader that ultimately installs LeetAgent spyware. The attackers used highly targeted phishing emails with short-lived, victim-specific links, then persisted via Windows registry hijacks and COM search-order abuse. Researchers connect the toolset to “Dante,” surveillance malware attributed to Memento Labs (the successor to Hacking Team). Mozilla addressed a related Firefox issue (CVE-2025-2857). SecurityWeek
💡 Key Takeaway: Patch Chrome/Chromium- and Firefox-based browsers now and monitor endpoints for unusual COM hijacks or new persistence keys — these are not theoretical bugs, they’re already part of state-linked tradecraft.
• Novakon HMI devices: multiple critical flaws, no vendor fix
Industrial HMI panels from Taiwan-based Novakon contain multiple severe, unauthenticated flaws — including buffer overflows, directory traversal, weak/absent auth, and over‑privileged processes — that can let a remote attacker gain root, run arbitrary code, and potentially manipulate plant-floor control logic. Public reporting as of October 23 says Novakon has not issued patches or even acknowledged the findings. These HMIs are deployed globally in data centers and industrial/OT environments. SecurityWeek
💡 Key Takeaway: Treat unpatched HMIs like exposed PLCs: isolate them from corporate/Internet-facing networks, enforce strict ACLs, and watch for unexpected commands to controllers. You cannot assume the vendor will bail you out quickly.
• Cognex industrial cameras: credential replay & takeover weaknesses with “no patch” guidance
Legacy Cognex In-Sight industrial vision systems — widely used to guide robots, inspect quality, and track items on production lines — suffer multiple high-severity flaws. Researchers showed an adjacent attacker can intercept and reuse “encrypted” credentials because the same key material is reused, and can potentially hijack camera control. CISA warned critical infrastructure operators in September, and updates on October 26 note that for some camera models, there is still no vendor patch. SecurityWeek
💡 Key Takeaway: Vision systems and smart sensors are OT assets. Put them on protected VLANs, rotate any shared creds, and log access just like you would for PLCs or safety controllers.
📈 Trend to Watch
Attackers are going after “the admins of the admins” — update servers, endpoint managers, firewalls, and hospital infrastructure
In the past week, we saw:
A remote unauthenticated RCE in WSUS that gives SYSTEM on the very service you use to patch Windows fleets, and it’s already being exploited. The Hacker News
CISA forcing agencies to urgently patch or rip out vulnerable endpoint management and edge gear (Cisco ASA/Firepower last month under Emergency Directive 25-03, and LANSCOPE Endpoint Manager last week via KEV with a hard deadline). NISTify
A hospital network outage that immediately impacted CT scans, radiology, and ambulance routing. Boston.com
💡 Key Takeaway: Adversaries increasingly skip “workstation phish → EDR alert.” They’re jumping straight to the systems that manage everything (WSUS, endpoint managers, perimeter firewalls, OT HMIs). Those assets need Tier 0 treatment: dedicated network segments, MFA/just-in-time admin, continuous logging, and accelerated patch SLAs.
🏛️ Policy & Regulation Watch
CISA adds LANSCOPE Endpoint Manager zero-day (CVE-2025-61932) to KEV and sets a Nov 12 deadline
CISA added CVE-2025-61932 — a critical remote code execution flaw in Motex/Kyocera’s LANSCOPE Endpoint Manager (on-prem) — to the Known Exploited Vulnerabilities (KEV) catalog on October 22 after confirming active exploitation. The bug (CVSS ~9.3/9.8) stems from improper verification of request origin, allowing arbitrary code execution over the network against vulnerable versions (9.4.7.2 and earlier). Federal Civilian Executive Branch agencies must either patch or remove affected instances by November 12, or stop using the product entirely. Private-sector orgs are strongly urged to do the same, especially given indications that ransomware crews (including Qilin) have probed Japanese/Asian enterprises using this tooling. [CISA KEV: cisa.gov/known-exploited-vulnerabilities-catalog] TechRadar
💡 Key Takeaway: Endpoint management consoles are now regulated like perimeter devices. If your endpoint/asset inventory platform is internet-reachable, assume it’s already being sprayed and bring it behind a firewall immediately.
🧰 Tool / Resource of the Week
Huntress deep dive: detecting exploitation of WSUS RCE (CVE-2025-59287)
Huntress published hands-on guidance and telemetry for spotting active abuse of CVE-2025-59287 in WSUS: what the malicious requests look like, where to look for rogue .NET payloads, and which spawned processes are red flags. The post also summarizes Microsoft’s out-of-band fixes and offers short-term containment steps if you cannot patch instantly.
Resource: https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
💡 Key Takeaway: Use this to build targeted detections around WSUS-hosted IIS sites and to validate (not assume) that your WSUS servers are clean after patching.
⚡ Quick Hits
Oracle ships its October 2025 Critical Patch Update (CPU): 374 patches, 170 CVEs, 40 critical. Oracle’s latest quarterly CPU (released October 21–22) spans core enterprise apps (including Oracle E-Business Suite) and cloud services. Oracle is blunt: apply immediately. [Oracle CPU: oracle.com/security-alerts/cpuoct2025.html] Tenable
💡 Key Takeaway: This is a massive blast-radius reducer — schedule fast-track maintenance windows, not “next quarter.”
CISA’s Emergency Directive on Cisco ASA/Firepower zero-days demands inventory, forensics, and in some cases device removal. An October 25 summary of Emergency Directive 25-03 reiterates that agencies must locate every Cisco ASA/FTD appliance, collect core dumps for signs of compromise, disconnect unsupported gear, and apply fixes for critical RCE and privilege escalation flaws (CVE-2025-20333, CVE-2025-20362). The campaign allegedly uses techniques that persist even across reboots and upgrades. NISTify
💡 Key Takeaway: Treat legacy firewall/VPN boxes as suspect until proven clean — persistence survives reboots.
Toys “R” Us Canada customer data leaked online. SecurityWeek reports that attackers leaked customer information tied to Toys “R” Us Canada; the company hasn’t yet said how many people are affected or how the breach occurred. An investigation is ongoing. SecurityWeek
💡 Key Takeaway: Retail PII continues to surface on leak sites with few public details. If you’re in retail, assume disclosure pressure even before forensics is complete.
Volkswagen confirms a “cybersecurity incident” after 8Base ransomware claims it stole internal documents. VW says core IT systems weren’t impacted and hinted the breach may involve a supplier or subsidiary. 8Base — a double-extortion group with ties to the Phobos ransomware ecosystem — claims to hold contracts, HR data, and financial docs. IT Pro
💡 Key Takeaway: High-end manufacturing/supply chain IP is firmly in scope for big-game ransomware crews.
U.S. local governments keep getting knocked offline. Kaufman County, TX and La Vergne, TN both disclosed disruptive cyber incidents in the past few days, forcing office closures and manual workarounds while the FBI and state agencies assist. The Record from Recorded Future
💡 Key Takeaway: City and county networks are still soft targets, and outages now routinely pause core municipal services.
🛡️ Actionable Defense Move of the Week
Lock down your patch/orchestration infrastructure
Do a focused 48-hour review of every system that deploys updates, manages endpoints, or sits at the edge — WSUS servers, endpoint management consoles, firewalls/VPN gateways, OT HMIs, and similar “single pane of glass” tools.
Patch or pull offline: Apply the latest vendor fixes for any Internet- or partner-exposed management service. If you cannot patch immediately, take it out of public reach, block inbound access, or disable the role until you can. The Hacker News
Segment and monitor: Move these systems into a Tier 0 / admin-only VLAN or jump host model, require MFA, and enable full command/process logging.
Threat hunt now, not later: Look for new or unexpected web shells, unsigned binaries, persistence keys, or config changes on these management boxes — assume compromise, don’t wait for alerts.
💡 Key Takeaway: If an attacker owns your update server or OT HMI, they own everything downstream. Treat these boxes like crown jewels, not IT utilities.
🏁 Final Word
Attackers are skipping the front door and heading straight for the control room: WSUS, endpoint managers, hospital networks, smart cameras, even smart speakers. The fastest risk reduction you can deliver this week is brutally simple — patch the management plane, isolate it, and prove it’s clean.
Stay vigilant.