Azure Outage Post Incident Review; WSUS Vulnerability Exploitation Observed; Exchange Server on-Premises Guidance from CISA & NSA

On Wednesday, October 29, 2025, "customers and Microsoft services leveraging Azure Front Door (AFD) may have experienced latencies, timeouts, and errors." According to the company's Preliminary Post Incident Review, "an inadvertent tenant configuration change within Azure Front Door (AFD) triggered a widespread service disruption affecting both Microsoft services and customer applications dependent on AFD for global content delivery. The change introduced an invalid or inconsistent configuration state that caused a significant number of AFD nodes to fail to load properly, leading to increased latencies, timeouts, and connection errors for downstream services." The troubles began around 15:45 UTC. Status updates indicated that Microsoft rolled back versions of its environment to find the "last known good" configuration, which was pushed out starting at 17:40 UTC that same day. Azure customers were prevented from changing the configuration of their instances while Microsoft was working on the problem. The incident was declared mitigated at 00:05 UTC on October 30, 2025.

There are reports of the WSUS flaw Microsoft patched late last week being actively exploited. Microsoft released an unscheduled update for the critical (CVSS 9.8) deserialization of untrusted data vulnerability (CVE-2025-59287) after an earlier update was found to have been an incomplete mitigation. The US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to the Known Exploited Vulnerabilities (KEV) catalog on Friday, October 24. In an email, Google Threat Intelligence Group (GTIG) told The Register, "We are actively investigating the exploitation of CVE-2025-59287 by a newly identified threat actor we are tracking as UNC6512, across multiple victim organizations. Following initial access, the actor has been observed executing a series of commands to conduct reconnaissance on the compromised host and the associated environment. We have also observed exfiltration from impacted hosts." Trend Micro reported they "are seeing about 100,000 hits for exploitation of this bug within the last seven days based on our telemetry … [and their] scans show that there are just under 500,000 internet facing servers with the WSUS service enabled." Palo Alto Networks' Unit 42 team said they "observed limited impacted customers. While WSUS by default shouldn't be accessible via the internet, in cases where it is exposed, the potential is catastrophic for downstream entities."

The US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) have jointly published best practices guidance for Microsoft Exchange Server security. In August 2025, CISA issued an Emergency Directive requiring Federal agencies to mitigate a known Microsoft Exchange vulnerability, including guidance focused on protecting Hybrid Exchange Deployments; the new guidance is aimed at helping organizations protect on-premises Microsoft Exchange Servers. As CyberScoop notes, "the recommendations aren’t particularly new and should come as no surprise to security and IT professionals. The guide synthesizes security advice shared by Microsoft, security experts and the industry at large. The majority of works cited in the guide, more than 60, link back to blogs and advice scattered around Microsoft sites." In a related story, Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI), the country's Federal Office for Information Security, says that 92 percent of Exchange Servers era in Germany are running software that is no longer supported.

Developers at Progress Software have disclosed a high-severity (CVSS 8.2) uncontrolled resource consumption vulnerability in Progress MOVEit Transfer (AS2 module). The vulnerability, CVE-2025-10932, affects all versions of MOVEit Transfer. Users are urged to update to one of the fixed versions: MOVEit Transfer 2023.1.16 (15.1.16); MOVEit Transfer 2024.1.7 (16.1.7); or MOVEit Transfer 2025.0.3 (17.0.3). The update entails extra steps once installed. As Heise explains, "Since the patch restricts access via a list of allowed IP addresses, administrators must manually enter the respective addresses in the settings (Settings->Security Policies->Remote Access->Default Rules)." The Progress Software vulnerability article notes that "Progress MOVEit Cloud has already been upgraded to the patched version."

A vulnerability in Chromium's Blink rendering engine could be exploited to cause denial-of-service conditions, crashing the browser and potentially freezing the host system. The Chrome browser has a 70 percent market share. The flaw, which is as yet unpatched, affects Chromium versions 143.0.7483.0 and later. Jose Pino, the researcher who detected the vulnerability, notified the Chromium team of the issue in late August 2025. In research published on GitHub, Pino says "the attack vector originates from the complete absence of rate limiting on document[.]title API updates. "This allows injecting millions of DOM mutations per second, and during this injection attempt, it saturates the main thread, disrupting the event loop and causing the interface to collapse."

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four CVEs to the Known Exploited Vulnerabilities (KEV) catalog. A pair of vulnerabilities in DELMIA Apriso could be chained to attain "full application compromise," according to researchers at ProjectDiscovery. CVE-2025-6204 is a high-severity (CVSS 8.0) code injection vulnerability that could lead to arbitrary code execution; CVE-2025-6205 is a critical (CVSS 9.1) missing authorization vulnerability that could allow attackers to gain privileged access. Both flaws affect DELMIA Apriso from Release 2020 through Release 2025. Dassault Systèmes addressed both issues in August 2025. CVE-2025-24893 is a critical (CVSS 9.8) evaluation injection vulnerability in XWiki Platform that could lead to arbitrary remote code execution. The vulnerability was initially disclosed in February 2025 and was added to CISA’s KEV on October 30, 2025, based on evidence of active exploitation. CVE-2025-41244 is a high-severity (CVSS 7.8) privilege defined with unsafe actions vulnerability in Broadcom VMware Aria Operations and VMware Tools. The DELMIA Apriso vulnerabilities must be mitigated by November 18, 2025; the other two vulnerabilities must be mitigated by November 20, 2025.

According to an alert from the Canadian Centre for Cyber Security, cyber threat actors have been targeting Internet-accessible industrial control systems. In one instance, cyber intruders manipulated water pressure values at a water utility, "resulting in degraded service for [the facility's] community." In a second instance, intruders triggered false alarms at a gas and oil company. In a third instance, intruders altered temperature and humidity levels at a grain drying silo on a farm. The Canadian Centre for Cyber Security and the Royal Canadian Mounted Police are investigating the incidents. The alert notes that "unclear division of roles and responsibilities often creates gaps leaving critical systems unprotected," and recommends that "provincial and territorial governments ... coordinate with municipalities and organizations within their jurisdictions to ensure all services are properly inventoried, documented, and protected. This is especially true for sectors where regulatory oversight does not cover cyber security, such as Water, Food, or Manufacturing. Municipalities and organizations should work closely with their service providers to ensure that managed services are implemented securely, maintained throughout their lifecycle and based on clearly defined requirements."

Texas-based Ribbon Communications has disclosed that it discovered a breach of its IT network about two months ago. In a Form 10-Q filing with the US Securities and Exchange Commission (SEC), Ribbon writes, "in early September 2025, the Company became aware that unauthorized persons, reportedly associated with a nation-state actor, had gained access to the Company’s IT network ... [and] the Company has preliminarily determined that initial access by the threat actor may have occurred as early as December 2024, with final determinations dependent on completion of the ongoing investigation." Ribbon Communications provides communications network backbone services to major organizations, including Verizon, CenturyLink, and the US Defense Department. Ribbon adds that while they "are not aware of evidence indicating that the threat actor accessed or exfiltrated any material information[,] several customer files saved outside of the main network on two laptops do appear to have been accessed by the threat actor and those customers have been notified."

Conduent Business Solutions has begun notifying affected individuals that their personal data were compromised in a breach that spanned several months, from October 21, 2024, through January 13, 2025. The business process outsourcing company "provides third-party printing/mailroom services, document processing services, payment integrity services, and other back-office support services." The attackers exfiltrated data belonging to more than 10 million individuals; the compromised information includes names, addresses, birth dates, Social Security numbers, and health insurance and medical data.