WSUS Vulnerability, WordPress Exploits & GlassWorm Worm – 10/24/2025

October 23, 2025
Today’s top threat is a critical Windows Server (WSUS) vulnerability now under active exploitation, prompting an emergency out-of-band patch from Microsoft and a CISA alert. Security teams are also contending with mass attacks on outdated WordPress plugins and a novel self-spreading worm targeting VS Code extensions. This summary covers the essential details you need to secure your systems against these immediate threats.

Top 5 Critical Security Alerts

  • Critical WSUS flaw in Windows Server now exploited in attacks: A critical remote code execution vulnerability in Windows Server Update Services (WSUS) is now under active exploitation in the wild, with a proof-of-concept exploit publicly available.
  • Microsoft Releases Out-of-Band Security Update to Mitigate Windows Server Update Service Vulnerability, CVE-2025-59287: Microsoft and CISA are urging organizations to immediately apply an emergency out-of-band patch for the actively exploited WSUS vulnerability (CVE-2025-59287) to prevent remote code execution.
  • CISA Adds Two Known Exploited Vulnerabilities to Catalog — CISA has added the critical Microsoft WSUS flaw (CVE-2025-59287) and an Adobe Commerce vulnerability (CVE-2025-54236) to its Known Exploited Vulnerabilities (KEV) catalog, requiring immediate federal agency action.
  • Hackers launch mass attacks exploiting outdated WordPress plugins — A widespread campaign is actively targeting WordPress websites by exploiting old, critical remote code execution vulnerabilities in the GutenKit and Hunk Companion plugins.
  • Self-Spreading ‘GlassWorm’ Infects VS Code Extensions in Widespread Supply Chain Attack: A sophisticated, self-propagating worm dubbed ‘GlassWorm’ is spreading through Visual Studio Code extensions, representing a significant new software supply chain threat to developers.

Threat Intelligence

  • North Korean hacking group targeting European drone maker with ScoringMathTea malware — The North Korean Lazarus APT group is targeting a European drone manufacturer with ScoringMathTea malware as part of its ongoing ‘Operation DreamJob’ espionage campaign.
  • This browser claims “perfect privacy protection,” but it acts like malware: Security researchers warn that the ‘Universe Browser,’ which advertises strong privacy, behaves like malware and shows connections to Asian cybercrime and illegal gambling networks.
  • APT36 Targets Indian Government with Golang-Based DeskRAT Malware Campaign — The Pakistan-linked APT36 group is targeting Indian government entities with spear-phishing attacks to deliver ‘DeskRAT,’ a new malware written in Golang.
  • New LockBit Ransomware Victims Identified by Security Researchers — Check Point researchers have identified a dozen new attacks attributed to the LockBit ransomware group, with several utilizing a new version of the malware.

Security Breaches & Incidents

  • Fake LastPass death claims used to breach password vaults: A new phishing campaign is targeting LastPass users with fraudulent emails about legacy inheritance requests in an attempt to gain unauthorized access to their password vaults.
  • Cyberattack on Russia’s food safety agency reportedly disrupts product shipments: A reported DDoS attack against Russia’s food safety watchdog has disrupted critical systems, including its veterinary certification platform, impacting product shipments.

Security Tools & Best Practices

  • How to reduce costs with self-service password resets — Implementing secure self-service password reset tools with multi-factor authentication can significantly reduce IT help desk calls, which account for nearly 40% of their workload.
  • Mozilla: New Firefox extensions must disclose data collection practices — Mozilla will soon require all Firefox extension developers to clearly disclose if their add-ons collect user data or share it with third parties, enhancing user transparency.

Cloud & Network Security

  • Amazon: This week’s AWS outage caused by major DNS failure: Amazon has attributed the massive AWS outage that affected numerous online services on Monday to a significant failure within its DNS infrastructure.

Security Standards & Frameworks

  • Counter Ransomware Initiative stresses importance of supply-chain security — A global coalition is urging companies to improve their software supply-chain security as threat actors increasingly use third-party products to launch ransomware attacks.

Emerging Security Technologies

  • Sneaky Mermaid attack in Microsoft 365 Copilot steals data: A novel indirect prompt injection technique, the ‘Mermaid attack,’ has been demonstrated to successfully exfiltrate data from Microsoft 365 Copilot, posing a new threat to AI assistants.
  • OpenAI positions ChatGPT as a search engine for work data with Company Knowledge: OpenAI’s new ‘Company Knowledge’ feature for ChatGPT Enterprise allows it to index and search data from internal tools, raising important data security and governance questions.

Chris Armour
Director of Software Engineering

Operating on the philosophy that 'you can't build a secure system if you don't know how to break it,' Chris leads our engineering division. A top 1% National Cyber League competitor, he hardens our digital infrastructure against the very exploits he has mastered.
