Capacitify

7 w

Critical Windows Update Glitch: USB & Performance Issues Detected

At Xphiz Digital Technologies, we stay ahead of critical system updates to ensure uninterrupted operations for our clients.
Microsoft’s latest cumulative update - KB5066835 (OS Build 26100.6899) - released on October 14, 2025, is causing major disruptions across Windows 11 (24H2/25H2) and Windows Server 2025 environments.

🔹 Primary Issue:
USB keyboards and mice become completely unresponsive in the Windows Recovery Environment (WinRE) - preventing access to vital recovery and repair tools.
🔹Other Reported Problems:
• Failed localhost network connections
• Update installation errors
• Blank File Explorer preview panes
• Sluggish system performance and app delays
Microsoft has acknowledged the issue (October 17) and is developing a fix.

✅ Recommended Actions:
• Avoid using WinRE until the patch is fixed
• Use Windows installation media for recovery tasks
• Uninstall KB5066835 only if absolutely necessary (note: this reopens security risks)
• Pause automatic updates in critical systems

At Xphiz Digital Technologies, our IT team continues to test updates in controlled environments before full deployment - safeguarding system integrity and minimizing operational risks.

Key Insight: Even essential security patches can trigger unexpected issues. Proactive monitoring, staged deployment, and reliable backup processes remain the best defense against downtime.
#xphizdigitaltechnologies #windows11 #microsoftupdate #itsupport #systemadmin #cybersecurity #techupdate #xphiz

Comment

7 w

What happened in EASY terms:
• WSUS (Windows Server Update Services) is Microsoft’s tool that companies use to centrally download and push Windows updates to their computers.
• A critical bug (CVE-2025-59287, CVSS 9.8) was fixed by Microsoft in October 2025. Security researchers / attackers have published a proof-of-concept (PoC) exploit that shows how the bug can be used in the real world.

WHY SO BAD - (simple analogy)
Think of WSUS as a trusted mailroom. WSUS receives a small encrypted note (an “AuthorizationCookie”). Because of a bug, WSUS decrypts that note and then trusts the contents so blindly that it treats those contents like executable instructions. An attacker can craft a malicious note so that when WSUS “reads” it, the server ends up running attacker code with SYSTEM privileges - the highest level on Windows. Because the service is network-facing inside many networks, an attacker doesn’t even need to be logged in (it’s unauthenticated).

Technically: WSUS uses .NET’s Binary Formatter to deserialize decrypted cookie data. Binary Formatter can instantiate objects during deserialization and, with the fed attackers data, it can be tricked into running code. That unsafe deserialization is the root cause.

REAL RISKS
• An attacker who successfully exploits this gets SYSTEM, so they can install ransomware, move laterally, steal updates, or modify update content - very high impact for enterprises.
• WSUS servers could be used to infect many machines if attackers tamper with update infrastructure (i.e., it could be wormable(virus) inside a network).

IMMEDIATE ACTIONS (what to do now)
1. Patch WSUS immediately - apply Microsoft’s security update for CVE-2025-59287 on every WSUS server. This is the primary fix. (If you manage many servers, prioritize internet-facing and central WSUS servers.)
2. If you can’t patch immediately:
a. Block network access to your WSUS server from untrusted networks. Restrict access to management hosts only (firewall rules / NSGs). WSUS typically listens on web ports (HTTP/HTTPS) - limit those.
b. Consider isolating the WSUS server from the general LAN until patched.
3. Harden and monitor:
• Review IIS / HTTP access logs to look for suspicious requests targeting WSUS endpoints (the PoC abuses cookie endpoints).
• Watch for unexpected child processes, new services, unusual network connections from the WSUS host, or modified update files.
4. Search for compromise indicators: look for signs of code execution with SYSTEM around the time of suspicious requests, new admin accounts, or changes to update catalogs. If you suspect compromise, follow your incident response plan and treat the server as breached (isolate, preserve logs, investigate).

DETECTION HINTS (quick checks)
• Check WSUS/IIS logs for unexpected POSTs to cookie/get endpoints or strange Base64/encrypted payloads.
• Look in Event Viewer for .NET application errors around WSUS service restarts or crashes.
• Scan endpoints downstream of WSUS for newly installed/modified software or unexpected connections back to unknown hosts

TECHNICAL SUMMARY (one word understanding)
CVE-2025-59287 is an unsafe-deserialization bug in WSUS’s handling of encrypted AuthorizationCookie data that lets an unauthenticated attacker send a crafted cookie which, when decrypted and deserialized, leads to remote code execution as SYSTEM. A working PoC exists, so apply Microsoft’s patch and/or isolate WSUS immediately.

Still feel you dont need an IT Support or a Cybersecurity Expert for your Business/Office? We work tirelesly so support and secure.
#capacitify #itsupport #cybercrime #cyberworld @cybersecuritynews.com