CCTR.44.OCT.25

Monday morning cyber coffee read CCTR.44.OCT.25

Threat actors are exploiting a critical security vulnerability (CVE-2025-59287, CVSS 9.8) in Windows Server Update Services (WSUS), targeting WSUS instances publicly exposed to the Internet. Exploitation could enable full takeover of WSUS servers, distribution of malicious updates to all connected endpoints, and lateral movement across domain environments.

Patch immediately. If patching is delayed, block TCP ports 8530 and 8531 from untrusted sources.

Huntress https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability

If you have WSUS exposed to the Internet, it’s IR time.
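As an added example (not from the Huntress post or this newsletter), the following PowerShell, run in an elevated session on the WSUS server itself, applies the interim mitigation above: it finds the inbound firewall rules that currently open TCP 8530/8531, scopes them to trusted address ranges, adds an explicit block on the Public profile, and prints the resulting scope for review. The subnets are placeholders to replace with your own client and management networks.

```powershell
# Added example: restrict TCP 8530/8531 on a WSUS server to trusted sources
# while CVE-2025-59287 patching is pending. Run elevated on the WSUS host.
# The address ranges below are placeholders, not values from the advisory.

$TrustedSources = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder trusted ranges
$WsusPorts      = @('8530', '8531')

# 1. Find every enabled inbound allow rule whose local port list includes a
#    WSUS port, so the change can be reviewed before it is applied.
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort | Where-Object { $WsusPorts -contains $_ }
    }
$openRules | Format-Table DisplayName, DisplayGroup, Profile

# 2. Scope those allow rules to the trusted ranges. With the default inbound
#    policy of Block, connections not matching an allow rule are dropped.
$openRules | Set-NetFirewallRule -RemoteAddress $TrustedSources

# 3. Explicit block for the WSUS ports on the Public profile, in case the
#    server's interface is ever classified as a public network. Block rules
#    take precedence over allow rules.
New-NetFirewallRule -DisplayName 'WSUS - block 8530/8531 on Public profile' `
    -Direction Inbound -Protocol TCP -LocalPort $WsusPorts -Profile Public `
    -Action Block | Out-Null

# 4. Verify: list every inbound rule that touches a WSUS port together with
#    its action and remote address scope.
Get-NetFirewallRule -Direction Inbound | ForEach-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    if ($pf.LocalPort | Where-Object { $WsusPorts -contains $_ }) {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
        }
    }
} | Format-Table -AutoSize
```

The port-based lookup in step 1 will not catch an allow rule whose local port is `Any`; if the verification output in step 4 shows such a rule, scope it or disable it as well. Host-level rules are a stopgap only: the perimeter firewall in front of the server should also drop 8530/8531 from the Internet, and the patch remains the fix.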

A vulnerability in Microsoft 365 Copilot (M365 Copilot) allowed attackers to steal sensitive tenant data, including recent emails, through indirect prompt injection attacks.

The flaw exploited Copilot’s integration with Office documents and its Mermaid diagram rendering feature, enabling attackers to manipulate the AI’s behaviour without any direct user interaction, highlighting the growing risk of indirect prompt injection in enterprise AI tools.

https://www.adamlogue.com/microsoft-365-copilot-arbitrary-data-exfiltration-via-mermaid-diagrams-fixed/

TP-Link has disclosed two high-risk vulnerabilities, CVE-2025-6542 (CVSS 9.3) and CVE-2025-6541 (CVSS 8.6), affecting multiple Omada Gateway models commonly used by small and medium-sized businesses as integrated router, firewall and VPN solutions.

Attackers exploiting these flaws can gain full control of the device’s underlying operating system, allowing backdoor installation and further network compromise.

Immediate firmware updates are strongly recommended. If patching cannot be performed immediately, restrict access to the management interface and block any public Internet exposure of affected Omada devices.

https://www.bleepingcomputer.com/news/security/tp-link-warns-of-critical-command-injection-flaw-in-omada-gateways/
