03.11.25 Threat Report
This week’s threat report highlights: a critical Windows Server WSUS vulnerability is under active attack, Chrome zero-day exploits are linked to commercial surveillance vendors, and new side-channel research threatens trusted execution environments. Here’s what leaders and technical teams need to know to stay protected.
Windows Server WSUS remote code execution (CVE-2025-59287) under active exploitation
Microsoft released out-of-band updates for a critical WSUS bug (CVE-2025-59287) that allows unauthenticated remote code execution via insecure deserialisation. A proof-of-concept is public, and exploitation has been observed in the wild. CISA added the flaw to the KEV catalogue and directed federal agencies to patch swiftly. Reporting also notes thousands of internet-exposed WSUS instances still visible, underscoring the risk of rapid mass exploitation if servers remain unpatched or accessible on default ports. Reboots are required after patching to complete mitigation.
NHS and private health estates commonly use WSUS for controlled Windows updates. Compromise of WSUS can provide adversaries with domain-level footholds and a software-supply vector to push malicious updates to clinical and back-office endpoints, risking widespread disruption.
Recommendations:
- Patch all WSUS servers immediately; follow Microsoft’s out-of-band guidance and reboot.
- Restrict WSUS to internal networks; block 8530/8531 externally; enforce TLS and authentication.
- Hunt for suspicious WSUS admin actions and unexpected client approvals; review server logs.
- Validate endpoint update chains and EDR coverage on critical clinical workstations.
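An added audit script (not from the report or Microsoft) that checks the three WSUS controls above on a server: a pending reboot after the out-of-band update, inbound firewall rules that expose 8530/8531 to any remote address, and a missing HTTPS binding. It assumes default ports, the default IIS site name "WSUS Administration", and an internal range of 10.0.0.0/8.

```powershell
# Added audit script, not the report's own tooling. Assumptions: default WSUS ports,
# default IIS site name, and 10.0.0.0/8 as the internal client range.
$InternalRanges = @('10.0.0.0/8')        # assumption: replace with your estate's ranges
$WsusPorts      = @('8530', '8531')      # port-filter values come back as strings
$findings = @()

# 1. Only meaningful on a WSUS server.
if (-not (Get-Service -Name 'WsusService' -ErrorAction SilentlyContinue)) {
    Write-Host 'WsusService not present; nothing to check.'; return
}

# 2. The out-of-band fix is not complete until the server restarts.
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
if ($rebootKeys | Where-Object { Test-Path $_ }) {
    $findings += 'Reboot pending: patch not yet effective'
}

# 3. Inbound allow rules on 8530/8531 whose remote address is Any expose WSUS beyond the LAN.
foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $ports = ($rule | Get-NetFirewallPortFilter).LocalPort
    if (-not ($ports | Where-Object { $WsusPorts -contains $_ })) { continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Rule '$($rule.DisplayName)' allows $($ports -join ',') from Any; " +
                     "scope it to $($InternalRanges -join ',')"
    }
}
# Remediation shape (run deliberately, not from this audit):
# New-NetFirewallRule -DisplayName 'WSUS internal only' -Direction Inbound -Protocol TCP `
#   -LocalPort 8530,8531 -RemoteAddress $InternalRanges -Action Allow

# 4. Clients should talk to WSUS over HTTPS (8531); an http-only site is a finding.
Import-Module WebAdministration
$bindings = Get-WebBinding -Name 'WSUS Administration'
if (-not ($bindings | Where-Object { $_.protocol -eq 'https' })) {
    $findings += 'No HTTPS binding on the WSUS site; enforce TLS on 8531 and update client GPOs'
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings.' }
```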
Chrome zero-day activity linked to commercial spyware vendor
Fresh analyses tie earlier Chrome zero-day exploitation (CVE-2025-2783) to the Italian spyware vendor Memento Labs. According to researchers, exploits were used to deliver surveillance tools via a sandbox-escape chain. While the original patches landed months ago, the new reporting highlights continued threat actor interest in browser chains for espionage and credential theft. Organisations should ensure enterprise browsers are up-to-date and harden extension and plugin policies, as attackers often pivot from a compromised browser session to cloud accounts.
Clinical and admin staff rely on browsers for cloud EHR portals, imaging viewers and email. A browser-level exploit can bypass traditional endpoint controls and enable credential theft or session hijack, opening a path to sensitive patient systems.
Recommendations:
- Enforce rapid Chrome updates; verify latest stable version across managed fleets.
- Lock down extensions; disable developer mode and restrict sideloading.
- Require phishing-resistant MFA for all clinical and admin SaaS access.
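An added example (not from the report or Google) of enforcing the first two recommendations through Chrome's registry-backed enterprise policies on a managed Windows fleet: always-on updates, a block-all extension policy with an explicit allowlist, and DevTools disabled. The extension ID is a placeholder; the policy names and values are the documented Chrome and Google Update ones.

```powershell
# Added example, not the report's own code. Assumes HKLM policy keys are managed
# centrally (GPO/Intune); the allowlisted extension ID below is a placeholder.
$Chrome = 'HKLM:\SOFTWARE\Policies\Google\Chrome'
$Update = 'HKLM:\SOFTWARE\Policies\Google\Update'
$ApprovedExtensions = @('<placeholder-32-char-extension-id>')   # assumption: your vetted list

New-Item -Path $Chrome -Force | Out-Null
New-Item -Path $Update -Force | Out-Null

# Google Update: UpdateDefault = 1 means "always allow updates", so a stale browser
# cannot persist because auto-update was switched off locally.
New-ItemProperty -Path $Update -Name 'UpdateDefault' -Value 1 -PropertyType DWord -Force | Out-Null

# Block every extension ('*'), which also covers unpacked/sideloaded ones, then allowlist by ID.
New-Item -Path "$Chrome\ExtensionInstallBlocklist" -Force | Out-Null
New-ItemProperty -Path "$Chrome\ExtensionInstallBlocklist" -Name '1' -Value '*' `
    -PropertyType String -Force | Out-Null
New-Item -Path "$Chrome\ExtensionInstallAllowlist" -Force | Out-Null
$i = 1
foreach ($id in $ApprovedExtensions) {
    New-ItemProperty -Path "$Chrome\ExtensionInstallAllowlist" -Name "$i" -Value $id `
        -PropertyType String -Force | Out-Null
    $i++
}

# DeveloperToolsAvailability = 2 disallows DevTools everywhere, shrinking the surface
# for loading unvetted code into clinical web sessions.
New-ItemProperty -Path $Chrome -Name 'DeveloperToolsAvailability' -Value 2 `
    -PropertyType DWord -Force | Out-Null

# Read back what is now enforced (chrome://policy on a client shows the same view).
Get-ItemProperty -Path $Chrome | Select-Object DeveloperToolsAvailability
Get-ItemProperty -Path "$Chrome\ExtensionInstallBlocklist", "$Chrome\ExtensionInstallAllowlist" |
    Select-Object PSChildName, '1'
```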
TEE.Fail side-channel attack targets Intel SGX/TDX and AMD SEV-SNP enclaves (DDR5)
Academic researchers disclosed TEE.Fail, a side-channel technique capable of extracting secrets from trusted execution environments on modern Intel and AMD platforms using DDR5 memory. While this is research-grade and not yet observed in healthcare incidents, it demonstrates practical avenues to leak keys or sensitive workload data from environments that many assume are strongly isolated (e.g., secure enclaves used by analytics or cloud services). Mitigations will likely involve microcode, firmware and software-level changes over time.
Hospitals and health-tech increasingly use cloud and confidential-computing features for analytics and AI. Weakening of TEEs could expose models, encryption keys or pseudonymised datasets, affecting privacy and regulatory compliance.
Recommendations:
- Track vendor advisories for microcode/firmware updates; patch hypervisors and kernels promptly.
- Minimise secrets stored in enclaves; implement key rotation and envelope encryption.
- Review cloud provider statements on enclave hardening and isolation guarantees.
Ransomware payment rates drop to record lows — attacker tactics shift
New industry data indicates just 23% of victims are paying ransoms, the lowest on record. While positive, this is prompting shifts in extortion playbooks: faster data-exfiltration, multi-extortion (public shaming, direct outreach to customers/patients) and shorter dwell times. For health organisations, the business model pressure may increase harassment of patients and staff, requiring robust crisis comms and legal readiness alongside technical controls.
Even if you refuse to pay, attackers may escalate pressure by contacting patients, partners or regulators to force disruption. Preparedness needs to span technical response and safeguarding communications.
Recommendations:
- Maintain tested offline backups; practise restore drills for EPR, PACS and critical apps.
- Pre-approve breach comms workflows with legal, IG and clinical leadership.
- Enforce least privilege and detect rapid data staging to block exfiltration early.
Focus this week on remediating WSUS servers, tightening browser controls, and staying close to firmware and microcode advisories. Blend technical controls with prepared communications plans to blunt extortion pressure.
Contact us to learn more about our Threat Intelligence Service