Cybersecurity and Information Warfare

Sharp Rise in WSUS Port Scanning Linked to Critical RCE Vulnerability

Since mid-October 2025, cybersecurity experts have observed a significant surge in scanning activity targeting TCP ports 8530 and 8531, the ports used by Windows Server Update Services (WSUS). This uptick correlates with the discovery and rapid exploitation of a critical remote code execution vulnerability, CVE-2025-59287, publicly disclosed by Microsoft on October 14, 2025. The flaw, rated 9.8 on the CVSS scale, allows unauthenticated attackers to execute arbitrary code through unsafe deserialization of AuthorizationCookie data in WSUS, potentially compromising any exposed server. Microsoft issued an urgent out-of-band patch on October 23 after the initial fix proved incomplete. Following disclosure, attackers scanned the internet, found over 5,500 exposed WSUS servers, and used the flaw to execute malicious PowerShell commands and deploy malware without authentication. Experts warn that the reconnaissance scanning is a precursor to full exploitation and urge administrators to immediately audit, patch, isolate, and monitor WSUS infrastructure to prevent wider network compromise and data exfiltration. Network segmentation and forensic investigation of exposed servers are critical defenses against the ongoing attacks.
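As an added example (not from the article or from Microsoft), the following Python script runs over a constructed sample of firewall connection-log lines and flags external sources probing TCP 8530/8531 across several internal hosts, then lists the internal hosts that actually accepted such a connection and therefore belong at the top of the audit and isolation list. The log format, the sample addresses and the 10.0.0.0/8 internal range are assumptions.

```python
"""Flag reconnaissance against WSUS ports (TCP 8530/8531) in connection logs."""
from collections import defaultdict
import ipaddress

WSUS_PORTS = {8530, 8531}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

# Constructed sample log: "<timestamp> <src_ip> <dst_ip> <dst_port> <action>".
SAMPLE_LOG = """\
2025-10-20T03:14:01Z 198.51.100.7 10.0.1.10 8530 DENY
2025-10-20T03:14:01Z 198.51.100.7 10.0.1.11 8530 DENY
2025-10-20T03:14:02Z 198.51.100.7 10.0.1.12 8531 DENY
2025-10-20T03:14:02Z 198.51.100.7 10.0.1.13 8530 ALLOW
2025-10-20T03:15:10Z 10.0.2.50 10.0.1.10 8530 ALLOW
2025-10-20T03:16:30Z 203.0.113.9 10.0.1.10 443 ALLOW
2025-10-20T03:17:00Z 203.0.113.44 10.0.1.10 8531 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return ts, src, dst, int(port), action


def wsus_events(log_text):
    """Yield parsed events that touch a WSUS port from outside INTERNAL."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, action = parse_line(line)
        if port in WSUS_PORTS and ipaddress.ip_address(src) not in INTERNAL:
            yield ts, src, dst, port, action


def find_wsus_scanners(log_text, min_targets=3):
    """External sources that hit WSUS ports on >= min_targets distinct hosts.
    Denied attempts count too: a scan is visible whether or not it connects."""
    targets = defaultdict(set)
    for _, src, dst, _, _ in wsus_events(log_text):
        targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}


def exposed_wsus_hosts(log_text):
    """Internal hosts that ALLOWed a WSUS-port connection from outside."""
    return sorted({dst for _, _, dst, _, act in wsus_events(log_text) if act == "ALLOW"})


if __name__ == "__main__":
    print("scanners:", find_wsus_scanners(SAMPLE_LOG))
    print("exposed WSUS hosts:", exposed_wsus_hosts(SAMPLE_LOG))
```

On the sample, the single source sweeping four hosts is reported as a scanner, while the internal client and the unrelated port-443 connection are ignored.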
