By the CyberWire staff
Top stories.
- Attackers are exploiting a critical WSUS flaw.
- Nation-state hackers breached a telecom technology vendor.
- US agencies support proposed ban on TP-Link products.
- Microsoft sustains widespread Azure outage.
- Hundreds flee bombed Myanmar scam compound.
- Former L3 Harris exec pleads guilty to selling exploits to Russia.
Attackers are exploiting a critical WSUS flaw.
Threat actors are actively exploiting a critical remote code execution vulnerability (CVE-2025-59287) affecting Windows Server Update Services (WSUS), the Register reports. Microsoft issued an emergency patch for the flaw last Thursday. Palo Alto Networks' Unit 42 observed exploitation of the flaw within hours of Microsoft's patch.
"We are seeing about 100,000 hits for exploitation of this bug within the last seven days based on our telemetry," Dustin Childs, Head of Threat Awareness at Trend Micro's Zero Day Initiative, told the Register. "Our scans show that there are just under 500,000 internet-facing servers with the WSUS service enabled. Due to the nature of the bug, we expect just about every affected server to be hit at some point."
Google's Threat Intelligence Group added in a statement to the Register, "We are actively investigating the exploitation of CVE-2025-59287 by a newly identified threat actor we are tracking as UNC6512, across multiple victim organizations. Following initial access, the actor has been observed executing a series of commands to conduct reconnaissance on the compromised host and the associated environment. We have also observed exfiltration from impacted hosts."
Nation-state hackers breached a telecom technology vendor.
Reuters reports that nation-state hackers breached Texas-based telecom services company Ribbon Communications and remained within the company's network for over a year. Ribbon supplies technology that facilitates real-time voice and data communications; its customers include Verizon, BT, CenturyLink, Deutsche Telekom, SoftBank Group, TalkTalk, and Tata. The company also serves the US Defense Department. Ribbon said in a statement, "While we do not have evidence at this time that would indicate the threat actor gained access to any material information, we continue to work with our third-party experts to confirm this. We have also taken steps to further harden our network to prevent any future incidents."
Ribbon hasn't attributed the attack to any particular nation-state. Pete Renals, Director of National Security Programs for Palo Alto Networks' Unit 42, told Reuters that Ribbon's "central role as a supplier to sensitive government and infrastructure clients makes Ribbon a lucrative target for state-aligned actors, particularly from China and Russia."
US agencies support proposed ban on TP-Link products.
The Washington Post reports that more than half a dozen US Federal departments and agencies support the Commerce Department's proposed ban on TP-Link routers, citing national security risks stemming from the company's ties to China. TP-Link Systems is based in California, but was spun off from China's TP-Link Technologies. The Post cites sources as saying an interagency review—backed by Homeland Security, Defense, and Justice—concluded that Chinese government directives could still influence the US company.
A TP-Link spokesperson told the Post, "TP-Link vigorously disputes any allegation that its products present national security risks to the United States. TP-Link is a U.S. company committed to supplying high-quality and secure products to the U.S. market and beyond."
Microsoft sustains widespread Azure outage.
A widespread outage affected Microsoft Azure on Wednesday following "an inadvertent configuration change" that triggered a DNS failure, CNBC reports. The outage brought down Azure and Microsoft 365, causing "critical" issues in every region the company serves around the world, Tom's Hardware says.
WIRED notes that the incident, along with last week's AWS outage, highlights the "brittleness" of the cloud ecosystem, where major cloud providers can become single points of failure affecting a multitude of critical services.
Hundreds flee bombed Myanmar scam compound.
The Thai military says stragglers from a major Myanmar-based scam center continue to cross the border into Thailand, following a bombing operation against the compound carried out by Myanmar's military last week, the AP reports. Reuters says more than 1,500 people from at least 28 countries have fled from the compound into Thailand over the past week. Most of these people are victims of human trafficking and forced labor, pressured to carry out online scams under threat of violence.
Many of the individuals come from India, China, the Philippines, Vietnam, Ethiopia, and Kenya. Authorities in Thailand are working to process the victims and repatriate them to their home countries.
Former L3 Harris exec pleads guilty to selling exploits to Russia.
A former L3 Harris executive has pleaded guilty to stealing at least eight exploits and selling them to a Russian government contractor, CyberScoop reports. Peter Williams, a 39-year-old Australian national who admitted to stealing the exploits from L3 Harris subsidiary Trenchant, will likely face between seven and nine years in prison. He'll be sentenced in January 2026.
The US Justice Department stated, "[F]rom approximately 2022 through 2025, Williams improperly used his access to the defense contractor’s secure network to steal the cyber exploit components that constituted the trade secrets. Williams resold those components in exchange for the promise of millions of dollars in cryptocurrency."