Week Ending October 31, 2025
Executive Summary
This week was a reminder that even the systems built to protect us can become the source of risk. A newly discovered flaw in Windows Server Update Services (WSUS) (CVE-2025-59287) is being actively exploited, allowing attackers to distribute malicious “updates” across entire districts. If you still rely on WSUS, patch now and verify it’s properly segmented and using valid certificates before resuming normal sync operations.
Two recent incidents highlight why vigilance still matters. In New York, Voorheesville Central School District lost nearly $1 million in a fraudulent bank transfer tied to a likely business-email compromise. And in Texas, Uvalde CISD was forced to close schools after ransomware crippled phones, HVAC controls, and payroll – proof that classroom IT and building systems are now inseparable.
At the same time, there’s ongoing fallout from the PowerSchool / Salesforce integration issue, where stolen tokens and connected-app abuse exposed vendor environments. Even if you weren’t directly impacted, now is the time to ask vendors about their token management and connected-app reviews.
Add a Chrome / Chromium zero-day to the mix, and the pattern becomes clear: attackers are focusing on trusted tools – update servers, browsers, and cloud integrations. The best defense this week is a quick audit of the systems you assume are safe. A few minutes of validation today can prevent a very public problem tomorrow.
Itemized Findings
Microsoft WSUS Remote Code Execution (CVE-2025-59287) – Critical
It’s every patch admin’s nightmare: the tool you use to keep systems secure becomes the threat itself. That’s what’s happening with this new WSUS vulnerability, now being actively exploited in the wild. An attacker who gets in can use WSUS’s trusted update channel to push out malicious “updates” across your entire fleet – servers, desktops, everything.
For most districts, WSUS isn’t something people think about often; it just quietly does its job. That’s what makes this dangerous. If you’re still using it, patch immediately, make sure the server is isolated from the open internet, and confirm it’s only reachable by authenticated systems. Also verify that WSUS is enforcing TLS and valid code-signing certificates before distributing updates.
If you had any custom update rules or paused approvals in past years, now’s a good time to revisit those. A quick audit of your WSUS logs and update history since mid-October could tell you if anything unexpected slipped through.
If you have engaged Lockstep to manage your organization’s patching services, rest assured that we have already addressed this vulnerability.
Chrome / Chromium Zero-Day Exploit – Moderate
Browser vulnerabilities rarely make front-page news, but this one deserves attention. A new Chrome/Chromium flaw (CVE-2025-2783) has been spotted in real spyware campaigns. With so many student and staff devices running Chrome, one unpatched browser could become a quick entry point for attackers.
The good news is that Google has already issued a fix. Districts should enforce automatic browser updates wherever possible and restrict unnecessary extensions – particularly ones with access to tabs, cookies, or clipboard data. If your MDM can force a version baseline, this is a good week to use it.
For student devices, encourage short, simple messaging: “Restart your Chromebook today – it applies security updates.” It sounds trivial, but it works.
PowerSchool / Salesforce Integration Incident – Moderate
The trouble with cloud integrations is that no one really knows how many there are until something breaks. The latest example comes from a Drift–Salesloft–Salesforce token-theft campaign, which exposed a number of connected environments – including PowerSchool’s Salesforce-based customer-support portal.
Even if your district wasn’t directly involved, you’re still connected to that ecosystem. It’s worth asking every vendor that uses Salesforce whether they’ve rotated tokens or reviewed OAuth permissions in the past month. If your own district runs Salesforce, pull an inventory of connected apps and revoke anything you don’t actively use.
Voorheesville (NY) $1 Million Treasury Fraud – Moderate
This story is a familiar one, but it still stings: a district finance office gets an email that looks legitimate; a transfer is approved, and money disappears. Voorheesville Central School District in New York lost about $1 million this month in what appears to be a classic business-email-compromise case.
The district was able to recover part of the funds, but it’s another warning that financial controls matter just as much as firewalls. Dual approvals for every wire or ACH transfer, daily reconciliation, and a rule that any bank-account change must be verified by phone – those simple steps still stop the majority of these attacks.
Ransomware Impact on Uvalde CISD – Informational
Uvalde CISD in Texas spent nearly a week offline after a ransomware attack took down phones, HVAC controls, security cameras, and payroll systems. It’s a stark example of how “technology” in schools now goes well beyond the computer lab. When HVAC and door-access systems are connected to the same network as instructional tools, attackers can easily disrupt daily operations.
This incident didn’t involve data theft so much as plain old disruption – and that can be just as damaging. It’s a good moment to review how your operational technology (OT) is segmented from your instructional and administrative networks. Even a few simple VLAN and firewall-rule changes can dramatically reduce cross-impact.
Recommended Actions
- WSUS – Patch First, Verify Second
Install Microsoft’s out-of-band patch for CVE-2025-59287, confirm the server isn’t internet-exposed, enforce TLS, and validate update signatures. Check logs for unusual activity since mid-October; small anomalies now may prevent a big cleanup later.
- Browsers – Close the Zero-Day Window
Push the newest Chrome/Edge update and prune unnecessary extensions. Managed Chromebooks can update silently; for unmanaged ones, a quick “restart today” message is often enough.
- Third-Party SaaS – Trust, but Verify
Ask vendors tied to Salesforce or PowerSchool if they’ve rotated tokens or audited app permissions. Short-lived tokens and least-privilege scopes are the goal. Review your own Salesforce connected-app list while you’re at it.
- Finance Offices – Rehearse the Basics
Dual approvals and call-backs still stop most treasury fraud. Host a 30-minute tabletop with your business office this month; it’s time well spent.
- OT Segmentation – Prevent Collateral Damage
Work with facilities to map HVAC, cameras, and access controls. Separate them from instructional networks with VLANs and firewall rules. It’s the simplest form of resilience you can build.
What Next?
If any of these issues raise questions about your own environment, don’t hesitate to reach out to your Lockstep Account Executive. Whether it’s a quick conversation about patching priorities, or a deeper look at your district’s readiness around WSUS, browser security, or third-party integrations, our team can help you assess where things stand and what steps would make the biggest difference. Sometimes a short, focused review is all it takes to turn concern into confidence.
