Critical WSUS flaw reported in Schneider Electric Foxboro DCS systems

Schneider Electric has issued a security advisory regarding a critical vulnerability affecting its EcoStruxure Foxboro DCS Advisor services, caused by a flaw in Microsoft Windows Server Update Services (WSUS). The EcoStruxure Foxboro DCS Advisor is an optional component of the EcoStruxure Foxboro DCS system that enables remote connectivity and diagnostics by continuously monitoring key performance indicators on the I/A Series or Control Software system's process. 

The vulnerability is tracked as CVE-2025-59287 (CVSS score 9.8), a deserialization of untrusted data that enables unauthenticated attackers to execute arbitrary code with system-level privileges on affected servers. 

The vulnerability allows threat actors to send crafted payloads to WSUS web endpoints, typically over ports 8530 and 8531, triggering remote code execution that runs with SYSTEM privileges.

Security researchers and incident responders have observed active exploitation in the wild shortly after public proof-of-concepts became available. Reports indicate that threat actors have actively targeted internet-exposed WSUS instances.

The affected product is the Schneider Electric EcoStruxure Foxboro DCS Advisor services running on systems that utilize Microsoft Windows Server Update Services for patch distribution or reporting. Schneider Electric has confirmed that any deployment of the Foxboro DCS Advisor that hosts or relies on WSUS functionality is vulnerable to exploitation.

Schneider Electric has directed customers to apply Microsoft's official patches KB5070882 and KB5070884. Customers should contact Schneider Electric's Global Customer Support to verify that updates have been successfully applied. For organizations unable to immediately deploy patches, Schneider Electric recommends blocking WSUS ports (8530/8531) at the firewall level or disabling WSUS services until patches can be applied.