Overview

Defender Vulnerability Management is an insightful module of Defender XDR for getting an overview of currently vulnerable endpoints and servers. However, whether a system is actually vulnerable can depend on more than its latest installed patch or security update (or its general software version). A recent example:

  • Vulnerability: CVE-2025-59287
  • Details: Remote code execution vulnerability impacting Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025)
  • Vulnerable: Identify servers that are currently configured to be vulnerable to exploitation (i.e., affected servers with WSUS Server Role enabled and ports open to 8530/8531) for priority mitigation.

Source: https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve

System characteristics

  • Registry: HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate, values WUServer and WUStatusServer (source: https://www.ninjaone.com/script-hub/check-wsus-settings-using-powershell/)
  • Connectivity: TCP ports 8530/8531 (source: https://www.ninjaone.com/script-hub/check-wsus-settings-using-powershell/)

KQL

// Query 1: devices where the WSUS server role setup key has been observed in the registry
DeviceEvents
| where RegistryKey startswith "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Update Services\\Server\\Setup"
| distinct DeviceName, RegistryKey, RegistryValueName

// Query 2: devices with the WSUS ports in use that Defender classifies as internet facing
DeviceNetworkEvents
| where LocalPort in (8530, 8531)   // LocalPort is an integer column, so compare with numbers rather than strings
| distinct DeviceName, ActionType
| join (DeviceInfo
    | where IsInternetFacing == 1
) on DeviceName
| distinct DeviceName, OSPlatform

Takeaways

  • Approach the exploitability of a vulnerability from multiple perspectives
  • Think through concrete and findable characteristics of a vulnerable system (registry key/value, open ports, etc.)
  • Verify your findings
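To verify a hunt result on a candidate host, here is an added PowerShell check (my own example, not part of the original post or of the NinjaOne script it cites) that tests the registry keys and ports listed under System characteristics. The function name Test-WsusExposure and the output fields are my own choice; it assumes an elevated session on the Windows Server being checked.

```powershell
# Added example: host-side verification of the WSUS characteristics from the hunt.
# Registry paths and port numbers are the ones named on the page.
function Test-WsusExposure {
    [CmdletBinding()]
    param(
        [int[]]$Ports = @(8530, 8531)   # WSUS HTTP / HTTPS ports
    )

    $result = [ordered]@{
        ComputerName    = $env:COMPUTERNAME
        ServerRoleKey   = $false   # Update Services\Server\Setup key present (server role marker used by the KQL)
        ClientPolicyKey = $false   # WUServer / WUStatusServer client policy values present
        WUServer        = $null
        WUStatusServer  = $null
        ListeningPorts  = @()
        LikelyExposed   = $false
    }

    # 1) Server-side marker: the key the registry hunt query looks for
    $serverSetup = 'HKLM:\SOFTWARE\Microsoft\Update Services\Server\Setup'
    $result.ServerRoleKey = Test-Path -Path $serverSetup

    # 2) Client-side policy values from the "System characteristics" section
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    if (Test-Path -Path $policy) {
        $props = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
        $result.WUServer        = $props.WUServer
        $result.WUStatusServer  = $props.WUStatusServer
        $result.ClientPolicyKey = [bool]($props.WUServer -or $props.WUStatusServer)
    }

    # 3) Is anything actually listening on the WSUS ports right now?
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort }
    $result.ListeningPorts = @($listening | Select-Object -ExpandProperty LocalPort -Unique)

    # Flag the host when the server role marker exists AND a WSUS port is open.
    # Internet exposure cannot be judged from the host alone; cross-check with the
    # DeviceInfo IsInternetFacing join in the KQL above.
    $result.LikelyExposed = $result.ServerRoleKey -and ($result.ListeningPorts.Count -gt 0)

    [pscustomobject]$result
}

Test-WsusExposure | Format-List
```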