Microsoft releases urgent fix for actively exploited WSUS vulnerability (CVE-2025-59287)
Microsoft has released an out-of-band security update that “comprehensively” addresses CVE-2025-59287, a remote code execution vulnerability in the Windows Server Update Services (WSUS) that is reportedly being exploited in the wild.

About CVE-2025-59287
WSUS is a tool that helps organizations manage and distribute Microsoft updates across multiple computers.
Instead of every PC downloading updates from Microsoft’s servers, WSUS downloads the updates and stores them, then distributes them to all computers on the network that connect to it.
CVE-2025-59287 is a critical deserialization of untrusted data vulnerability that may allow an unauthorized attacker to execute code on vulnerable machines by sending a specially crafted event to the WSUS server. No user interaction is required to trigger it.
The vulnerability affects only Windows Server machines that have the WSUS Server role enabled, and it’s not enabled by default, Microsoft noted.
The company pushed out a fix for the flaw on the October 2025 Patch Tuesday, and Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, advised admins to implement it quickly, as the vulnerability is wormable between affected WSUS servers and WSUS servers are an attractive target.
That fix was apparently not comprehensive, so Microsoft has now released an additional update.
A public PoC, and reports of in-the-wild exploitation
CVE-2025-59287 exploitation from the internet should not be possible if the network is properly configured (i.e., WSUS is operated behind a firewall).
But, as the German Federal Office for Information Security (BSI) pointed out, if an attacker has already gained access to the internal network or if the perimeter firewall is misconfigured, the vulnerability could be used to gain full control of the WSUS server and to extend the attack to other services.
Compromised WSUS servers could, for example, be used to distribute malicious updates to client devices.
The urgency to install this update has increased as a security researcher published a technical rundown of CVE-2025-59287 and proof-of-concept exploit code earlier this week.
Also, the Dutch National Cyber Security Centre warned today that it “has learned from a trusted partner that abuse of the vulnerability (…) was observed on October 24, 2025.”
Update or disable WSUS
This out-of-band update has been provided for all supported Windows Server versions, and systems will need to be rebooted once they have been updated.
If the update cannot be installed immediately, admins can either temporarily disable the WSUS server role or render WSUS non-operational by blocking inbound traffic to ports 8530 and 8531 on the host firewall. That also means, of course, that clients will no longer receive updates from the server.
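The two interim options above, as an added example that is not from the article or from Microsoft: it checks that the WSUS role is actually present, shows whether the default ports are listening, and applies the host-firewall block (the role removal and the later clean-up are left commented out). It assumes an elevated PowerShell session on the WSUS server and the built-in ServerManager and NetSecurity modules; the KB identifier is a placeholder.

```powershell
# Added example, not from the article or from Microsoft: temporary containment
# for a WSUS host that cannot take the out-of-band update yet. Run in an
# elevated PowerShell session on the WSUS server itself. Assumes Windows Server
# with the built-in ServerManager and NetSecurity modules.

# 1. Confirm the WSUS role is present. CVE-2025-59287 only applies where the
#    role is enabled, and it is not enabled by default.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host "WSUS role not installed; this host is not affected."
    return
}

# 2. Show whether the default WSUS ports (8530 HTTP, 8531 HTTPS) are listening.
Get-NetTCPConnection -State Listen -LocalPort 8530,8531 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. Option A from the article: block inbound traffic to 8530/8531 on the host
#    firewall. Clients stop receiving updates until the rule is removed.
$ruleName = "TEMP-Block-WSUS-inbound-CVE-2025-59287"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8530,8531 -Action Block -Profile Any -Enabled True | Out-Null
}
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# 4. Option B from the article: remove the role instead of filtering it.
#    Uncomment only if re-adding the role later is acceptable.
# Uninstall-WindowsFeature -Name UpdateServices -Restart

# 5. After the OOB update is installed and the server rebooted, lift the block.
#    The KB identifier is a placeholder; take it from Microsoft's advisory.
# if (Get-HotFix -Id "KB<from-advisory>" -ErrorAction SilentlyContinue) {
#     Remove-NetFirewallRule -DisplayName $ruleName
# }
```

If WSUS was configured on non-default ports, adjust the port list in steps 2 and 3 to match.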
“This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions. If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead,” Microsoft added.
UPDATE (October 25, 2025, 06:57 p.m. ET):
CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog and directed US federal civilian agencies to mitigate it by November 14, 2025.
Dutch company Eye Security told Help Net Security that it is the company that identified the first successful exploitation attempts of the vulnerability on Friday morning and shared them with NCSC-NL.
The attack they spotted was very different from the PoC exploit by Hawktrace and shows that the threat actor had capabilities beyond those of a script kiddie, Eye Security researcher Bas van den Berg noted.
“We can reproduce the RCE and it feels like it’s complex enough to be a state actor or advanced ransomware gang that has weaponized the CVE in only a few days,” the company’s CTO Piet Kerkhofs told us.
The firm has shared indicators of compromise.
Huntress also detected attacks, “beginning at around 2025-10-23 23:34 UTC”, in which the attackers performed reconnaissance: identifying the logged-in user, listing all user accounts in the Active Directory domain, and grabbing the system’s network settings.
“Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE against the update service,” they said.
“Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary. A base64-encoded payload was decoded and executed in PowerShell; the payload enumerated servers for sensitive network and user information and extracted results to a remote webhook.”
Huntress says that four of their customers were hit, but that they expect exploitation of CVE-2025-59287 to be limited: “WSUS is not often exposing ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible.”
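The process lineage Huntress describes (a shell spawned by the HTTP worker process or the WSUS service binary, then a base64 payload handed to PowerShell) is the hunting signal a defender would want to query for. The following is an added example, not from the article or from Huntress; it assumes the "HTTP worker process" is w3wp.exe and the "WSUS service binary" is WsusService.exe, and that process-creation events (Sysmon ID 1 or Security 4688) have already been exported to objects with UtcTime, ParentImage, Image and CommandLine fields. The sample events are constructed.

```powershell
# Added example, not from the article or from Huntress: a hunt for the process
# lineage Huntress described, a shell spawned by the IIS worker process or the
# WSUS service. Assumptions: the "HTTP worker process" is w3wp.exe, the "WSUS
# service binary" is WsusService.exe, and process-creation events (Sysmon ID 1,
# Security 4688) have been exported to objects with UtcTime, ParentImage,
# Image and CommandLine fields.

function Find-WsusShellSpawn {
    param([Parameter(Mandatory)][object[]]$Events)

    $parents  = @('w3wp.exe', 'wsusservice.exe')
    $children = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

    foreach ($e in $Events) {
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $child  = [IO.Path]::GetFileName($e.Image).ToLower()
        if (($parents -contains $parent) -and ($children -contains $child)) {
            # Huntress saw a base64 payload handed to PowerShell; -EncodedCommand
            # takes UTF-16LE base64, so decode it for the analyst rather than
            # leaving the blob opaque in the alert.
            $decoded = $null
            if ($e.CommandLine -match '-e(nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
                try {
                    $decoded = [Text.Encoding]::Unicode.GetString(
                        [Convert]::FromBase64String($Matches[2]))
                } catch { $decoded = '<not valid base64>' }
            }
            [pscustomobject]@{
                Time = $e.UtcTime; Parent = $parent; Child = $child
                CommandLine = $e.CommandLine; Decoded = $decoded
            }
        }
    }
}

# Constructed sample events, not real telemetry. The encoded string decodes to
# "whoami", matching the "identify the logged-in user" step in the article.
# Only the first event should be reported; the second is a normal user shell.
$sample = @(
    [pscustomobject]@{ UtcTime = '2025-10-23 23:34:05'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c powershell -enc dwBoAG8AYQBtAGkA' }
    [pscustomobject]@{ UtcTime = '2025-10-23 23:35:12'
        ParentImage = 'C:\Windows\explorer.exe'
        Image = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe' }
)
Find-WsusShellSpawn -Events $sample | Format-List
```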
Eye Security has pinpointed approximately 8,000 internet-facing servers with one of those ports open, though it could not check whether those servers were vulnerable. Considering that the emergency fix was pushed out less than two days ago, it’s likely that not many of them have been patched yet.
UPDATE (November 3, 2025, 04:35 a.m. ET):
Attackers are exploiting the flaw to deploy infostealer malware on unpatched Windows servers.
Johannes Ullrich, Dean of Research at the SANS Technology Institute, says that their sensors detected a significant increase in scans for port 8530/TCP and 8531/TCP over the course of last week.
“Some of these reports originate from Shadowserver, and likely other researchers, but there are also some that do not correspond to known research-related IP addresses,” he noted.
“Sufficient details have been made public about the attack to suggest that any exposed vulnerable servers should be considered compromised at this point.”

