Microsoft releases urgent fix for actively exploited WSUS vulnerability (CVE-2025-59287)

Microsoft has released an out-of-band security update that “comprehensively” addresses CVE-2025-59287, a remote code execution vulnerability in the Windows Server Update Services (WSUS) that is reportedly being exploited in the wild.

About CVE-2025-59287

WSUS is a tool that helps organizations manage and distribute Microsoft updates across multiple computers.

Instead of every PC downloading updates from Microsoft’s servers, WSUS downloads the updates and stores them, then distributes them to all computers on the network that connect to it.

CVE-2025-59287 is a critical deserialization of untrusted data vulnerability that may allow an unauthorized attacker to execute code on vulnerable machines by sending a specially crafted event to the WSUS server. No user interaction is required to trigger it.

The vulnerability affects only Windows Server machines that have the WSUS Server role enabled, and it’s not enabled by default, Microsoft noted.

The company pushed out a fix for the flaw on October 2025 Patch Tuesday, and Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, advised admins to implement it quickly as the vulnerability is wormable between affected WSUS servers and WSUS servers are an attractive target.

The fix was apparently not comprehensive, so Microsoft now released an additional update.

A public PoC, and reports of in-the-wild exploitation

CVE-2025-59287 exploitation from the internet should not be possible if the network is properly configured (i.e., WSUS is operated behind a firewall).

But, as the German Federal Office for Information Security (BSI) pointed out, if an attacker has already gained access to the internal network or if the perimeter firewall is misconfigured, the vulnerability could be used to gain full control of the WSUS server and to extend the attack to other services.

Compromised WSUS servers could, fore example, be used to distribute malicious updates to client devices.

The urgency to install this update has increased as a security researcher published a technical rundown of CVE-2025-59287 and proof-of-concept exploit code earlier this week.

Also, the Dutch National Cyber Security Centre warned today that it “has learned from a trusted partner that abuse of the vulnerability (…) was observed on October 24, 2025.”

Update or disable WSUS

This out-of-band update has been provided for all supported Windows Server versions, and systems will need to be rebooted once they have been updated.

If the update cannot be implemented immediately, admins can either temporarily disable the WSUS server role or render WSUS non-operational by blocking inbound traffic to Ports 8530 and 8531 on the host firewall. Of course, that also means that clients will no longer receive updates from the server.

“This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions. If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead,” Microsoft added.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!