Critical WSUS Vulnerability Requires Immediate Attention
Microsoft Releases Urgent Security Update
On Thursday, October 23, 2025, Microsoft issued an out-of-band security update for a critical vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The flaw drew immediate attention because a proof-of-concept (PoC) exploit is publicly available and the vulnerability is being exploited in the wild, which is what prompted the out-of-band release rather than waiting for the next Patch Tuesday.
Details of the Vulnerability
CVE-2025-59287 is a remote code execution (RCE) vulnerability with a Common Vulnerability Scoring System (CVSS) score of 9.8. It is caused by deserialization of untrusted data inside WSUS. Microsoft first addressed it in the October 2025 Patch Tuesday release, but that fix was incomplete, which is why a second, out-of-band update was required. A successful exploit lets an unauthenticated attacker execute arbitrary code on the server over the network. Only Windows servers with the WSUS Server Role enabled are affected; the role is an optional feature and is not installed by default, and servers without it are not exposed to this flaw.
Three researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH, are credited with discovering the vulnerability and reporting it to Microsoft.
Mechanics of the Attack
In the attack scenario Microsoft describes, an unauthenticated remote attacker sends a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism. The concrete entry point is the GetCookie() endpoint, which accepts an AuthorizationCookie object. According to Batuhan Er, a security researcher at HawkTrace, the encrypted cookie data is decrypted with AES-128-CBC and the resulting plaintext is handed directly to BinaryFormatter, with no restriction on which types the serialized stream is allowed to instantiate. BinaryFormatter creates whatever types the data names, so an attacker who controls that stream can supply a deserialization gadget chain and run code with SYSTEM privileges. Because this happens before any authentication, no credentials are needed.
Microsoft has long told developers not to use BinaryFormatter on untrusted input; its own documentation describes the type as insecure and impossible to make secure. In .NET 9 (the removal was announced in August 2024 and the release shipped in November 2024) the BinaryFormatter implementation was removed from the runtime entirely. It still exists in .NET Framework, which is what WSUS runs on, so the responsibility for restricting deserialized types rests with the application.
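To make the "no type validation" point concrete, here is an added example (my own code, not WSUS's or Microsoft's) showing the unrestricted deserialization shape beside the standard hardening, an allow-list SerializationBinder. It uses [System.Version] as a stand-in for the AuthorizationCookie type and a Hashtable as the stand-in for an unexpected type; no gadget chain is involved. It targets Windows PowerShell 5.1 (.NET Framework), since PowerShell 7 on .NET 8+ disables BinaryFormatter by default and .NET 9 removed it.

```powershell
# Added example (not WSUS code): BinaryFormatter with and without a type allow-list.
# Runs on Windows PowerShell 5.1 (.NET Framework). [System.Version] stands in for the
# expected payload type; a Hashtable stands in for a type the endpoint never expects.

class AllowListBinder : System.Runtime.Serialization.SerializationBinder {
    # The binder is consulted for every type name in the stream before that type is
    # instantiated. Returning only the expected type blocks gadget-chain types outright.
    [Type] BindToType([string]$assemblyName, [string]$typeName) {
        if ($typeName -eq 'System.Version') { return [System.Version] }
        throw [System.Runtime.Serialization.SerializationException]::new(
            "Refusing to deserialize unexpected type: $typeName")
    }
}

function ConvertTo-BinaryFormatterBytes([object]$Object) {
    $bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    $ms = [System.IO.MemoryStream]::new()
    $bf.Serialize($ms, $Object)
    return ,$ms.ToArray()
}

# Vulnerable shape: whatever type the (attacker-controlled) bytes name gets instantiated.
function ConvertFrom-BinaryFormatterUnrestricted([byte[]]$Bytes) {
    $bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    return $bf.Deserialize([System.IO.MemoryStream]::new($Bytes))
}

# Hardened shape: same formatter, but the allow-list binder decides which types may be created.
function ConvertFrom-BinaryFormatterAllowListed([byte[]]$Bytes) {
    $bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    $bf.Binder = [AllowListBinder]::new()
    return $bf.Deserialize([System.IO.MemoryStream]::new($Bytes))
}

# Constructed inputs: the expected payload, and a stream naming a type the endpoint never expects.
$expected   = ConvertTo-BinaryFormatterBytes ([Version]'1.2.3.4')
$unexpected = ConvertTo-BinaryFormatterBytes (@{ marker = 'not a cookie' })

# Without a binder, both streams deserialize without complaint: this is the vulnerable behaviour.
ConvertFrom-BinaryFormatterUnrestricted $expected   | Out-Null
ConvertFrom-BinaryFormatterUnrestricted $unexpected | Out-Null

# With the allow-list, the expected type still round-trips and the unexpected type is refused.
$cookie = ConvertFrom-BinaryFormatterAllowListed $expected
"Allowed: $cookie"
try {
    ConvertFrom-BinaryFormatterAllowListed $unexpected | Out-Null
} catch {
    "Rejected: $($_.Exception.GetBaseException().Message)"
}
```

The binder is a mitigation for code you control, not a substitute for the patch: a binder that returns types by name is only as strong as its allow-list, and the safer fix is to stop using BinaryFormatter for network-supplied data altogether.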
Patch Availability and Recommendations
Microsoft has released the out-of-band update for all supported Windows Server versions: Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2 Edition, and 2025. A restart is required after installation; the fix does not take full effect until the server has been rebooted.
For those unable to install the out-of-band update immediately, Microsoft has suggested two workarounds:
- Disable (uninstall) the WSUS Server Role if it is currently enabled. Clients that depend on this server will stop receiving updates until the role is restored.
- Block inbound traffic to TCP ports 8530 and 8531 (the WSUS defaults) at the host firewall. This also blocks legitimate WSUS clients, and if WSUS was configured on non-default ports the rule must target those instead.
Microsoft emphasizes that these workarounds should only be reverted once the update has been installed and the server rebooted.
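The following is an added example (my own script, not Microsoft's) of how an administrator would check whether a host is in scope, apply the firewall workaround, and verify it. Run it elevated on the WSUS server; the firewall rule names are my own choice, and the role-removal alternative is left commented out because it is disruptive.

```powershell
# Added example: scope check, workaround, and verification for CVE-2025-59287.
# Run elevated on the WSUS server. Rule names are arbitrary; adjust ports if WSUS uses non-defaults.

# 1. Is the WSUS Server Role installed? If not, this host is not affected and there is nothing to do.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) { "WSUS role not installed; host is not affected."; return }

# Show what is currently listening on the WSUS ports (normally the IIS worker process, w3wp.exe).
Get-NetTCPConnection -LocalPort 8530, 8531 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }

# 2a. Workaround: block inbound 8530/8531 so untrusted sources cannot reach the GetCookie() endpoint.
#     Note that legitimate WSUS clients are blocked too until the rules are removed.
foreach ($port in 8530, 8531) {
    New-NetFirewallRule -DisplayName "CVE-2025-59287 block WSUS $port" -Direction Inbound `
        -Protocol TCP -LocalPort $port -Action Block -Profile Any | Out-Null
}

# 2b. Alternative workaround: remove the role entirely (clients stop receiving updates).
# Uninstall-WindowsFeature -Name UpdateServices -Restart

# Verify the block rules exist and which ports they cover.
Get-NetFirewallRule -DisplayName 'CVE-2025-59287 block WSUS *' |
    Get-NetFirewallPortFilter | Select-Object LocalPort, Protocol

# After the out-of-band update is installed and the server rebooted, revert the workaround:
# Get-NetFirewallRule -DisplayName 'CVE-2025-59287 block WSUS *' | Remove-NetFirewallRule
```

A host firewall rule only protects the server from traffic that reaches it; if the WSUS ports are published through an edge firewall or load balancer, block them there as well.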
Insights from Cybersecurity Experts
The Dutch National Cyber Security Centre (NCSC) reports that exploitation of CVE-2025-59287 was observed as early as October 24, 2025. Eye Security first saw attempts against one of its customers, showing how quickly attackers move once a PoC is public. The payload observed was a Base64-encoded command launched through cmd.exe, a combination that keeps the actual command out of casual log review.
Cybersecurity firm Huntress corroborated that threat actors began targeting publicly exposed WSUS instances on the default ports around October 23, 2025. Exploitation appears limited so far because relatively few WSUS servers expose those ports to the internet, but that limited exposure is no reason to delay the patch: a compromised WSUS server is trusted by every client it serves.
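Based on the behaviour described above (a shell spawned from the WSUS service or its IIS worker, carrying a Base64-encoded command), here is an added detection example. It is my own logic, not Eye Security's or Huntress's, and it runs first over constructed sample records in Sysmon Event ID 1 field names, then shows the equivalent live query. The parent and child process lists are assumptions a defender would tune to their environment.

```powershell
# Added example: flag shells spawned by WSUS processes and decode -EncodedCommand payloads for triage.
# Parent/child lists are assumptions; the sample records below are constructed, not real telemetry.

$WsusParents = @('wsusservice.exe', 'w3wp.exe')
$ShellImages = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

function Test-WsusSpawnedShell {
    param([string]$ParentImage, [string]$Image, [string]$CommandLine)
    $parent = [System.IO.Path]::GetFileName($ParentImage).ToLower()
    $child  = [System.IO.Path]::GetFileName($Image).ToLower()
    if ($WsusParents -notcontains $parent -or $ShellImages -notcontains $child) { return $null }

    # -EncodedCommand / -enc payloads are UTF-16LE text in Base64; decode so the analyst sees the real command.
    $decoded = $null
    if ($CommandLine -match '(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch {}
    }
    [pscustomobject]@{ Parent = $parent; Child = $child; CommandLine = $CommandLine; Decoded = $decoded }
}

# Constructed sample events (Sysmon Event ID 1 field names). The encoded command is made up here.
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami; net user /domain'))
$samples = @(
    @{ ParentImage = 'C:\Program Files\Update Services\Service\wsusservice.exe'
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = "cmd.exe /c powershell -nop -w hidden -enc $enc" },
    @{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = "powershell.exe -EncodedCommand $enc" },
    @{ ParentImage = 'C:\Windows\explorer.exe'          # benign: not a WSUS parent, should not be flagged
       Image       = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c dir' }
)
$samples | ForEach-Object { Test-WsusSpawnedShell @_ } | Format-List

# Live query: Sysmon process-creation events from the last 24 hours. Security event 4688 with
# command-line auditing enabled works the same way (ParentProcessName / NewProcessName / CommandLine).
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}; $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        Test-WsusSpawnedShell -ParentImage $d.ParentImage -Image $d.Image -CommandLine $d.CommandLine
    } | Format-List
```

On a WSUS server the IIS worker and the WSUS service have no legitimate reason to launch a shell, so this rule should be quiet in normal operation; any hit deserves a look at the decoded command and at outbound connections from the same host around the same time.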
Conclusion
Given the active exploitation of CVE-2025-59287 and the public availability of a PoC exploit, system administrators should treat installing Microsoft's out-of-band update (followed by a reboot) as a priority. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, with a remediation deadline of November 14, 2025 for federal agencies.
Until the update is applied, affected organizations should put one of the workarounds in place, review WSUS servers for signs of the post-exploitation activity described above, and watch for further guidance from Microsoft.