Security experts have issued urgent warnings regarding a critical vulnerability in Microsoft Windows Server Update Services (WSUS) that is currently being exploited by cybercriminals. This vulnerability, identified as CVE-2025-59287, has been assigned a severity rating of 9.8 out of 10 on the Common Vulnerability Scoring System (CVSS) scale and affects Windows Server versions from 2012 to 2025.
The issue arises from the insecure deserialization of untrusted data, allowing unauthorized attackers to execute arbitrary code on affected systems. Notably, servers without the WSUS role enabled remain unaffected. Following the initial patch released on October 14, referred to as Patch Tuesday, it became evident that the fix was insufficient. Consequently, Microsoft issued an emergency update late Thursday to address the oversight.
However, the effectiveness of this second patch is still in question. Security researcher Kevin Beaumont reported that he was able to exploit the out-of-band update, gaining remote code execution capabilities. He noted, “I was able to tamper with the updates offered to the clients and push out malicious updates to said clients.” Beaumont further explained the method of setting a deadline on WSUS for malicious payloads, allowing clients to install them simultaneously, increasing the potential impact of the attack.
On Friday, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, while the Dutch National Cybersecurity Center has also raised alarms about ongoing exploitation activities. The exploitation of this flaw appears to be widespread; if an unpatched WSUS instance is active online, it is likely already compromised.
Despite these developments, Microsoft did not respond to inquiries regarding the exploitation of the vulnerability. As of publication time, the security advisory for CVE-2025-59287 still indicated that the vulnerability was not actively exploited, though that status is expected to change soon.
A Microsoft spokesperson acknowledged the situation, stating, “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.” However, private security firms such as Huntress and WatchTowr reported that attackers had already begun taking advantage of the vulnerability. According to Huntress, exploitation attempts commenced shortly after October 23, targeting publicly exposed WSUS instances on their default ports.
Researchers at Huntress observed attackers using the HTTP worker process and the WSUS service binary to execute commands and utilize PowerShell for scanning servers for sensitive information. This data was then collected and exfiltrated via remote webhooks, with the attackers employing proxy networks to obfuscate their activities.
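The post-exploitation lineage described above (the HTTP worker process or the WSUS service binary spawning a shell or PowerShell) is something defenders can hunt for in process-creation telemetry. The following is an added example, not code from the article, Huntress, or Microsoft; it assumes the IIS HTTP worker process is `w3wp.exe` and the WSUS service binary is `WsusService.exe` (the article names neither executable), and the log lines are constructed Sysmon-style events, not real telemetry.

```python
# Added example: flag process-creation events where the IIS worker process or the
# WSUS service spawns cmd.exe/PowerShell, the lineage the article attributes to
# post-exploitation activity. Not the article's or any vendor's code.
from dataclasses import dataclass

# Assumption: w3wp.exe is the IIS HTTP worker process and WsusService.exe is the
# WSUS service binary; neither name appears in the article.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample events (pipe-separated key=value fields, Sysmon Event ID 1 style).
SAMPLE_EVENTS = r"""
EventID=1|Image=C:\Windows\System32\inetsrv\w3wp.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=w3wp.exe -ap WsusPool
EventID=1|Image=C:\Windows\System32\cmd.exe|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|CommandLine=cmd.exe /c <constructed placeholder>
EventID=1|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|ParentImage=C:\Program Files\Update Services\Service\WsusService.exe|CommandLine=powershell.exe -NoProfile <constructed placeholder>
EventID=1|Image=C:\Windows\System32\notepad.exe|ParentImage=C:\Windows\explorer.exe|CommandLine=notepad.exe
""".strip().splitlines()


@dataclass
class Finding:
    parent: str        # parent executable name, lower-cased
    child: str         # child executable name, lower-cased
    command_line: str  # child command line as logged


def parse_event(line: str) -> dict:
    """Split one pipe-separated key=value event line into a dict."""
    return dict(field.split("=", 1) for field in line.split("|"))


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows (or POSIX) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_wsus_shell_spawns(events) -> list:
    """Return a Finding for every event whose parent is a WSUS-related process
    and whose child is a command shell or PowerShell host."""
    findings = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in WSUS_PARENTS and child in SHELL_CHILDREN:
            findings.append(Finding(parent, child, ev.get("CommandLine", "")))
    return findings


if __name__ == "__main__":
    for f in find_wsus_shell_spawns(parse_event(l) for l in SAMPLE_EVENTS):
        print(f"ALERT: {f.parent} -> {f.child}: {f.command_line}")
```

Hits on a patched host still warrant review, since the same lineage would also appear if an attacker had already established persistence before the fix was applied.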
While Huntress identified fewer than 25 vulnerable hosts, they noted that WSUS instances are not commonly exposed on ports 8530 and 8531. In contrast, WatchTowr's CEO Benjamin Harris highlighted the indiscriminate nature of the exploitation, warning that any unpatched WSUS instance is likely already compromised. He emphasized that there is no legitimate reason for organizations to expose WSUS to the public internet in 2025 and urged organizations to seek guidance on securing their systems.
With over 8,000 instances reportedly exposed, including those belonging to high-value targets, the situation has raised serious concerns regarding cybersecurity in critical infrastructures.
