Microsoft WSUS Under Attack: CVE-2025-59287 Exploited in the Wild


Microsoft has released an emergency security update to fix a critical remote code execution (RCE) vulnerability in its Windows Server Update Services (WSUS) platform. The flaw, now tracked as CVE-2025-59287, has a CVSS score of 9.8, making it one of the most severe security issues discovered in recent months. What’s more concerning is that the exploit is publicly available and hackers are already exploiting it in the wild.

The vulnerability affects Windows Server systems running the WSUS Server Role. WSUS is a key Microsoft service that helps organizations manage and deploy Windows updates across their network. The flaw stems from a deserialization of untrusted data, which allows an attacker to execute arbitrary code on the server without any authentication.

According to Microsoft and multiple security researchers, the issue occurs due to unsafe handling of AuthorizationCookie objects sent to the GetCookie() endpoint. These objects are encrypted using AES-128-CBC and then deserialized through BinaryFormatter, a mechanism that Microsoft has previously warned developers against using because of its security risks.

If exploited successfully, attackers can gain SYSTEM-level privileges, giving them full control of the affected server — the highest possible privilege in Windows environments.

The vulnerability was discovered and responsibly reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange from CODE WHITE GmbH. Microsoft initially addressed the flaw during its October Patch Tuesday 2025 update but later discovered that the first patch did not completely fix the issue. As a result, the company issued an out-of-band (OOB) update on Thursday to ensure full protection.

In a detailed analysis shared by Batuhan Er from HawkTrace Security, the attack begins when a remote, unauthenticated attacker sends a specially crafted request to a vulnerable WSUS server. This request abuses a “legacy serialization mechanism,” causing unsafe object deserialization that leads to remote code execution (RCE).

Once the code executes, attackers can run commands using cmd.exe or PowerShell, download malicious payloads, and even exfiltrate sensitive data. One of the observed attacks used a Base64-encoded .NET payload that fetched commands from a request header named “aaaa,” cleverly hiding them from system logs.


The Dutch National Cyber Security Centre (NCSC-NL) confirmed that CVE-2025-59287 is being actively exploited. According to a report by Eye Security, attacks were first observed around October 24, 2025, when hackers targeted a WSUS server belonging to one of their customers.

Eye Security’s CTO Piet Kerkhofs explained that attackers were using custom request headers to execute commands silently, making detection difficult. He added that the proof-of-concept (PoC) exploit, released just two days earlier by HawkTrace, provided attackers with everything they needed to start exploiting the vulnerability.

Cybersecurity company Huntress also confirmed spotting malicious activity targeting publicly exposed WSUS servers on TCP ports 8530 and 8531 as early as October 23, 2025. These attacks involved sending multiple POST requests to WSUS web services, triggering the deserialization vulnerability and eventually executing PowerShell payloads that collected user and network data for exfiltration.

Microsoft’s out-of-band update addresses the vulnerability across multiple versions of Windows Server, including:

  • Windows Server 2012 and 2012 R2

  • Windows Server 2016

  • Windows Server 2019

  • Windows Server 2022 (including 23H2 Server Core)

  • Windows Server 2025

After installing the patch, administrators must reboot the server for the update to take effect.

For those unable to apply the update immediately, Microsoft recommends temporary mitigations to minimize risk:

  1. Disable the WSUS Server Role if it’s not actively required.

  2. Block inbound traffic to ports 8530 and 8531 using the host firewall.

Microsoft also emphasized that these workarounds should not be reverted until after the latest update has been installed.
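The two temporary mitigations above, scripted as an added example (this is not code from the article or from Microsoft). It assumes an elevated PowerShell session on the WSUS host; the firewall rule name is a constructed value, and removal of the role is left commented out because it is an operator decision.

```powershell
# Added example (not from the article or Microsoft): apply and verify the two
# temporary mitigations for CVE-2025-59287 on a Windows Server host.
# Run in an elevated PowerShell session on the WSUS server itself.
#Requires -RunAsAdministrator

$WsusPorts = 8530, 8531   # WSUS HTTP/HTTPS listeners named in the advisory

# 1. Report whether the WSUS Server Role is installed; remove it only if the
#    server is not actually needed for update distribution (operator decision).
$role = Get-WindowsFeature -Name UpdateServices
if ($role.Installed) {
    Write-Host "WSUS Server Role is installed on $env:COMPUTERNAME."
    # Uncomment to remove the role (a reboot is required to complete removal):
    # Uninstall-WindowsFeature -Name UpdateServices -Restart
} else {
    Write-Host "WSUS Server Role not installed; this host is not affected by the CVE."
}

# 2. Block inbound TCP 8530/8531 with the host firewall. The rule is created
#    once and reused on later runs so the script is idempotent.
$ruleName = 'Block-WSUS-CVE-2025-59287'   # constructed rule name, adjust as needed
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Host "Created inbound block rule for TCP $($WsusPorts -join ', ')."
} else {
    Write-Host "Block rule '$ruleName' already present."
}

# 3. Verify: list anything still listening on the WSUS ports so the operator
#    can confirm the new rule covers the live listeners.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WsusPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize
```

Re-run the script after installing the out-of-band update and rebooting; the block rule can then be removed with `Remove-NetFirewallRule -DisplayName 'Block-WSUS-CVE-2025-59287'`.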

In a statement, Microsoft confirmed that it re-released the CVE after realizing the earlier patch was incomplete. The company reassured that systems with the latest update are fully protected. It also clarified that the issue does not affect servers that do not have the WSUS Server Role enabled.

Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies and critical infrastructure operators have been directed to patch affected systems by November 14, 2025.

The CVE-2025-59287 vulnerability is particularly dangerous because WSUS servers often have administrative privileges and access to critical parts of enterprise networks. Successful exploitation could allow attackers to push malicious updates, move laterally across systems, and compromise entire networks.

The public availability of a working proof-of-concept combined with confirmed in-the-wild attacks means this is not a theoretical risk — it’s an active, ongoing threat.

Organizations running WSUS must prioritize installing the latest Microsoft patch immediately. Delaying the update could expose networks to severe attacks, data theft, and full system compromise.

Security experts strongly recommend performing a full network audit, ensuring WSUS is not exposed to the internet, and monitoring logs for suspicious PowerShell or cmd.exe activity.
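One way to act on the monitoring advice, as an added example that is not part of the article: query Windows Security event ID 4688 (process creation) for cmd.exe or PowerShell spawned by the WSUS web worker. It assumes, beyond what the article states, that WSUS web services run inside IIS so a post-exploitation shell appears as a child of `w3wp.exe`, and that "Audit Process Creation" (ideally with command-line logging) is enabled on the server.

```powershell
# Added example (not from the article): hunt Security event 4688 for cmd.exe /
# PowerShell children of the WSUS IIS worker process over the last N hours.
# Assumptions (not stated in the article): WSUS is hosted in IIS (w3wp.exe) and
# process-creation auditing is enabled; CommandLine is empty unless the
# "Include command line in process creation events" policy is also on.

$Hours              = 24
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
$WsusParent         = 'w3wp.exe'   # assumed IIS worker hosting WSUS; adjust if different

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4688
    StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read named fields from the event XML instead of parsing the message text.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $child  = [IO.Path]::GetFileName($d['NewProcessName'])
    $parent = [IO.Path]::GetFileName($d['ParentProcessName'])

    if ($parent -ieq $WsusParent -and $child -in $SuspiciousChildren) {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $parent
            Child       = $child
            CommandLine = $d['CommandLine']   # populated only with command-line auditing
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No $($SuspiciousChildren -join '/') children of $WsusParent in the last $Hours h."
}
```

Any hit is worth treating as a potential compromise rather than noise: the IIS worker for WSUS has no routine reason to launch a shell.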

As with any critical vulnerability, timely patching and proactive security monitoring remain the best defense.
