What happened?
Microsoft has issued emergency security updates to address a high-risk vulnerability in Windows Server Update Service (WSUS), for which proof-of-concept exploit code has been made publicly accessible, further emphasising the urgent need to update any affected servers without delay.
The vulnerability, tracked as CVE-2025-59287, has a CVSS score of 9.8 and allows remote code execution (RCE) on targeted devices. It's important to note, however, that this security flaw only affects Windows servers with the WSUS server role enabled - a feature that isn't enabled by default.
Benjamin Harris of watchTowr stated, "There is now widespread exploitation of the pre-authentication remote code execution vulnerability in Microsoft's WSUS service, and any unpatched WSUS instance exposed online has likely already been compromised. In 2025, there is no valid reason for WSUS to be accessible from the Internet, and organisations in this position should seek guidance to address the issue."
So what?
WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network.
The vulnerability can be exploited remotely in low-complexity attacks that crucially do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialisation in a "legacy serialisation mechanism," leading to remote code execution.
The issue relates to the deserialisation of untrusted data within WSUS, specifically due to insecure handling of AuthorizationCookie objects received by the GetCookie() endpoint. Here, encrypted cookie information is decrypted using AES-128-CBC and then deserialised via BinaryFormatter without adequate type checking, which can result in remote code execution with SYSTEM-level access. As a consequence, an unauthorised attacker could run code remotely across the network, potentially allowing the vulnerability to spread between WSUS servers.
Eye Security, who initially alerted the Dutch branch of the National Cyber Security Centre (NCSC) to the active exploitation on 24 October, reported that the vulnerability was first seen being used to deliver a Base64-encoded payload aimed at an undisclosed client.
What should I do?
To comprehensively address this vulnerability, it is important to follow guidance provided by Microsoft on the CVE page and apply the aforementioned out-of-band security update as a priority. This patch is currently available for the following supported versions of Windows Server:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2022 23H2 Edition (Server Core installation)
- Windows Server 2025
Microsoft also shared workarounds for admins who can't immediately install these emergency patches; these solutions involve either disabling the WSUS Server Role to remove the primary attack vector, or blocking all inbound traffic to Ports 8530 and 8531 on the host firewall to render WSUS non-operational. It is, however, important to note that Windows endpoints will stop receiving updates from the local server after WSUS is disabled or the traffic is blocked.
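The following PowerShell is an added example for administrators working through the steps above; it is not from this advisory and is not a Microsoft-supplied script. It assumes an elevated session on the Windows Server being assessed, uses the standard ServerManager and NetSecurity cmdlets, and treats the KB number of the out-of-band update as a placeholder to be taken from Microsoft's CVE-2025-59287 page. It checks whether the WSUS role is installed, whether the update is present, which addresses the WSUS ports are listening on, and then applies the firewall-based workaround from the advisory.

```powershell
# Added example (not from the advisory): assess a host for the WSUS role and the
# exposure described above, then apply Microsoft's interim workaround of blocking
# inbound TCP 8530/8531 until the out-of-band update can be installed.
# Run in an elevated PowerShell session on the Windows Server being assessed.
# $PatchKb is a PLACEHOLDER: substitute the KB number from Microsoft's CVE-2025-59287 page.
$PatchKb   = 'KBXXXXXXX'
$WsusPorts = 8530, 8531

# 1. Is the WSUS server role (feature name 'UpdateServices') installed at all?
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host "WSUS role not installed on $env:COMPUTERNAME - host is not affected by CVE-2025-59287."
    return
}
Write-Warning "WSUS role is installed on $env:COMPUTERNAME - continue assessment."

# 2. Is the out-of-band update already present?
if (Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue) {
    Write-Host "Update $PatchKb is installed."
} else {
    Write-Warning "Update $PatchKb is NOT installed - apply it as a priority."
}

# 3. Are the WSUS ports actually listening, and on which addresses?
#    A listener bound to a routable address on a server reachable from the Internet
#    is the exposure the advisory warns about.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue
foreach ($l in $listeners) {
    Write-Host ("Listening: {0}:{1} (PID {2})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess)
}

# 4. Interim workaround from the advisory: block all inbound traffic to 8530/8531
#    on the host firewall. Clients will stop receiving updates from this server
#    until the rule is removed, so give it a recognisable name.
$ruleName = 'CVE-2025-59287-Block-WSUS-Inbound'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Host "Firewall rule '$ruleName' created - WSUS is now unreachable over the network."
}

# The advisory's other workaround, removing the role entirely, would be:
#   Uninstall-WindowsFeature -Name UpdateServices
# After the update is installed, remove the block so clients resume receiving updates:
#   Remove-NetFirewallRule -DisplayName $ruleName
```

The firewall rule is the less disruptive of the two workarounds because it can be reversed with a single cmdlet once the patch is confirmed installed, whereas uninstalling the role discards the WSUS configuration. Either way, note the date the workaround was applied so the client update gap can be accounted for afterwards.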