Microsoft has issued a second update for a critical remote code execution vulnerability in Windows Server Update Services (WSUS). This patch is aimed at fully resolving the security risk after the initial fix proved insufficient, leaving systems vulnerable to active exploitation.
Scope of the Update
The vulnerability, identified as CVE-2025-59287, impacts WSUS on a range of Windows Server versions, including 2012, 2016, 2019, 2022, and 2025. It results from unsafe deserialization of AuthorizationCookie data, allowing unauthenticated attackers to execute code remotely with SYSTEM privileges.
Malicious actors have reportedly been exploiting the vulnerability by sending crafted cookies to the GetCookie() endpoint. The severity of this risk prompted urgent action from security agencies.
Security Advisories and Mitigations
Multiple security firms, including HawkTrace, Eye Security, and Huntress, confirmed active exploitation of the bug. Eye Security reported roughly 2,500 WSUS servers as exposed globally, while Huntress detected attacks targeting default WSUS ports 8530 and 8531.
Organizations such as CISA and the Dutch NCSC have issued advisories urging immediate application of the update, released out-of-band on 2023-10-23, followed by a reboot of affected servers. They recommend the following interim measures to reduce risk until the update is installed:
- Disable the WSUS Server Role.
- Block inbound traffic to ports 8530/8531.
These mitigations should remain in place until the update is fully installed to ensure system security.
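As an added example that is not part of the article or any vendor guidance, the following PowerShell script checks whether a Windows Server host has the WSUS role installed and is listening on the default ports 8530/8531, then applies the two interim mitigations above. The -Apply switch and the firewall rule name are constructed for this example; run it as Administrator on the WSUS server itself.

```powershell
# Added example (not from the article or Microsoft): interim mitigation for CVE-2025-59287
# on a WSUS host, following the two steps the advisories recommend.
# -Apply is a constructed switch; without it the script only reports the current state.
param([switch]$Apply)

$WsusPorts = 8530, 8531   # default WSUS HTTP/HTTPS ports named in the article

# 1. Is the WSUS Server Role present on this host? (ServerManager module, Windows Server)
$role = Get-WindowsFeature -Name UpdateServices
Write-Host ("WSUS role installed: {0}" -f $role.Installed)

# 2. Exposure check: is any process listening on the default WSUS ports?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort }
foreach ($l in $listeners) {
    $proc = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ("Listening on {0}:{1} (pid {2}, {3})" -f `
        $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc.ProcessName)
}

# 3. Is the host-firewall block rule already in place? (rule name is a constructed placeholder)
$RuleName = 'Block-WSUS-Inbound-CVE-2025-59287'
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
Write-Host ("Inbound block rule present: {0}" -f [bool]$rule)

if (-not $Apply) {
    Write-Host "Report only. Re-run with -Apply to block the ports and disable the role."
    return
}

# Mitigation A: block inbound TCP 8530/8531 at the Windows firewall on every profile.
if (-not $rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Host "Inbound TCP 8530/8531 blocked."
}

# Mitigation B: disable the WSUS Server Role. Clients stop receiving updates from this
# server until the role is re-added after patching; a reboot may be needed to finish.
if ($role.Installed) {
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false | Out-Null
    Write-Host "WSUS role removed; reboot the server to complete removal."
}
```

Keep the firewall rule in place until the fixed update is confirmed installed and the server has been rebooted, then remove it and re-add the role.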
Conclusion
Administrators are strongly advised to apply the latest WSUS update and follow mitigation steps to secure their systems promptly. Microsoft’s rapid response underscores the need for vigilant application of security patches to prevent unauthorized access and potential damage.