A proof-of-concept exploit has emerged for a critical vulnerability in Microsoft Windows Server Update Services (WSUS), potentially enabling remote code execution with SYSTEM privileges. The vulnerability is designated CVE-2025-59287, affecting Windows Server versions from 2012 to 2025, and has been assigned a CVSS v3.1 score of 9.8.
Vulnerability Details and Risks
The flaw arises from unsafe deserialization of data in WSUS's AuthorizationCookie handling, specifically within the GetCookie() endpoint. The issue enables crafted payloads to execute arbitrary code due to inadequate validation during cookie processing. The vulnerability is exploited via a SOAP envelope request with a tampered AuthorizationCookie, leveraging AES-128-CBC encryption.
Microsoft has classified the vulnerability as "Exploitation More Likely," highlighting the risk across networked WSUS servers. The company warns of the potential for "wormable" exploits due to the vulnerability's nature.
Mitigation and Recommendations
Microsoft's October 2025 Patch Tuesday includes crucial patches addressing this flaw. Organizations are urged to apply these updates without delay, isolate WSUS servers, and implement stringent firewall rules. Additionally, transitioning from BinaryFormatter to safer serializers like JSON or XML with strict validation is recommended.
The appearance of a public PoC by researcher hawktrace on GitHub demonstrates potential command execution, emphasizing the urgency of protective measures. While no active exploitation is yet reported, the available PoC signals elevated risk.
