Microsoft has released urgent patches for a critical vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) impacting Windows Server versions 2012 through 2025. The flaw, resulting from insecure deserialization of data, exposes servers to remote code execution threats.
Vulnerability Details and Exploitation
The vulnerability allows unauthenticated attackers to execute arbitrary code, compromising WSUS servers. Security researcher Kevin Beaumont successfully demonstrated the exploit, highlighting the risk of tampered updates being pushed to clients. While Microsoft issued an initial patch on 2023-10-14, further mitigation was required, leading to an out-of-band patch.
The US CISA has added this vulnerability to its catalog of known exploits, while the Dutch National Cybersecurity Center has reported exploitation activity. Security firms Huntress and WatchTowr noted attacks beginning around 2023-10-23, primarily targeting WSUS instances on default ports 8530/8531.
Advisory and Risk Assessment
Attackers have used this vulnerability to execute commands, harvest information, and exfiltrate data through proxy networks. According to Huntress, fewer than 25 susceptible hosts were publicly exposed, but WatchTowr identified over 8,000 potentially vulnerable instances, including those within high-value organizations.
Microsoft has assured that customers using the latest updates are protected and urges administrators to apply these patches immediately. It is also recommended to avoid exposing WSUS servers to the public internet to mitigate risk further.
Mitigation and Recommendations
Administrators are advised to implement the latest security patches as a priority measure. Complementary to this, companies should assess network exposure and secure WSUS deployments to prevent exploitation.
- The critical WSUS vulnerability was identified by CVE-2025-59287 as a deserialization issue.
- Microsoft's patch was initially released on 2023-10-14, with further mitigation issued as an out-of-band patch.
- Exploitation was first noted around 2023-10-23, targeting default ports 8530/8531.
- Huntress reported less than 25 exposed vulnerable hosts.
- More than 8,000 instances are at risk according to WatchTowr.
