Published on October 24, 2025

Critical Microsoft WSUS Vulnerability Actively Exploited Following Patch Release
Severity

Critical

Detail

Microsoft released an out-of-band update to fix a critical remote code execution vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287 (CVSS 9.8). The flaw is currently under active exploitation, with a public proof-of-concept (PoC) available.

CVE Number: CVE-2025-59287
Description: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability. Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
CVSS Score (Severity): 9.8 (Critical)

The vulnerability, discovered by researchers from CODE WHITE GmbH, results from unsafe deserialization of untrusted data within WSUS. Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code with SYSTEM-level privileges by sending crafted requests to the affected service.

The issue specifically involves the GetCookie() endpoint, which decrypts and deserializes AuthorizationCookie objects without proper validation. Because the deserialized data is attacker-controlled, this step lets a remote attacker trigger execution of a malicious payload on the server.

According to Microsoft, the WSUS Server Role is not enabled by default on Windows servers. Systems without this role are not affected by the vulnerability. However, any server on which WSUS is enabled before the security fix is applied is exposed to potential exploitation until the fix is installed.

Affected Products

This vulnerability affects the following supported Windows Server versions:

  • Windows Server 2025 (KB5070881)
  • Windows Server, version 23H2 (KB5070879)
  • Windows Server 2022 (KB5070884)
  • Windows Server 2019 (KB5070883)
  • Windows Server 2016 (KB5070882)
  • Windows Server 2012 R2 (KB5070886)
  • Windows Server 2012 (KB5070887)

Recommendation

To fully remediate CVE-2025-59287, Microsoft has issued an out-of-band security update for all supported Windows Server versions, including 2012, 2012 R2, 2016, 2019, 2022, 2022 (23H2 Server Core), and 2025, as stated in Microsoft’s advisory. A system reboot is required after installation to ensure the update is properly applied.

Microsoft has listed temporary workarounds for environments unable to apply the update immediately. The company advises disabling the WSUS Server Role or blocking inbound traffic to ports 8530 and 8531 at the host firewall to prevent potential exploitation. However, both actions render WSUS non-operational and should remain in place only until the official security update is installed.

Microsoft also cautioned administrators not to revert either workaround until the official security update has been successfully installed.
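The following PowerShell script is an added example, not code from the advisory or from Microsoft. It checks a Windows Server for the two conditions that make it exposed (WSUS role installed and the out-of-band update for its OS build not yet present), applies the host-firewall workaround for ports 8530 and 8531 described above, and refuses to remove that workaround until the expected KB is installed. The KB numbers come from the advisory; the build-number-to-KB mapping and the firewall rule name are this script's own assumptions. Run it from an elevated session on the server; it uses only the ServerManager and NetSecurity cmdlets that ship with Windows Server.

```powershell
# Added example (not from the advisory or Microsoft): assess CVE-2025-59287 exposure on this
# host and manage the host-firewall workaround. Run elevated on the Windows Server itself.
# Assumptions: the build-number-to-KB table below is this script's own (KB numbers are from
# the advisory; build numbers are the standard release builds), and the rule name is arbitrary.

$KbByBuild = @{
    '26100' = 'KB5070881'   # Windows Server 2025
    '25398' = 'KB5070879'   # Windows Server, version 23H2
    '20348' = 'KB5070884'   # Windows Server 2022
    '17763' = 'KB5070883'   # Windows Server 2019
    '14393' = 'KB5070882'   # Windows Server 2016
    '9600'  = 'KB5070886'   # Windows Server 2012 R2
    '9200'  = 'KB5070887'   # Windows Server 2012
}
$RuleName = 'Block WSUS inbound (CVE-2025-59287 workaround)'   # hypothetical rule name

function Get-WsusExposure {
    # Exposed = WSUS role installed AND the out-of-band KB for this OS build is absent.
    $build   = (Get-CimInstance Win32_OperatingSystem).BuildNumber   # string, e.g. '20348'
    $kb      = $KbByBuild[$build]
    $wsus    = Get-WindowsFeature -Name UpdateServices                # the WSUS Server Role
    $patched = if ($kb) { [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) } else { $false }
    [pscustomobject]@{
        Build          = $build
        ExpectedKB     = $kb
        WsusInstalled  = $wsus.Installed
        PatchInstalled = $patched
        Exposed        = ($wsus.Installed -and -not $patched)
    }
}

function Enable-WsusWorkaround {
    # Block inbound TCP 8530/8531 (WSUS HTTP and HTTPS listeners) at the host firewall.
    # WSUS clients will be unable to reach this server while the rule is in place.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    }
}

function Disable-WsusWorkaround {
    # Per the advisory, the workaround must stay until the update is installed, so re-check first.
    $state = Get-WsusExposure
    if (-not $state.PatchInstalled) {
        throw "Refusing to remove workaround: $($state.ExpectedKB) is not installed on build $($state.Build)."
    }
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# Assess this host and apply the workaround only when it is actually exposed.
$state = Get-WsusExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning "WSUS role present and $($state.ExpectedKB) missing: applying firewall workaround."
    Enable-WsusWorkaround
}
```

After the out-of-band update has been installed and the server rebooted, run `Disable-WsusWorkaround` to lift the firewall block; the function re-checks `Get-HotFix` and throws if the expected KB is still missing, which mirrors Microsoft's caution against reverting the workaround early. Note that `Get-HotFix` reports the KB only after the reboot completes the installation, so a server that has downloaded but not yet applied the update still shows as exposed. The script chooses the firewall workaround rather than `Uninstall-WindowsFeature -Name UpdateServices` because it is simpler to reverse without reconfiguring the role.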

Source

https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287