Microsoft Fixes Critical WSUS Flaw Under Active Attack

▼ Summary
– Microsoft released an emergency security update addressing CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services (WSUS) that is actively being exploited.
– This vulnerability allows unauthorized attackers to execute code on vulnerable WSUS servers without user interaction by sending specially crafted events, potentially enabling worm-like spread between servers.
– The flaw only affects Windows Server machines with the WSUS Server role enabled, and exploitation requires internal network access or firewall misconfiguration since WSUS should operate behind a firewall.
– Proof-of-concept exploit code has been published, and multiple security organizations have confirmed active exploitation, with attacks involving reconnaissance and data extraction to remote servers.
– Administrators should apply the cumulative out-of-band update immediately; where that is not yet possible, the interim mitigations are to temporarily disable the WSUS Server role or block inbound traffic on TCP ports 8530/8531 at the host firewall. CISA has added the flaw to its Known Exploited Vulnerabilities catalog.
Microsoft has issued an emergency security patch for a critical remote code execution vulnerability in Windows Server Update Services, identified as CVE-2025-59287. This flaw is already being actively exploited, making immediate action essential for network administrators. The vulnerability allows unauthorized attackers to run arbitrary code on affected servers without requiring any user interaction.
Windows Server Update Services, or WSUS, provides organizations with a centralized method for managing and deploying Microsoft updates across their networks. Rather than having each computer connect directly to Microsoft’s servers, WSUS downloads updates once and distributes them internally. This setup improves efficiency but also creates a high-value target for attackers.
The security weakness stems from deserialization of untrusted data. An attacker can trigger the vulnerability by sending a specially crafted event to a WSUS server; no user interaction is required. Only Windows Server systems with the WSUS Server role enabled are at risk, and this role is not enabled by default. Microsoft initially provided a fix in the October 2025 Patch Tuesday release, but the company has now determined that a more comprehensive update was necessary.
According to threat intelligence experts, the vulnerability is wormable, meaning it could spread automatically between vulnerable WSUS servers. Dustin Childs of Trend Micro’s Zero Day Initiative stressed the importance of rapid patching, noting that WSUS servers represent a particularly attractive target for attackers.
In a properly configured network, WSUS should operate behind a firewall, which would prevent direct internet-based exploitation. However, as highlighted by Germany’s Federal Office for Information Security, if an attacker gains a foothold inside the network or if perimeter defenses are misconfigured, the flaw could be leveraged to take full control of the WSUS server. A compromised server could then be used to distribute malicious updates to all connected client devices.
The urgency for applying this patch increased significantly after a security researcher published a technical analysis and proof-of-concept exploit code earlier this week. The Dutch National Cyber Security Centre also confirmed that exploitation of CVE-2025-59287 was observed in the wild on October 24, 2025.
Microsoft’s out-of-band update is available for all supported Windows Server versions and requires a system reboot after installation. If applying the update immediately is not possible, administrators can temporarily disable the WSUS server role or block inbound traffic on ports 8530 and 8531 using the host firewall. Be aware that this will prevent client devices from receiving updates from the server.
This latest release is a cumulative update, meaning it includes all previous fixes. Microsoft recommends that organizations that have not yet installed the October 2025 security updates apply this emergency patch directly rather than installing the Patch Tuesday release first.
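The following script is an added example, not code from the HelpNet Security article or from Microsoft's advisory. It reports whether a Windows Server host is in scope (WSUS Server role installed, something listening on 8530/8531) and, with the -Mitigate switch, applies the interim host-firewall block described above. The rule display name and the -Mitigate parameter are this example's own choices; the role name UpdateServices and the cmdlets are the standard Server Manager and NetSecurity ones. Run it in an elevated session on the WSUS server itself.

```powershell
# Added example: scope check and interim mitigation for CVE-2025-59287.
# Not the article's or Microsoft's code; rule name and -Mitigate switch are assumptions.
#Requires -RunAsAdministrator
param(
    [switch]$Mitigate   # without this switch the script only reports
)

$ruleName = 'Block WSUS inbound (CVE-2025-59287)'   # example name, pick your own

# 1. Is the WSUS Server role installed? The flaw only affects hosts where it is.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS Server role is not installed: CVE-2025-59287 does not apply to this host.'
    return
}
Write-Host 'WSUS Server role is installed: this host is in scope.'

# 2. Is anything listening on the WSUS ports (8530 HTTP, 8531 HTTPS), and which process?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 }
if (-not $listeners) {
    Write-Host 'Nothing is listening on TCP 8530/8531 right now.'
}
foreach ($l in $listeners) {
    $proc = (Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    Write-Host ('Listening on {0}:{1} (pid {2}, {3})' -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $proc)
}

# 3. Is the interim block rule already in place?
$blockRule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($blockRule) { Write-Host 'Interim host-firewall block for 8530/8531 is already present.' }

if (-not $Mitigate) { return }

# 4a. Interim mitigation A: block inbound TCP 8530/8531 on the host firewall.
#     Clients stop receiving updates from this server until the rule is removed
#     (Remove-NetFirewallRule -DisplayName $ruleName) after patching.
if (-not $blockRule) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host 'Created host-firewall rule blocking inbound TCP 8530/8531.'
}

# 4b. Interim mitigation B (more disruptive): remove the WSUS Server role entirely.
#     Uncomment to use; re-add the role once the out-of-band update is installed.
# Uninstall-WindowsFeature -Name UpdateServices -Restart
```

Neither mitigation replaces the update: once the out-of-band package is installed and the server rebooted, remove the block rule (or re-add the role) so clients resume receiving updates. The article gives no KB number for the package, so confirm installation through the server's update history rather than by hard-coding one here.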
In a recent development, the U.S. Cybersecurity and Infrastructure Security Agency added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog. Federal civilian agencies have been directed to mitigate the issue by November 14, 2025.
Dutch cybersecurity firm Eye Security reported identifying the first successful exploit attempts on the morning of October 25. According to the company, the attack method they observed differed significantly from the public proof-of-concept, suggesting the involvement of a sophisticated threat actor. Eye Security’s CTO, Piet Kerkhofs, indicated the exploit’s complexity points toward a state-sponsored group or an advanced ransomware operation.
The company has shared relevant indicators of compromise. Separately, Huntress Labs detected attacks beginning around October 23, where adversaries performed reconnaissance, such as identifying logged-in users and enumerating Active Directory accounts, before executing remote code via specially crafted POST requests to WSUS web services.
Huntress reported that exploitation involved spawning Command Prompt and PowerShell processes, decoding and executing a base64-encoded payload, and exfiltrating sensitive network information to a remote server. While only four of their customers were impacted, Huntress estimates that around 25 hosts across their partner base were susceptible due to exposed WSUS ports.
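The hunt below is an added example written for this page, not Huntress's or the article's detection logic. It looks in the local Security log for the post-exploitation pattern described above: the processes that host WSUS spawning Command Prompt or PowerShell, and a child command line carrying a base64-encoded PowerShell payload, which it decodes for review. Two assumptions are not stated in the article: process-creation auditing (event 4688) with command-line logging is enabled on the server, and WSUS is hosted by WsusService.exe and the IIS worker process w3wp.exe (the WsusPool); adjust the parent list if your deployment differs.

```powershell
# Added example: hunt for shell children of WSUS host processes (event 4688).
# Assumes 4688 auditing with command-line logging; parent list is an assumption.
param(
    [int]$Hours = 72
)

$wsusParents = @('wsusservice.exe', 'w3wp.exe')          # WSUS service and IIS worker
$shells      = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

function Test-WsusShellSpawn {
    # Takes the EventData fields of one 4688 event as a hashtable; returns a record
    # when a WSUS host process spawned a shell, otherwise $null.
    param([hashtable]$Data, [datetime]$Time)

    if (-not $Data['NewProcessName'] -or -not $Data['ParentProcessName']) { return $null }
    $child  = [IO.Path]::GetFileName($Data['NewProcessName']).ToLower()
    $parent = [IO.Path]::GetFileName($Data['ParentProcessName']).ToLower()
    if ($parent -notin $wsusParents -or $child -notin $shells) { return $null }

    $cmd = [string]$Data['CommandLine']
    # -EncodedCommand / -enc / -e followed by a base64 blob is the decode-and-run pattern.
    $encoded = $cmd -match '-e(nc(odedcommand)?)?\s+([A-Za-z0-9+/=]{20,})'
    $decoded = $null
    if ($encoded) {
        # PowerShell encodes the command as UTF-16LE before base64.
        try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) } catch {}
    }

    [pscustomobject]@{
        Time        = $Time
        Parent      = $parent
        Child       = $child
        Encoded     = $encoded
        CommandLine = $cmd
        Decoded     = $decoded
    }
}

$start  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $start } `
    -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Read named EventData fields from the XML instead of parsing the message text.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    Test-WsusShellSpawn -Data $data -Time $e.TimeCreated
}

if (-not $hits) {
    Write-Host "No cmd/powershell children of WSUS host processes in the last $Hours h."
    return
}
$hits | Sort-Object Time | Format-List
```

A WSUS server has no legitimate reason for its service or application pool to launch a shell, so any hit deserves a look even without an encoded command. If Sysmon is deployed, the same check runs against Event ID 1 in Microsoft-Windows-Sysmon/Operational using the ParentImage, Image and CommandLine fields, which are populated regardless of the Security-log audit policy.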
Eye Security identified roughly 8,000 internet-facing servers with ports 8530 or 8531 open, though it remains unclear how many were actually vulnerable. Given the recent release of the emergency patch, it is likely that many susceptible servers have not yet been updated.
(Source: HelpNet Security)