Active Attacks Exploit Critical WSUS Flaw in Windows Server
▼ Summary
– Attackers are actively exploiting CVE-2025-59287, a critical Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code.
– This remote code execution flaw affects Windows servers with the WSUS Server role enabled as an update source and can be exploited without privileges or user interaction.
– Microsoft has released emergency security updates for all impacted Windows Server versions and provided workarounds like disabling the WSUS Server role.
– Multiple cybersecurity firms have confirmed active exploitation, with attacks involving reconnaissance commands and compromised systems observed since October 23-24, 2025.
– While exploitation is expected to be limited due to WSUS servers rarely being exposed online, the availability of public exploit code increases the risk of attacks.
Organizations relying on Windows Server Update Services now face immediate danger from actively exploited critical vulnerabilities requiring emergency patching. Security researchers confirm malicious actors are leveraging CVE-2025-59287, a remote code execution flaw enabling complete system takeover through WSUS servers configured as update sources for other servers within enterprise networks.
This security gap specifically impacts Windows servers where administrators enabled the WSUS Server role for internal update distribution, a configuration not activated by default. Attackers can weaponize this vulnerability through straightforward network attacks demanding neither special privileges nor user interaction. Successful exploitation grants SYSTEM-level permissions, potentially enabling self-propagating malware between interconnected WSUS servers.
Microsoft responded with urgent out-of-band security updates covering all affected Windows Server versions. The company strongly recommends immediate installation of these patches:
Windows Server 2025 (KB5070881) Windows Server, version 23H2 (KB5070879) Windows Server 2022 (KB5070884) Windows Server 2019 (KB5070883) Windows Server 2016 (KB5070882) Windows Server 2012 R2 (KB5070886) Windows Server 2012 (KB5070887)
For organizations unable to immediately deploy these emergency fixes, Microsoft suggests temporarily disabling the WSUS Server role on vulnerable systems to eliminate the attack pathway entirely.
The threat escalated significantly when HawkTrace Security published proof-of-concept exploit code over the weekend, though their version doesn’t permit arbitrary command execution. Meanwhile, Dutch cybersecurity firm Eye Security reported actual compromise incidents occurring since Thursday morning, involving different exploitation methods than those publicly documented.
While WSUS servers typically remain within internal networks, Eye Security’s global scan identified approximately 2,500 internet-exposed instances, including 250 in Germany and 100 in the Netherlands. American cybersecurity company Huntress corroborated these findings, noting attacks targeting WSUS systems with default ports (8530/TCP and 8531/TCP) accessible from the internet.
Huntress researchers observed attackers executing PowerShell commands to map internal Windows domains, with stolen data including user account information, network configurations, and identity details transmitted to external webhooks. The company noted limited exposure across their partner network, with only about 25 susceptible hosts detected.
The Netherlands National Cyber Security Centre validated both companies’ findings, warning that publicly available exploit code substantially increases attack risks. Microsoft has flagged CVE-2025-59287 as “Exploitation More Likely” though hasn’t officially confirmed active attacks in their security advisory.
(Source: Bleeping Computer)
