
Urgent Microsoft WSUS Flaw Actively Exploited After Patch

Summary

– Microsoft released emergency security updates for a critical WSUS vulnerability (CVE-2025-59287) that is actively exploited and allows remote code execution.
– The flaw involves unsafe deserialization of data in WSUS, enabling unauthenticated attackers to run code with SYSTEM privileges on affected servers.
– Only Windows servers with the WSUS Server Role enabled are vulnerable, and temporary protections include disabling the role or blocking ports 8530/8531.
– Exploitation was observed in the wild starting October 23-24, 2025, using crafted requests to deploy payloads like .NET executables and PowerShell scripts.
– The vulnerability was added to CISA’s Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by November 14, 2025.

A critical security vulnerability within Microsoft’s Windows Server Update Services (WSUS) is now being actively exploited, prompting the company to issue an urgent, out-of-band patch. This flaw, identified as CVE-2025-59287, carries a severe CVSS score of 9.8 and enables remote code execution on affected servers. The issue was initially addressed in last week’s standard Patch Tuesday release, but Microsoft discovered the fix was incomplete, necessitating this emergency update.

Security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH are credited with discovering the vulnerability. The problem stems from the unsafe deserialization of untrusted data in WSUS. Specifically, an unauthenticated attacker can send a maliciously crafted event that triggers the unsafe deserialization of AuthorizationCookie objects. This process occurs through a legacy mechanism involving BinaryFormatter, which Microsoft has long advised developers to avoid due to its inherent security risks. The successful exploitation allows an attacker to run arbitrary code with the highest SYSTEM privileges on the server.

This vulnerability exclusively impacts Windows servers that have the WSUS Server Role enabled. Servers without this role are not at risk. In a typical attack scenario, a remote attacker sends a specially crafted request to the WSUS service, leading to remote code execution without requiring any form of authentication.

According to Batuhan Er, a security researcher at HawkTrace, the flaw is rooted in the `GetCookie()` endpoint. Encrypted cookie data is decrypted using AES-128-CBC and then deserialized via BinaryFormatter. The absence of proper type validation during this deserialization creates the opening for attackers to execute code. Microsoft had previously removed BinaryFormatter implementations from .NET 9 in August 2024, highlighting the known dangers of this method.

Microsoft’s out-of-band update is available for several supported Windows Server versions, including Windows Server 2012, 2012 R2, 2016, 2019, 2022, and the 2025 Server Core installation. After installing the patch, a system reboot is mandatory for the protection to become active. For administrators who cannot immediately apply the update, Microsoft suggests two temporary workarounds: disabling the WSUS Server Role entirely or blocking inbound traffic on ports 8530 and 8531 using the host firewall. The company strongly warns against reversing these measures until after the official security update has been successfully installed.
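The following PowerShell is an added example, not code from the article or from Microsoft: it checks whether a server is in scope (WSUS Server Role installed, default ports listening) and applies the interim host-firewall block that Microsoft describes. It assumes Windows Server with the ServerManager and NetSecurity modules available and an elevated session; the rule name is my own choice.

```powershell
#Requires -RunAsAdministrator
# Added example: assess exposure to CVE-2025-59287 and apply the port-block workaround.

# 1. Servers without the WSUS Server Role are not affected at all.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host 'WSUS Server Role is not installed; CVE-2025-59287 does not apply to this host.'
    return
}
Write-Host 'WSUS Server Role is installed; this host is in scope until the out-of-band update is applied.'

# 2. Show what is listening on the default WSUS ports (HTTP 8530 / HTTPS 8531).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Interim workaround: block inbound TCP 8530/8531 at the host firewall.
#    Note that this also stops WSUS clients from reaching the server for updates;
#    the alternative Microsoft lists is removing the role (Uninstall-WindowsFeature UpdateServices).
$ruleName = 'Block WSUS inbound 8530-8531 (CVE-2025-59287 interim)'   # assumed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule '$ruleName'."
}

# 4. Confirm the rule is present, enabled and blocking.
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

Leave the rule in place until the out-of-band update is installed and the server has been rebooted, as the advisory requires.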

Evidence of active exploitation is mounting. The Dutch National Cyber Security Centre (NCSC) received a report from a trusted partner that abuse of this vulnerability was observed on October 24, 2025. Eye Security, the firm that alerted the NCSC, first witnessed the exploit in action at 06:55 UTC, used to deploy a Base64-encoded .NET executable on a customer’s system. Piet Kerkhofs, CTO of Eye Security, explained that the payload takes a value from a request header named ‘aaaa’ and executes it directly via `cmd.exe`, a technique that helps malicious commands evade detection in server logs.

Kerkhofs also noted that a proof-of-concept exploit from HawkTrace became publicly available two days prior, confirming that attackers had all the necessary components to begin their campaigns. The cybersecurity firm Huntress corroborated these findings, reporting that it detected threat actors targeting publicly exposed WSUS instances on the default ports 8530 and 8531 starting around October 23, 2025. The exploitation has been observed to cause the WSUS worker process to launch `cmd.exe` and PowerShell, which then downloads and runs a Base64-encoded PowerShell script. This script is designed to scan the compromised network for server, user, and system information, sending the stolen data to an attacker-controlled webhook.site URL.
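The behaviour Huntress describes, the WSUS worker process spawning `cmd.exe` and PowerShell, can be hunted for in the Security log. This PowerShell is an added example, not code from the article or from Huntress; it assumes the WSUS web service runs inside the IIS worker process `w3wp.exe`, that process-creation auditing (event 4688) is enabled, and that command-line logging is turned on so the Base64 payload is visible.

```powershell
# Added example: find cmd.exe / PowerShell launched by the IIS worker process (w3wp.exe)
# in the last 24 hours, the parent/child pairing reported for CVE-2025-59287 exploitation.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
              -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Flatten the EventData <Data Name="..."> elements into a hashtable.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $parent = [string]$d['ParentProcessName']
    $child  = [string]$d['NewProcessName']
    $cmd    = [string]$d['CommandLine']

    # 4688 does not record which app pool the w3wp.exe belonged to, so on a WSUS server
    # any shell spawned by w3wp.exe deserves review, not only the WsusPool instance.
    if ($parent -match '\\w3wp\.exe$' -and $child -match '\\(cmd|powershell|pwsh)\.exe$') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Parent      = $parent
            Child       = $child
            # Heuristic: -e / -enc / -EncodedCommand followed by a Base64-looking blob.
            EncodedCmd  = [bool]($cmd -match '(?i)(^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}')
            CommandLine = $cmd
        }
    }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Host "No w3wp.exe -> shell process creations found in the Security log since $since."
}
```

A hit is a strong indicator on a WSUS server but still needs triage; correlate it with outbound connections from the child process (the article mentions a webhook.site URL) and with the patch status of the host.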

A Microsoft spokesperson confirmed that the company re-released the CVE after determining the initial update did not completely resolve the issue. They assured that customers who have installed the latest updates are protected and reiterated that servers without the WSUS role remain unaffected.

Due to the public availability of a functional proof-of-concept and confirmed attacks in the wild, applying this patch is critically important. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has formally added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, mandating all federal civilian executive branch agencies to patch their systems by November 14, 2025.

(Source: The Hacker News)
