
Microsoft Silent as Hackers Exploit WSUS Server Bug

Summary

– A critical Windows Server vulnerability (CVE-2025-59287, CVSS 9.8) is being actively exploited; insecure deserialization in the WSUS service lets unauthenticated attackers execute arbitrary code.
– Microsoft re-released the fix out of band after the initial October 14 Patch Tuesday update proved incomplete, but security researcher Kevin Beaumont reports bypassing the re-released fix in a lab and using the foothold to push malicious updates to clients.
– US and Dutch cybersecurity agencies have issued alerts, and CISA has added the vulnerability to its Known Exploited Vulnerabilities catalog because of ongoing exploitation.
– Private security firms observed attackers exploiting the flaw from around October 23, using it to run commands, scan for sensitive data, and exfiltrate information via proxy networks.
– Security experts warn that any unpatched WSUS instance exposed to the internet has likely already been compromised; thousands of exposed instances have been observed, including at high-value targets.

A critical security flaw in Microsoft Windows Server Update Services (WSUS) is now under active attack, with government agencies and cybersecurity firms confirming exploitation in the wild. This follows Microsoft's release of an emergency patch for the issue, which carries a CVSS score of 9.8 out of 10. The situation is compounded by the existence of at least one working proof-of-concept exploit, which lets a threat actor take complete control of a vulnerable server with a single crafted request.

The vulnerability, tracked as CVE-2025-59287, affects Windows Server versions from 2012 through 2025. It stems from insecure deserialization of untrusted data in the WSUS service, which lets an unauthenticated attacker who can reach the service over the network run code of their choosing on the server. The bug is only reachable where the WSUS server role is installed; servers without that role are not affected. Microsoft first attempted a fix in its October 14 Patch Tuesday release, but that update proved incomplete, forcing the company to issue an emergency out-of-band patch.
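The first thing an administrator wants after reading the paragraph above is a quick answer to three questions: is the WSUS role present on this server, is the service reachable on its default ports, and is the re-released fix installed. The following PowerShell audit script is an added example, not code from the article, Microsoft, Huntress or WatchTowr. It assumes it is run elevated on the server under review, and it does not hard-code the KB numbers of the re-released fix, which differ per OS build; the operator passes them in via the hypothetical `-RequiredKB` parameter after looking them up in the MSRC entry for CVE-2025-59287.

```powershell
# Added audit script (not from the article, Microsoft, Huntress or WatchTowr).
# Run elevated on the server under review. The KB IDs of the re-released fix
# differ per OS build and are NOT hard-coded; supply them from the MSRC entry
# for CVE-2025-59287 via -RequiredKB (assumption: the operator fills this in).

function Get-WsusExposureReport {
    [CmdletBinding()]
    param(
        [string[]]$RequiredKB = @()   # e.g. the KB listed by MSRC for your build
    )

    $os = (Get-CimInstance Win32_OperatingSystem).Caption

    # 1. WSUS role. Without the 'UpdateServices' role the bug is not reachable.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleOn  = ($null -ne $feature) -and [bool]$feature.Installed

    # 2. Listeners on the WSUS defaults 8530/TCP (HTTP) and 8531/TCP (HTTPS).
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 })

    # 3. Bound beyond loopback? A wildcard or public bind plus a permissive
    #    firewall is the "exposed instance" both vendors warn about. This
    #    check cannot see a perimeter firewall or NAT in front of the host.
    $nonLoopback = @($listeners | Where-Object {
        $_.LocalAddress -notin '127.0.0.1', '::1' }).Count -gt 0

    # 4. Enabled host-firewall rules that allow inbound TCP 8530 or 8531.
    $allowRules = Get-NetFirewallPortFilter -Protocol TCP -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -contains '8530' -or $_.LocalPort -contains '8531' } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' } |
        Select-Object -ExpandProperty DisplayName

    # 5. Fix status from the installed-updates list. $null means no KB list
    #    was supplied, so the script cannot judge patch state.
    $installed = (Get-HotFix).HotFixID
    $patched = $null
    if ($RequiredKB.Count -gt 0) {
        $patched = @($RequiredKB | Where-Object { $installed -contains $_ }).Count -gt 0
    }

    [pscustomobject]@{
        OS                = $os
        WsusRoleInstalled = $roleOn
        ListeningPorts    = @($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" })
        NonLoopbackBind   = $nonLoopback
        InboundAllowRules = @($allowRules)
        PatchInstalled    = $patched
        # Affected = role present and fix not confirmed installed.
        Affected          = $roleOn -and ($patched -ne $true)
    }
}

# Usage (replace the placeholder with the KB from the MSRC advisory for this build):
Get-WsusExposureReport -RequiredKB 'KB0000000' | Format-List
```

The script only reports; it changes nothing. `Affected` is deliberately conservative: it stays true until a KB you named is confirmed installed, so a server with the role present and no KB list supplied is treated as unpatched. Internet exposure cannot be judged from the host alone, which is why the report shows the bind addresses and allow rules rather than a single verdict; confirm from outside the perimeter whether 8530 or 8531 actually answers.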

However, questions have emerged regarding the effectiveness of this second patch. Security researcher Kevin Beaumont reported successfully bypassing the emergency fix in a lab environment. After achieving remote code execution, he demonstrated the ability to manipulate the updates delivered to client machines, potentially pushing malicious payloads. He cautioned against revealing excessive technical details to avoid empowering ransomware gangs but noted that adapting prior research to create fake client updates is a straightforward process. He further explained that an attacker could set a deadline for their malicious update within WSUS, forcing all connected clients to install it simultaneously at a specified time.

In response to the escalating threat, the US Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog. The Dutch National Cybersecurity Center has also reportedly issued its own alert concerning observed exploitation activities.

Microsoft has remained silent on specific questions about the ongoing attacks. At the time of reporting, the company’s official security update for CVE-2025-59287 still listed the bug as not being exploited in the wild, a status many expect will be updated imminently. A Microsoft spokesperson stated, “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.”

Meanwhile, private security companies have provided concrete evidence of the flaw being abused. Researchers at Huntress documented that threat actors began targeting publicly exposed WSUS instances on their default ports (8530/TCP and 8531/TCP) starting around October 23rd. In the observed attack chain, the IIS worker process (w3wp.exe) and the WSUS service binary (wsusservice.exe) spawned Command Prompt, which in turn launched PowerShell. The attackers then used PowerShell to scan the compromised servers for sensitive network and user information and exfiltrated the collected data to a remote webhook. Because the attackers routed their traffic through proxy networks, blocking or attributing it by source address is harder.
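The process chain above is the most useful detection signal the article gives: neither the IIS worker process nor the WSUS service has any legitimate reason to start a shell. The PowerShell below is an added example, not Huntress's tooling or a rule from the page. It flags that chain in Windows Security event 4688 (process creation) telemetry, which requires "Audit Process Creation" and, for command lines, "Include command line in process creation events" to be enabled; the function and sample-record names are my own, and the sample records are constructed, not real logs. The identification of the "HTTP worker process" as w3wp.exe and the "WSUS service binary" as wsusservice.exe is mine.

```powershell
# Added detection example (not from Huntress or the article). Flags the chain
# where w3wp.exe or wsusservice.exe spawns cmd.exe or PowerShell.

function Convert-ProcessCreationEvent {
    # Flatten a Security 4688 EventLogRecord. Field names are the real 4688
    # data names; ParentProcessName is present on Server 2012 R2 and later.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            ParentImage = $d['ParentProcessName']
            Image       = $d['NewProcessName']
            CommandLine = $d['CommandLine']
        }
    }
}

function Find-WsusSpawnedShell {
    # Core logic: emit records whose parent is the IIS worker or the WSUS
    # service and whose child is a shell. Matches on file name only, so the
    # install path of WSUS does not matter.
    param([Parameter(ValueFromPipeline)] $Record)
    begin {
        $parents = 'w3wp.exe', 'wsusservice.exe'
        $shells  = 'cmd.exe', 'powershell.exe', 'pwsh.exe'
    }
    process {
        # [string] cast turns a missing ParentProcessName into '' instead of failing.
        $p = [IO.Path]::GetFileName([string]$Record.ParentImage).ToLowerInvariant()
        $c = [IO.Path]::GetFileName([string]$Record.Image).ToLowerInvariant()
        if ($p -in $parents -and $c -in $shells) {
            $Record | Add-Member -NotePropertyName Reason -NotePropertyValue "$p spawned $c" -PassThru
        }
    }
}

# Constructed sample records (not real logs), in the shape Convert-ProcessCreationEvent emits.
$sample = @(
    [pscustomobject]@{ Time = '2025-10-24T03:12:08'; ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c powershell -nop -w hidden -enc ...' }
    [pscustomobject]@{ Time = '2025-10-24T03:12:09'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -nop -w hidden -enc ...' }
    [pscustomobject]@{ Time = '2025-10-24T03:20:41'; ParentImage = 'C:\Program Files\Update Services\Service\WsusService.exe'
                       Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ Time = '2025-10-24T03:21:00'; ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell.exe' }
)

# Offline run over the constructed records.
$sample | Find-WsusSpawnedShell | Format-Table Time, Reason, CommandLine -AutoSize

# Live run on the WSUS server, last 7 days of 4688 events:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
#     Convert-ProcessCreationEvent | Find-WsusSpawnedShell
```

Two design notes. The detector keys on the direct parent only, because a 4688 event carries nothing about grandparents; the cmd.exe-to-powershell.exe hop in the reported chain is therefore caught by its parent (the w3wp.exe-to-cmd.exe event), not on its own, and a Sysmon or EDR source with a parent chain would let you tighten that. An interactive launch from explorer.exe is ignored by construction, which keeps the rule quiet on a server where administrators open shells by hand.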

The Huntress team noted they observed fewer than 25 susceptible hosts, suggesting that because WSUS ports are not commonly exposed to the internet, widespread exploitation of CVE-2025-59287 may be limited.

WatchTowr CEO Benjamin Harris offered a contrasting perspective on the potential scale of the problem, coupled with a stark warning for any organization with a publicly accessible WSUS server. “Exploitation of this flaw is indiscriminate. If an unpatched WSUS instance is online, at this stage it has likely already been compromised,” he asserted. He emphasized that there is no legitimate reason in 2025 to have a WSUS server accessible from the public internet, and any organization in that position likely requires guidance to understand how such a misconfiguration occurred. His firm has observed over 8,000 exposed instances, including within extremely sensitive and high-value organizations that are prime targets for cyber attackers.

(Source: The Register)
