Urgent: Actively Exploited WSUS Bug Now on CISA KEV List
▼ Summary
– A critical vulnerability (CVE-2025-59287) in Windows Server Update Services allows unauthenticated remote code execution with system privileges.
– Microsoft released an emergency out-of-band patch after observing active exploitation of the vulnerability targeting default WSUS ports.
– The US CISA added this vulnerability to its Known Exploited Vulnerabilities catalog, requiring federal agencies to patch by November 14 due to significant risks.
– A compromised WSUS server could distribute malicious updates across entire networks, making this particularly dangerous for large enterprises.
– Organizations should immediately patch or restrict network access to WSUS by blocking inbound traffic on TCP ports 8530 and 8531.
Organizations are being urged to immediately address a newly identified critical security flaw within Windows Server Update Services (WSUS), which is now under active exploitation by threat actors. Microsoft released an emergency patch for this vulnerability last Thursday, coinciding with security researchers at Huntress observing attacks targeting WSUS servers accessible via the default ports 8530 and 8531.
Identified as CVE-2025-59287, this flaw is classified as a deserialization of untrusted data vulnerability within WSUS. According to security firm HawkTrace, the issue permits an unauthenticated attacker to execute remote code with system-level privileges. This is accomplished by sending specially crafted malicious encrypted cookies to the GetCookie() endpoint. Notably, exploiting this vulnerability does not require any user interaction or pre-existing privileges.
The urgency surrounding this issue was further amplified when the US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities catalog last Friday. The agency emphasized that the flaw presents significant risks to federal systems, mandating that all affected agencies apply the patch by November 14.
While WSUS is not enabled by default, it is a widely adopted tool that allows IT teams to manage and deploy Microsoft updates across an entire network from a central server. This central role is precisely what makes the vulnerability so dangerous. Patrick Münch, CISO at Mondoo, highlighted the severe implications, stating that a compromised WSUS server could be weaponized to push malicious updates to every connected client computer within an organization. He stressed that the combination of unauthenticated remote code execution and active in-the-wild exploitation makes patching this flaw a critical priority for all enterprises.
Huntress strongly recommends that all Windows Server customers apply the available patch without delay. For organizations that cannot patch immediately, an effective temporary mitigation involves isolating network access to the WSUS servers. It is advised to ensure that only explicitly required management hosts and Microsoft Update servers can communicate with the WSUS infrastructure. Furthermore, inbound traffic to TCP ports 8530 and 8531 should be blocked for all other connections to reduce the attack surface.
(Source: Info Security)
