A critical Windows Server vulnerability is under active attack, prompting an emergency response from Microsoft and urgent mitigation efforts by U.S. federal agencies.
Quick Summary – TLDR:
- CVE-2025-59287 is a critical flaw in Windows Server Update Services (WSUS) allowing remote code execution with SYSTEM privileges.
- Microsoft released an out-of-band emergency patch after initial fixes were found incomplete.
- Active exploitation confirmed with attackers using proxy networks to run malicious PowerShell commands.
- CISA mandates all federal agencies patch vulnerable systems by November 14.
What Happened?
A severe security vulnerability in WSUS, tracked as CVE-2025-59287, has been added to the CISA Known Exploited Vulnerabilities catalog after confirmed attacks in the wild. Microsoft issued an emergency patch following a proof-of-concept release and evidence that hackers were exploiting servers with exposed WSUS ports.
Attention – Microsoft WSUS CVE-2025-59287 incidents! We are observing exploitation attempts based on a published POC. We have also begun fingerprinting exposed WSUS instances (ports 8530/8531) with at least 2800 seen on 2025-10-25 (not necessarily vulnerable). pic.twitter.com/7UxvqXjYGH
— The Shadowserver Foundation (@Shadowserver) October 26, 2025
WSUS Vulnerability Leaves Windows Servers Exposed
The flaw affects Windows servers with the WSUS Server Role enabled, particularly those exposing default communication ports 8530 and 8531 to the internet. These configurations are not standard but are present in many enterprise environments that centralize update distribution.
The vulnerability stems from unsafe deserialization of AuthorizationCookie objects in the WSUS GetCookie() endpoint. According to HawkTrace researchers, the cookies are decrypted using AES-128-CBC and passed into .NET BinaryFormatter without proper type checking. This allows a crafted request to trigger remote code execution (RCE) with SYSTEM-level privileges, effectively granting full control of the server.
Microsoft initially attempted to fix the issue, but the patch was found to be incomplete, prompting a rare out-of-band update on October 23, 2025, outside its usual patch cycle. The updated fix covers Windows Server versions 2012 through 2025, including the 23H2 Edition.
Exploits Already Observed in the Wild
Cybersecurity firm Huntress reported that attackers began scanning and targeting WSUS servers shortly after the proof-of-concept exploit was made public. They observed malicious POST requests sent to exposed endpoints that spawned PowerShell processes and executed base64-encoded commands, which harvested network and user data and exfiltrated it through remote webhooks.
Although WSUS is not commonly exposed to the internet, Huntress found 25 exposed instances among its partners, and four customers were affected. Dutch firm Eye Security also saw active scanning and at least one confirmed compromise.
The Shadowserver Foundation reported over 2,800 WSUS instances with open ports online, though it’s unclear how many have been patched since.
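The attack chain Huntress describes (a request to a WSUS endpoint causing the web worker to spawn PowerShell with a base64-encoded command) leaves a distinctive process-creation trail. The following PowerShell is an added example, not code from the article, Huntress or Microsoft: it runs a simple triage rule over a few constructed process-creation records shaped like Sysmon Event ID 1 / Security 4688 fields, flagging any shell spawned by an IIS worker process and decoding the encoded command so an analyst can read it. The parent process name (w3wp.exe) is an assumption, since the article does not name the process that serves the WSUS endpoints.

```powershell
# Added example: triage process-creation records for a web worker spawning a shell.
# Assumption: WSUS endpoints are served by IIS worker processes (w3wp.exe).

# Constructed sample records (not real telemetry). The encoded payload is benign.
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('whoami; hostname'))
$events = @(
    [pscustomobject]@{ Time='2025-10-24T02:13:05Z'; ParentImage='C:\Windows\System32\inetsrv\w3wp.exe'
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine="powershell.exe -nop -w hidden -enc $encoded" },
    [pscustomobject]@{ Time='2025-10-24T02:14:10Z'; ParentImage='C:\Windows\explorer.exe'
                       Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine='powershell.exe -File C:\Scripts\backup.ps1' },
    [pscustomobject]@{ Time='2025-10-24T02:15:00Z'; ParentImage='C:\Windows\System32\inetsrv\w3wp.exe'
                       Image='C:\Windows\System32\cmd.exe'
                       CommandLine='cmd.exe /c whoami' }
)

function Test-SuspiciousSpawn {
    param([pscustomobject]$Event)
    $parent = [IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
    $child  = [IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
    $webWorkers = @('w3wp.exe')                          # assumed IIS worker process name
    $shells     = @('powershell.exe', 'pwsh.exe', 'cmd.exe')
    if ($webWorkers -notcontains $parent -or $shells -notcontains $child) { return $null }

    # If PowerShell was launched with -EncodedCommand (or its short forms), decode it
    # so the analyst sees the actual command rather than a base64 blob.
    $decoded = $null
    if ($Event.CommandLine -match '(?i)(?:-encodedcommand|-enc|-ec|-e)\s+([A-Za-z0-9+/=]{20,})') {
        try   { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { $decoded = '<not valid base64>' }
    }
    [pscustomobject]@{
        Time        = $Event.Time
        Parent      = $parent
        Child       = $child
        Encoded     = [bool]$decoded
        DecodedCmd  = $decoded
        CommandLine = $Event.CommandLine
    }
}

# Two of the three constructed records are flagged: the encoded PowerShell launch
# (with its decoded command shown) and the cmd.exe launch; the explorer.exe one is not.
$hits = $events | ForEach-Object { Test-SuspiciousSpawn $_ } | Where-Object { $_ }
$hits | Format-List
```

On a live server the same function can be fed real records, for example from `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}` after mapping the event's ParentImage, Image and CommandLine fields onto the object shape above. Any hit from a web worker on a WSUS host during the exposure window is worth treating as a confirmed-compromise lead rather than a curiosity, because the page reports the payloads going straight to data collection and webhook exfiltration.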
Government Response and CISA Directives
On October 24, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) ordered all Federal Civilian Executive Branch (FCEB) agencies to patch CVE-2025-59287 by November 14 under Binding Operational Directive 22-01. While mandatory only for federal agencies, CISA urged all organizations to treat this as a top priority.
It strongly recommended disabling the WSUS role or blocking inbound traffic to affected ports if patching cannot be done immediately.
Mitigation Steps for Organizations
- Apply the October 23 update from the Microsoft Update Catalog or Windows Update.
- Reboot WSUS servers post-installation to activate the patch.
- If patching is delayed:
  - Disable the WSUS Server Role.
  - Block inbound traffic to ports 8530 and 8531.
  - Maintain the blocks until patching is complete and systems are verified.
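The steps above, carried out as one script, as an added example that is not Microsoft's or CISA's own tooling: it confirms the WSUS role is present, shows which addresses the default ports are listening on, checks whether the update is already installed, and otherwise applies the interim firewall block (with role removal left as the alternative). The KB number is a placeholder, since the article does not give one; take the real identifier from the Microsoft Update Catalog entry for CVE-2025-59287. Run it from an elevated PowerShell session on the WSUS server.

```powershell
# Added example: exposure check and interim containment for a WSUS server.
# Assumptions: Windows Server with the ServerManager and NetSecurity modules available.

$PatchKb   = 'KBXXXXXXX'   # PLACEHOLDER, not a real identifier; replace with the real KB
$WsusPorts = 8530, 8531    # default WSUS HTTP/HTTPS ports named in the article

# 1. Is the WSUS role installed? Nothing to do on servers without it.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS role not installed; no action needed.'
    return
}

# 2. Which addresses are the WSUS ports listening on? A listener bound to a public
#    interface is the exposure the article warns about.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort |
    Format-Table -AutoSize

# 3. Is the out-of-band update already installed? Get-HotFix reads the local update history.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)
if ($patched) {
    Write-Host "$PatchKb present. Reboot if not done since install, then remove interim blocks."
    return
}

# 4. Interim containment: block inbound TCP on the WSUS ports across all profiles.
#    This keeps the role and its data intact for when the patch can be applied.
foreach ($port in $WsusPorts) {
    $name = "Block WSUS inbound $port (CVE-2025-59287 interim)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
    }
}
Write-Host "Inbound TCP $($WsusPorts -join ', ') blocked until $PatchKb is installed and verified."

# Alternative to step 4 when the server can do without WSUS until it is patched:
# Uninstall-WindowsFeature -Name UpdateServices -Restart
```

The block rules are named so they can be found and removed once the update is installed, the server has been rebooted and the listener check in step 2 has been re-run; the article's guidance is to keep the blocks in place until that verification is done, not merely until the installer finishes.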
Even though WSUS is not enabled by default, organizations using it for centralized patching are at heightened risk and must act swiftly.
SQ Magazine Takeaway
I cannot stress this enough. This is not one of those bugs you can afford to ignore. With proof-of-concept code public, active exploitation confirmed, and system-level access on the table, every hour counts. If you run a WSUS instance, especially one with open ports, this vulnerability could be your next cyber incident. Patch now or pull the plug on WSUS until you can. Skipping this could give attackers full control of your network before you know it.
