Vulnerability Management, Patch/Configuration Management, Exposure management

Critical WSUS RCE flaw targeted by attackers after patch

A critical remote code execution vulnerability in Windows Server Update Services (WSUS) is being exploited in the wild after an out-of-band patch for the flaw was released Thursday, according to Huntress.  

The vulnerability, tracked as CVE-2025-59287, has a CVSS score of 9.8 and stems from the deserialization of untrusted data in WSUS. WSUS provides a centralized service for IT administrators to distribute Windows updates to devices throughout an organization.

Information about CVE-2025-59287 was first published on Oct. 14, 2025, and an out-of-bound update to patch the flaw was released Oct. 23, following the publication of a proof-of-concept exploit (PoC) exploit by Hawktrace on Oct. 21.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned organizations in a Friday, Oct. 24 alert to immediately patch CVE-2025-59287 affecting Windows Server Update Services (WSUS). CISA also added the flaw to its Known Exploited Vulnerability (KEV) catalog Friday.

Hawktrace found that the flaw is specifically due to unsafe deserialization of AuthorizationCookie objects that are received by the GetCookie() endpoint. This endpoint decrypts encrypted cookies using AES-128-CBC, and then deserializes them using BinaryFormatter without proper type validation, the Hawktrace researchers said.

Exploiting this flaw using a crafted request to an internet-exposed endpoint could allow an unauthenticated attacker to achieve RCE with system privileges on a vulnerable WSUS instance.

Following the release of the patch for CVE-2025-59287, Huntress observed attackers sending crafted POST requests to WSUS web services that were publicly exposed on ports 8530/TCP and 8531/TCP to trigger the deserialization flaw.

The attackers, who used proxy networks to conduct their attacks, leveraged the flaw to spawn command prompt and PowerShell processes and execute base64-encoded PowerShell payloads. These malicious commands collected sensitive network and user information from the targeted servers and extracted this data to a remote webhook, according to Huntress.

Huntress said this activity affected four of its customers but noted that exploitability is likely limited, as WSUS is not commonly exposed on ports 8530 and 8531. The company found only 25 instances exposed this way across its partner base.

Microsoft recommends customers patch their systems as soon as possible to prevent exploitation; the patch will be installed automatically through Windows Update and Microsoft Update for customers with automatic updates enabled — the patch can also be installed manually from the Microsoft Update Catalog.

The patch is available for Windows Server versions 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2 Edition and 2025.

Windows servers that do not have the WSUS server role enabled are not affected by the flaw and disabling the WSUS server role can mitigate the vulnerability, although clients will not be able to receive updates while WSUS is disabled.

Customers who cannot immediately update can also mitigate by blocking inbound traffic to ports 8530 and 8531, which will also render WSUS non-operational.

In general, it is recommended to block any inbound traffic to ports 8530 and 8531 from sources other than management hosts and Microsoft Update servers in order to prevent remote attacks, Huntress noted.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds