Newly Patched Critical Microsoft WSUS Vulnerability Actively Exploited

Microsoft has released an urgent out-of-band security update to address a critical vulnerability in Windows Server Update Services (WSUS). This flaw, identified as CVE-2025-59287, has a high CVSS score of 9.8 and is being actively exploited, with a publicly available proof-of-concept (PoC) already circulating.

.NET executable deployed via CVE-2025-59287

The vulnerability is a remote code execution (RCE) issue affecting WSUS servers and was initially patched in last week’s Patch Tuesday update. Researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange from CODE WHITE GmbH reported the flaw.

CVE-2025-59287 stems from unsafe deserialization of untrusted data in WSUS. In practice, an unauthenticated attacker could send a specially crafted event that triggers insecure object deserialization through a legacy serialization mechanism, potentially allowing remote code execution.

HawkTrace researcher Batuhan Er explained that the flaw involves deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint. The encrypted cookie is decrypted using AES-128-CBC and deserialized via BinaryFormatter without proper type validation. This enables execution of code with SYSTEM privileges. Notably, Microsoft has long advised against using BinaryFormatter for untrusted input, and it was removed from .NET 9 in August 2024.

To address the vulnerability, Microsoft has released an out-of-band patch for supported Windows Server versions, including 2012, 2012 R2, 2016, 2019, 2022, 23H2 Edition (Server Core), and Windows Server 2025. Following installation, a system reboot is required.

For servers where the patch cannot be applied immediately, Microsoft recommends the following temporary mitigations:

  • Disable the WSUS Server Role (if enabled)
  • Block inbound traffic on ports 8530 and 8531

These measures should remain in place until the update is installed.
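As an added example that is not part of the article or of any Microsoft guidance text, the following PowerShell script checks whether the WSUS role is present on a Windows Server host and, if so, applies and verifies the interim port block described above; the firewall rule name is an assumption, and the script assumes the ServerManager and NetSecurity modules that ship with Windows Server.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): apply and verify Microsoft's interim
# mitigations for CVE-2025-59287 until the out-of-band update is installed.
# Assumes Windows Server with the ServerManager and NetSecurity modules.

# Rule name is an assumption; pick whatever fits your naming convention.
$RuleName = 'Block WSUS 8530-8531 (CVE-2025-59287 interim mitigation)'

function Test-WsusRoleInstalled {
    # 'UpdateServices' is the Server Manager feature name for the WSUS role.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction Stop
    return [bool]$role.Installed
}

function Block-WsusPorts {
    # Block inbound TCP 8530 (HTTP) and 8531 (HTTPS), the WSUS listener ports.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    }
    # Return $true only if the rule exists and is enabled.
    return ((Get-NetFirewallRule -DisplayName $RuleName).Enabled -eq 'True')
}

function Remove-WsusPortBlock {
    # Lift the block once the update is installed and the server has rebooted.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

# --- main ---
if (-not (Test-WsusRoleInstalled)) {
    Write-Host 'WSUS role not installed; this host is not affected by CVE-2025-59287.'
    return
}
Write-Warning 'WSUS role present. Applying interim port block until the update is installed.'
if (Block-WsusPorts) {
    Write-Host "Inbound TCP 8530/8531 blocked by rule '$RuleName'."
} else {
    Write-Error "Firewall rule '$RuleName' was not created or is disabled."
}
```

Run `Remove-WsusPortBlock` after the update is installed and the server has rebooted, since the block also stops legitimate clients from reaching WSUS.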

The Dutch National Cyber Security Centre (NCSC) reported observing exploitation of CVE-2025-59287 on October 24, 2025, after Eye Security notified them. The attack involved a Base64-encoded .NET payload that reads the value of a custom ‘aaaa’ request header and executes it using cmd.exe, avoiding direct command logging.

Microsoft confirmed that the re-released update fully addresses the vulnerability and reassured users that servers without the WSUS Server Role are not affected. The U.S. CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, mandating remediation by November 14, 2025.