On October 14, 2025, Microsoft attempted to patch a critical unauthenticated RCE in Windows Server Update Services (WSUS). The fix proved incomplete, and an out-of-band (OOB) update was released on October 23, 2025. Within hours, multiple firms observed active exploitation in the wild against Internet-exposed WSUS over TCP 8530/8531. CISA added the bug to the KEV catalog on October 24, 2025, and urged rapid remediation. Risk is severe: pre-auth RCE as SYSTEM on a central patching service enables lateral movement and potential internal supply-chain abuse.
Following the release of Microsoft’s out-of-band (OOB) update on October 23, 2025, security firms including Huntress, Unit 42, and the Shadowserver Foundation observed immediate and widespread activity targeting internet-facing WSUS instances. Thousands of exposed servers were identified globally, and active scanning was reported by multiple sources, including the Dutch NCSC. The exploitation began within hours of the patch release, underscoring how quickly threat actors weaponized the vulnerability once technical details and proof-of-concept code were publicly available.
The likely method of ingress involves attackers sending crafted HTTP(S) POST requests to WSUS web services operating on the default ports 8530 and 8531. These requests trigger unsafe deserialization routines, leading to remote code execution on vulnerable systems.
Forensic evidence from compromised systems shows a consistent process chain: wsusservice.exe or w3wp.exe spawning cmd.exe, followed by powershell.exe execution. The PowerShell payloads typically run reconnaissance commands such as whoami, net user /domain, and ipconfig /all, then exfiltrate the results to remote endpoints, often hosted on legitimate services like webhook[.]site.
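The process chain above translates directly into a hunt over process-creation telemetry. The following is an added example (not from the original bulletin) that walks a set of constructed process-creation records, whose fields mirror what Sysmon Event ID 1 or EDR telemetry provide, and reports every wsusservice.exe/w3wp.exe -> cmd.exe -> powershell.exe chain together with the reconnaissance commands found on the PowerShell command line.

```python
"""Hunt for the WSUS post-exploitation process chain described above.

Added example, not from the original bulletin. Input records are
constructed; their fields mirror Sysmon Event ID 1 / EDR telemetry.
"""
from dataclasses import dataclass

# Parents the bulletin names as the first link of the chain.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
# Reconnaissance commands observed in the PowerShell payloads.
RECON_MARKERS = ("whoami", "net user /domain", "ipconfig /all")


@dataclass
class ProcEvent:
    pid: int
    parent_pid: int
    image: str       # executable name, e.g. "cmd.exe"
    cmdline: str


def find_wsus_chains(events):
    """Return (cmd_pid, powershell_pid, recon_hits) for each chain
    WSUS parent -> cmd.exe -> powershell.exe found in the events."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ps in events:
        if ps.image.lower() != "powershell.exe":
            continue
        cmd = by_pid.get(ps.parent_pid)
        if cmd is None or cmd.image.lower() != "cmd.exe":
            continue
        root = by_pid.get(cmd.parent_pid)
        if root is None or root.image.lower() not in WSUS_PARENTS:
            continue
        low = ps.cmdline.lower()
        recon = [m for m in RECON_MARKERS if m in low]
        hits.append((cmd.pid, ps.pid, recon))
    return hits


# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE = [
    ProcEvent(4000, 600, "w3wp.exe", "w3wp.exe -ap WsusPool"),
    ProcEvent(4100, 4000, "cmd.exe", "cmd.exe /c powershell -c whoami"),
    ProcEvent(4200, 4100, "powershell.exe",
              "powershell -c whoami; net user /domain; ipconfig /all"),
    ProcEvent(5000, 700, "explorer.exe", "explorer.exe"),
    ProcEvent(5100, 5000, "cmd.exe", "cmd.exe"),
    ProcEvent(5200, 5100, "powershell.exe", "powershell -c Get-Date"),
]

if __name__ == "__main__":
    for cmd_pid, ps_pid, recon in find_wsus_chains(SAMPLE):
        print(f"suspicious chain cmd={cmd_pid} powershell={ps_pid} recon={recon}")
```

The benign explorer.exe -> cmd.exe -> powershell.exe chain is deliberately left out of the results, so the check keys on the WSUS parent rather than on PowerShell alone.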
A successful compromise of WSUS gives an attacker domain-wide reach and control. Because WSUS is responsible for distributing trusted software updates, a compromised server could push malicious updates across the enterprise, effectively turning a central patch-management system into a vector for internal supply-chain attacks. In addition, an internet-exposed WSUS instance magnifies the risk by allowing unauthenticated, remote exploitation without user interaction.
Microsoft released an out-of-band update on October 23, 2025, addressing the vulnerability across all supported Windows Server versions. Organizations should install this patch immediately and reboot affected systems to ensure full remediation.
If patching cannot be performed right away, Microsoft and CISA recommend temporary mitigations to remove the attack vector. These include disabling the WSUS role on affected servers and/or blocking inbound traffic to ports 8530 and 8531 on host and network firewalls. These mitigations should remain in place until the patch has been successfully applied and verified.
If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.