Actively exploited in the wild and deemed critical with a CVSS score of 9.8, a newly disclosed remote code execution (RCE) vulnerability in Microsoft’s Windows Server Update Services (WSUS) has triggered urgent patching efforts across the globe. Tracked as CVE-2025-59287, the flaw affects Windows Server installations with the WSUS Server role enabled and allows unauthenticated attackers to execute code with SYSTEM-level privileges.
The vulnerability originates from unsafe deserialization within the handling of WSUS’s AuthorizationCookie. Public proof-of-concept (PoC) exploit code has already made its way online, and attackers are actively leveraging exposed WSUS endpoints to compromise systems. Microsoft initially released a patch on October 14, 2025, as part of Patch Tuesday but was forced to issue an emergency out-of-band update on October 23 after the original fix proved incomplete.
Severity of CVE-2025-59287 and Why It Demands Immediate Attention
The technical specifics of CVE-2025-59287 reveal a high-impact design flaw. The issue resides in how WSUS parses serialized AuthorizationCookie data in HTTP requests. WSUS servers can be coerced into deserializing untrusted input, leading to arbitrary code execution under the SYSTEM context.
CVE-2025-59287 Attack Vector and Impact Scope
The flaw can be exploited over the network without authentication or user interaction, contributing to its severity rating. According to Huntress and other security researchers, the exploitation process involves injection of serialized payloads through a vulnerable WSUS endpoint, particularly on ports 8530/TCP and 8531/TCP. These payloads spawn Command Prompt and PowerShell processes on the target server to execute base64-encoded scripts, which are often used to:
- Collect network configuration and user data
- Drop further malicious binaries
- Establish footholds in enterprise environments
While the vulnerability affects Windows Server versions from 2012 through 2025, its exploitation potential extends far beyond individual machines due to WSUS’s role as a centralized update distributor.
CVE-2025-59287 Public PoC Code and Active Exploitation
Security researchers at multiple organizations including Huntress, the Dutch National Cyber Security Centre, and independent analysts have confirmed in-the-wild exploitation. A public PoC was made available shortly after the October 14 patch, accelerating weaponization by threat actors. This PoC uses crafted AuthorizationCookies to invoke classes and methods during deserialization, achieving remote execution without triggering anomalies in routine WSUS workflows.
Kevin Beaumont, a well-known security researcher, observed successful exploitation even after the October 23 out-of-band update was applied, suggesting that real-world application of the patch may require careful validation.
“You can still achieve RCE post-patch in some scenarios,” Beaumont reported, underscoring the importance of verifying patch efficacy in real deployments.
Microsoft’s updated guidance remains unequivocal: WSUS administrators must install the October 23 update, ensure their systems are rebooted, and confirm that no external access is allowed to WSUS over ports 8530 or 8531.
Microsoft’s Patch Timeline and Administrator Guidance
Microsoft responded to the incomplete mitigation in the initial Patch Tuesday release (KB5066835) with a cumulative out-of-band patch (KB5070881) on October 23, 2025. This out-of-band fix comprehensively addresses the unsafe deserialization bug and includes all previous updates. The company explicitly recommends that administrators:
- Apply the October 23 patch via Windows Update, Microsoft Update, or the Update Catalog
- Ensure all WSUS servers are rebooted post-installation
- Confirm WSUS installations are isolated from external network access
- Temporarily disable the WSUS Server role or block inbound access to ports 8530 and 8531 if patching is delayed
Microsoft has also advised applying the principle of least privilege and network segmentation when configuring update infrastructure.
CVE-2025-59287 Exposure and Risk Landscape
The security community estimates about 2,500 WSUS instances are currently exposed online, with a notable concentration in countries such as Germany and the Netherlands. Given the centralized nature of WSUS and its integration into enterprise update workflows, a compromised WSUS server can propagate malicious updates across an entire Active Directory domain, magnifying the downstream impact.
In light of this, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59287 to its Known Exploited Vulnerabilities Catalog. Organizations subject to CISA’s Binding Operational Directive 22-01 must apply available patches per compliance timelines.
Key Recommendations for Defenders
For defenders managing Windows Server environments, especially those with WSUS deployed, the following actions are strongly advised:
- Patch Immediately : Apply the October 23 cumulative update (KB5070881), which addresses the flawed deserialization code.
- Restrict Network Exposure : Block external access to WSUS ports 8530/TCP and 8531/TCP.
- Audit Server Roles : If patching is delayed, consider disabling the WSUS Server role till remediation is complete.
- Monitor Command and Script Execution : Look for PowerShell, cmd.exe, and base64-encoded payloads originating from WSUS processes.
- Use Threat Intelligence : Incorporate indicators of compromise (IOCs) associated with known exploitation attempts into security tooling.
