Monday, December 1

CISA Warns of Hackers Actively Exploiting Windows Server Update Services RCE Vulnerability in the Wild


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding the active exploitation of a critical remote code execution (RCE) vulnerability in Microsoft’s Windows Server Update Services (WSUS).

Tracked as CVE-2025-59287 and rated CVSS 9.8, the vulnerability lets an unauthenticated attacker who can reach the WSUS service over the network execute arbitrary code with SYSTEM privileges on the server.

The flaw originates from unsafe deserialization of untrusted data in WSUS. Microsoft's October 2025 Patch Tuesday release addressed it only partially; after the initial fix proved incomplete, an out-of-band update followed on October 23, 2025.

Security firms have reported real-world attacks beginning October 24, 2025. Notably, Dutch cybersecurity firm Eye Security observed exploitation attempts at 06:55 a.m. UTC, involving a Base64-encoded .NET payload executing commands via a custom request header.

Publicly released proof-of-concept (PoC) exploits have lowered the bar for attackers, and because the WSUS service runs under the SYSTEM account, a successful exploit yields full control of the server.

CISA’s inclusion of CVE-2025-59287 in its Known Exploited Vulnerabilities (KEV) Catalog requires federal agencies to patch by November 14, 2025, due to the high exploitability and low complexity of the vulnerability.

Organizations using WSUS for centralized patch management are at particular risk: a compromised WSUS server is a trusted distribution point, so an attacker who controls it can push malicious updates to every managed endpoint.

Affected Systems:

  • Windows Server 2012 – KB5070887 (Standard and Server Core)
  • Windows Server 2012 R2 – KB5070886 (Standard and Server Core)
  • Windows Server 2016 – KB5070882 (Standard and Server Core)
  • Windows Server 2019 – KB5070883 (Standard and Server Core)
  • Windows Server 2022 – KB5070884 (Standard and Server Core)
  • Windows Server 2022, 23H2 Edition – KB5070879 (Server Core installation)
  • Windows Server 2025 – KB5070881 (Standard and Server Core)

The flaw lies in the GetCookie() SOAP endpoint. The server decrypts the client-supplied AuthorizationCookie with AES-128-CBC and hands the plaintext to a legacy .NET serializer (BinaryFormatter), which reconstructs whatever object types the blob names with no type validation. Decryption alone says nothing about what is inside, so the sender, not the server, decides which types get instantiated; that is the classic deserialization gadget-chain primitive, and here it leads to full system takeover.
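The decrypt-then-deserialize pattern described above, as an added example that is not WSUS's own code: a throwaway AES key, a Guid standing in for the expected cookie object, and an ArrayList standing in for a type the sender chose, with the vulnerable reader beside a hardened one that pins deserialization to a single allowed type. It assumes Windows PowerShell 5.1 on .NET Framework, where BinaryFormatter is still available (PowerShell 7 disables it); nothing here reproduces the real WSUS cookie format, key or class names.

```powershell
# Added example, not WSUS code: the unsafe "decrypt the cookie, then hand the plaintext to
# BinaryFormatter" pattern beside a variant that restricts deserialization to one type.
# Assumes Windows PowerShell 5.1 on .NET Framework (PowerShell 7 disables BinaryFormatter).
# The key, the stand-in cookie type (Guid) and the rogue type (ArrayList) are all constructed
# for the demo; nothing here reproduces the real WSUS cookie format or key.

$Key = [byte[]](1..16)   # constructed 128-bit key for the demo only

function Protect-Cookie([object]$Payload) {
    # Sender side: BinaryFormatter-serialize, then AES-128-CBC encrypt with the IV prepended.
    $ms = [System.IO.MemoryStream]::new()
    [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new().Serialize($ms, $Payload)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key  = $Key
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.GenerateIV()
    $plain  = $ms.ToArray()
    $cipher = $aes.CreateEncryptor().TransformFinalBlock($plain, 0, $plain.Length)
    $blob   = [byte[]]($aes.IV + $cipher)
    return ,$blob
}

function Unprotect-Bytes([byte[]]$Blob) {
    # Server side, step 1: decrypt. A clean decryption says nothing about the type inside.
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key  = $Key
    $aes.Mode = [System.Security.Cryptography.CipherMode]::CBC
    $aes.IV   = [byte[]]($Blob[0..15])
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Blob, 16, $Blob.Length - 16)
    return ,$plain
}

# Allow-list binder: the only type the server should ever reconstruct is the cookie type.
# It throws instead of returning $null because, on .NET Framework, a null from BindToType
# makes BinaryFormatter fall back to its default (sender-steerable) type resolution.
class CookieBinder : System.Runtime.Serialization.SerializationBinder {
    [Type] BindToType([string]$AssemblyName, [string]$TypeName) {
        if ($TypeName -eq [guid].FullName) { return [guid] }
        throw [System.Runtime.Serialization.SerializationException]::new("type not permitted in cookie: $TypeName")
    }
}

function Read-CookieUnsafe([byte[]]$Blob) {
    # Vulnerable pattern: no binder, so whatever type the blob names is resolved and built.
    $bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    Write-Output -NoEnumerate $bf.Deserialize([System.IO.MemoryStream]::new((Unprotect-Bytes $Blob)))
}

function Read-CookieSafe([byte[]]$Blob) {
    # Hardened pattern: identical decrypt, but the binder rejects every type except Guid.
    $bf = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    $bf.Binder = [CookieBinder]::new()
    Write-Output -NoEnumerate $bf.Deserialize([System.IO.MemoryStream]::new((Unprotect-Bytes $Blob)))
}

$token = [guid]::NewGuid()
$good  = Protect-Cookie $token                                                   # what a legitimate client sends
$bad   = Protect-Cookie ([System.Collections.ArrayList]@('not', 'a', 'cookie'))  # a type the sender chose

"unsafe reader, legitimate cookie round-trips: " + ((Read-CookieUnsafe $good) -eq $token)
"unsafe reader, rogue blob was built as: " + (Read-CookieUnsafe $bad).GetType().FullName
"safe reader, legitimate cookie round-trips:   " + ((Read-CookieSafe $good) -eq $token)
try   { Read-CookieSafe $bad | Out-Null; "safe reader, rogue blob: accepted (should not happen)" }
catch { "safe reader, rogue blob: rejected, " + $_.Exception.GetBaseException().Message }
```

The binder is the narrowest fix for code that cannot yet drop BinaryFormatter; Microsoft's own guidance is to stop using BinaryFormatter altogether, since a binder only limits which types can be named and does nothing about the format's other hazards.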

Security researchers, including those from CODE WHITE GmbH, initially identified the issue, which is documented in Microsoft’s advisory.

Microsoft confirms that servers without the WSUS Server Role are unaffected; however, those with it enabled, especially with ports 8530 or 8531 exposed to the internet, face significant risks.

Malicious actors are reportedly using the PoC to deploy malware, with the potential for extensive lateral movement within enterprise environments.

Mitigations

CISA and Microsoft advise immediate action to mitigate the threat. Organizations should identify vulnerable servers with the WSUS role and open ports 8530/8531, then apply the October 23 out-of-band patch and reboot to ensure full mitigation.

For those unable to patch immediately, temporary measures include disabling the WSUS Server Role or blocking inbound traffic to ports 8530 and 8531 at the host firewall until the update is applied. Either measure also stops WSUS clients from checking in, so it should be reversed as soon as the server is patched and rebooted.
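The identify, patch-check and interim-block steps above, as an added example that is not CISA's or Microsoft's own tooling. It assumes it is run elevated in Windows PowerShell on the WSUS server itself; the KB identifiers are the ones listed under Affected Systems, and the firewall rule name is an arbitrary label chosen here.

```powershell
# Added example, not CISA's or Microsoft's tooling: triage one server for CVE-2025-59287 and,
# when it is still exposed, apply the interim port block. Run elevated on the WSUS server.

# Out-of-band update IDs from Microsoft's list above. Caveat: Get-HotFix only shows updates
# installed as separate packages; a later cumulative update that supersedes the OOB release
# will not show these IDs, so confirm the build against Microsoft's release notes in that case.
$OobKbs = 'KB5070887','KB5070886','KB5070882','KB5070883','KB5070884','KB5070879','KB5070881'

function Test-WsusExposure {
    # One object per server: role present, ports listening, OOB KB present, reboot pending.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleOn  = [bool]($feature -and $feature.Installed)
    $listen  = @(Get-NetTCPConnection -State Listen -LocalPort 8530,8531 -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalPort -Unique)
    $oob     = @(Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -in $OobKbs } |
                 Select-Object -ExpandProperty HotFixID)
    # Component Based Servicing sets this key while an installed update still needs a restart.
    $reboot  = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        WsusRole      = $roleOn
        ListeningOn   = $listen
        OobInstalled  = $oob
        RebootPending = $reboot
        # The fix is not effective until the update is installed and the server has restarted.
        Exposed       = $roleOn -and ($oob.Count -eq 0 -or $reboot)
    }
}

function Set-WsusInterimBlock {
    # Interim control from the advisory: drop inbound TCP 8530/8531 at the host firewall.
    # This also stops WSUS clients checking in; remove the rule (-Remove) once the OOB update
    # is installed and the server rebooted. A Block rule wins over any Allow rule in Windows
    # Firewall, so management hosts cannot be exempted here without a narrower RemoteAddress.
    param([switch]$Remove)
    $name = 'CVE-2025-59287 interim block (WSUS TCP 8530/8531)'   # arbitrary label for this example
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($Remove) { if ($rule) { $rule | Remove-NetFirewallRule }; return }
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort 8530,8531 -Action Block -Profile Any | Out-Null
    }
}

$state = Test-WsusExposure
$state
if ($state.Exposed -and $state.ListeningOn.Count -gt 0) { Set-WsusInterimBlock }
```

Run `Set-WsusInterimBlock -Remove` after the out-of-band update is confirmed installed and the server has rebooted; leaving the block in place silently starves every WSUS client of updates.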

Organizations should update all remaining Windows Servers and monitor for signs of exploitation: unusual WSUS traffic such as atypical GetCookie() requests or Base64 payloads in request headers, and, more reliably, the WSUS IIS worker process (w3wp.exe) or the WSUS service (WsusService.exe) spawning cmd.exe or powershell.exe, which is the post-exploitation pattern reported so far. Unpatched systems may serve as entry points for advanced threats, particularly in hybrid cloud environments.
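The monitoring step, as an added example that is not from CISA, Microsoft or Eye Security: a classifier for process-creation records that flags the WSUS worker or service spawning a shell, with a wrapper that feeds it live Security event 4688 data and a few constructed sample records. It assumes 4688 auditing with "Include command line in process creation events" turned on; without that policy the CommandLine field is empty and only the parent/child pair can match.

```powershell
# Added example, not from CISA, Microsoft or Eye Security: hunt for the post-exploitation
# shape reported for CVE-2025-59287, the WSUS IIS worker process or the WSUS service
# spawning a command shell, typically with an encoded PowerShell command line.
# Assumes Security event 4688 is audited with "Include command line in process creation
# events" turned on; without it CommandLine is empty and only the parent/child pair matches.

$WsusParents   = '\\w3wp\.exe$', '\\wsusservice\.exe$'   # IIS worker (WsusPool) and the WSUS service
$ShellChildren = '\\(cmd|powershell|pwsh)\.exe$'
# -e / -ec / -enc / -EncodedCommand followed by a Base64 run, the form seen in the reported payloads
$EncodedArg    = '(?i)\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{12,}'

function Test-WsusSpawnedShell {
    # Classifies one process-creation record; returns nothing when the record is benign.
    param([string]$Parent, [string]$Child, [string]$CommandLine)
    $fromWsus = $false
    foreach ($p in $WsusParents) { if ($Parent -match $p) { $fromWsus = $true } }
    if (-not $fromWsus -or $Child -notmatch $ShellChildren) { return }
    [pscustomobject]@{
        Parent      = $Parent
        Child       = $Child
        EncodedCmd  = [bool]($CommandLine -match $EncodedArg)
        CommandLine = $CommandLine
    }
}

function Get-WsusSpawnedShells {
    # Reads live 4688 events from the Security log and runs each through the classifier.
    param([datetime]$Since = (Get-Date).AddDays(-7))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $hit = Test-WsusSpawnedShell -Parent $data['ParentProcessName'] -Child $data['NewProcessName'] -CommandLine $data['CommandLine']
            if ($hit) { $hit | Add-Member -NotePropertyName Time -NotePropertyValue $_.TimeCreated -PassThru }
        }
}

# Constructed sample records (not real telemetry). The first two should be flagged, the third not.
$samples = @(
    @{ Parent = 'C:\Windows\System32\inetsrv\w3wp.exe'
       Child  = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA' }   # Base64 of UTF-16LE "whoami"
    @{ Parent = 'C:\Program Files\Update Services\Service\WsusService.exe'
       Child  = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'powershell.exe -nop -c "whoami > C:\Windows\Temp\o.txt"' }
    @{ Parent = 'C:\Windows\explorer.exe'
       Child  = 'C:\Windows\System32\cmd.exe'
       CommandLine = 'cmd.exe /c whoami' }
)
foreach ($s in $samples) { Test-WsusSpawnedShell @s }
```

Process lineage is the stronger signal here: IIS's default W3C log fields do not record the SOAPAction header, so GetCookie() calls are not distinguishable from other POSTs to the ClientWebService endpoint in those logs unless custom fields are added, and the Base64 payload travels in a request header that IIS does not log by default either.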
