The Cybersecurity and Infrastructure Security Agency (CISA) has taken decisive action by mandating U.S. government agencies to address a critical vulnerability in Windows Server Update Services (WSUS). This vulnerability, identified as CVE-2025-59287, has been added to CISA’s catalog of security flaws that are currently being exploited in various attacks.
This vulnerability poses a significant risk because it allows remote code execution (RCE) on Windows servers with the WSUS Server role installed, a role that is not enabled by default. Attackers can exploit the flaw remotely in low-complexity attacks that require neither user interaction nor elevated privileges, gaining code execution with SYSTEM privileges.
In response, Microsoft released out-of-band security updates addressing CVE-2025-59287 across all affected Windows Server versions. The release followed the publication of proof-of-concept exploit code by cybersecurity firm HawkTrace Security. IT administrators are strongly encouraged to apply these updates without delay.
For those unable to deploy the emergency patches immediately, CISA advises disabling the WSUS Server role on vulnerable systems to mitigate the risk of exploitation.
Active exploitation in the wild
On the same day that patches for CVE-2025-59287 were made available, Huntress, an American cybersecurity firm, detected active exploitation attempts targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online. Additionally, Dutch cybersecurity firm Eye Security reported scanning and exploitation attempts, noting at least one instance of a customer’s system being compromised through a different exploit than the one disclosed by HawkTrace.
While Microsoft has categorized CVE-2025-59287 as “Exploitation More Likely,” indicating its attractiveness to threat actors, the company has yet to update its security advisory to confirm ongoing exploitation. Meanwhile, the Shadowserver Internet watchdog group is monitoring over 2,800 WSUS instances with their default ports exposed online, though it remains unclear how many of these have been patched.
Federal agencies ordered to patch
On Friday, CISA expanded its focus by adding a second vulnerability affecting Adobe Commerce (formerly Magento) stores, which has also been flagged as exploited in attacks. Both vulnerabilities have been included in the Known Exploited Vulnerabilities catalog, which highlights security flaws currently under active exploitation.
In accordance with the November 2021 Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch their systems within three weeks, with a deadline set for November 14th, to safeguard against potential breaches. While this directive specifically targets U.S. government agencies, all IT administrators and cybersecurity professionals are urged to prioritize the patching of these vulnerabilities promptly.
CISA emphasizes the importance of addressing such vulnerabilities, stating, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” The agency strongly advises organizations to implement Microsoft’s updated guidance on the WSUS Remote Code Execution Vulnerability to mitigate the risk of unauthorized remote code execution with system privileges.
To ensure comprehensive protection, CISA recommends that network defenders identify all vulnerable servers, apply the out-of-band security updates for CVE-2025-59287, and reboot the WSUS servers after installation to complete the mitigation, then verify the remaining Windows servers in the estate.
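The three defender steps described in this article (identify servers with the WSUS Server role, confirm the out-of-band update is installed, and reboot; or, as CISA's interim measure, disable the role where the update cannot yet be applied) can be scripted for each Windows Server in an estate. The following PowerShell is an added example and is not code from the article, CISA or Microsoft. It assumes an elevated session on Windows Server with the ServerManager module available; the `$RequiredKBs` value is a placeholder, because the KB numbers of the out-of-band updates are not given in this text and must be taken from Microsoft's advisory.

```powershell
# Added example (not from the article, CISA or Microsoft): WSUS exposure and
# patch-status check for CVE-2025-59287. Run elevated on each Windows Server.
# $RequiredKBs is a PLACEHOLDER: replace it with the KB IDs from Microsoft's
# out-of-band advisory; they are not stated in the article.

param(
    [string[]]$RequiredKBs = @('KB-PLACEHOLDER'),   # assumption: fill in real update IDs
    [switch]$DisableRoleIfUnpatched,               # CISA interim mitigation: remove the WSUS Server role
    [switch]$RebootAfterDisable
)

Import-Module ServerManager -ErrorAction Stop

$report = [ordered]@{
    ComputerName      = $env:COMPUTERNAME
    WsusRoleInstalled = $false
    ListeningPorts    = @()
    MissingUpdates    = @()
    RebootPending     = $false
    Action            = 'none'
}

# 1. Is the WSUS Server role ("UpdateServices") installed? It is off by default,
#    so a server without it is not affected by this vulnerability.
$role = Get-WindowsFeature -Name UpdateServices
$report.WsusRoleInstalled = [bool]$role.Installed

if (-not $report.WsusRoleInstalled) {
    $report.Action = 'not affected (WSUS Server role absent)'
    [pscustomobject]$report
    return
}

# 2. Are the default WSUS ports (8530/TCP and 8531/TCP) listening? The scanning
#    and exploitation attempts reported in the article targeted exactly these
#    ports, so a listener reachable from untrusted networks is the exposure.
$report.ListeningPorts = @(
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort -Unique
)

# 3. Are the required updates installed? Compare against the installed hotfix
#    list rather than calling Get-HotFix -Id, which errors when nothing matches.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$report.MissingUpdates = @($RequiredKBs | Where-Object { $_ -notin $installed })

# 4. A reboot is required after installing the update; this servicing key exists
#    while a reboot is still pending.
$report.RebootPending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'

if ($report.MissingUpdates.Count -eq 0) {
    $report.Action = if ($report.RebootPending) {
        'patched but REBOOT PENDING: reboot to complete the mitigation'
    } else {
        'patched and rebooted'
    }
}
elseif ($DisableRoleIfUnpatched) {
    # Interim mitigation from the article: remove the WSUS Server role until the
    # out-of-band update can be applied. Clients stop receiving updates from this
    # server while the role is absent, so schedule this deliberately.
    Uninstall-WindowsFeature -Name UpdateServices -ErrorAction Stop | Out-Null
    $report.Action = 'UNPATCHED: WSUS Server role removed as interim mitigation'
    if ($RebootAfterDisable) { Restart-Computer -Force }
}
else {
    $report.Action = 'UNPATCHED: apply the out-of-band update and reboot, or rerun with -DisableRoleIfUnpatched'
}

[pscustomobject]$report
```

Run it without switches first to inventory the estate (for example via `Invoke-Command` against a server list); the returned object shows whether the role is present, which default ports are listening, which placeholder-listed updates are missing, and whether a reboot is outstanding. Only rerun with `-DisableRoleIfUnpatched` on servers where the update genuinely cannot be applied yet, since removing the role interrupts update distribution to that server's clients.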