Microsoft Issues Emergency Patch for Actively Exploited Critical WSUS Vulnerability

Oct 24, 2025 | Ravie Lakshmanan | Vulnerability / Network Security

Critical Vulnerability in WSUS Prompting Urgent Action

On Thursday, Microsoft took decisive action by rolling out out-of-band security updates to address a critical vulnerability in the Windows Server Update Service (WSUS). This vulnerability, identified as CVE-2025-59287, has a CVSS score of 9.8 and is currently being exploited in the wild, with a proof-of-concept (PoC) exploit now publicly available.

The flaw, which was initially addressed in last week’s Patch Tuesday update, allows unauthorized attackers to execute remote code due to unsafe deserialization of untrusted data within WSUS. Notably, this vulnerability does not affect Windows servers lacking the WSUS Server Role.

Three security researchers—MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange from CODE WHITE GmbH—have been credited with discovering and reporting this critical issue. In a potential attack scenario, a remote, unauthenticated attacker could exploit this flaw by sending a specially crafted event that triggers unsafe object deserialization, leading to remote code execution.

Batuhan Er, a researcher at HawkTrace, elaborated on the nature of the vulnerability, stating that it stems from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint. The process involves decrypting cookie data using AES-128-CBC and subsequently deserializing it through BinaryFormatter without adequate type validation, thereby enabling remote code execution with SYSTEM privileges.

Microsoft has previously advised developers against using BinaryFormatter for deserialization due to its inherent risks when handling untrusted input. In fact, an implementation of BinaryFormatter was removed from .NET 9 in August 2024, underscoring the importance of secure coding practices.

To effectively mitigate the risks associated with CVE-2025-59287, Microsoft has issued an out-of-band security update for various supported versions of Windows Server, including:

  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019
  • Windows Server 2022
  • Windows Server 2025 (23H2 Edition, Server Core installation)

Once the patch is applied, a system reboot is recommended for the changes to take effect. For those unable to implement the update immediately, Microsoft has suggested alternative protective measures:

  • Disable the WSUS Server Role on the server if it is enabled.
  • Block inbound traffic to Ports 8530 and 8531 on the host firewall.
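The two workarounds above as an added PowerShell example, written for this page rather than taken from the article or from Microsoft. It assumes it runs elevated on the WSUS host, that WSUS listens on its default ports 8530 (HTTP) and 8531 (HTTPS), and that the WSUS role carries the Server Manager feature name UpdateServices; the firewall rule name is a placeholder chosen here.

```powershell
# Added example (not from the article or Microsoft): interim hardening for
# CVE-2025-59287 while the out-of-band update cannot yet be applied.
# Assumptions: run elevated on the WSUS host; WSUS uses its default ports
# 8530/8531; the rule name below is a placeholder chosen for this example.
#Requires -RunAsAdministrator

$WsusPorts = 8530, 8531
$RuleName  = 'Block-WSUS-Inbound-CVE-2025-59287'   # placeholder rule name

function Test-WsusRoleInstalled {
    # $true when the WSUS server role (feature name UpdateServices) is installed.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction Stop
    return [bool]$feature.Installed
}

function Get-WsusListeners {
    # Show what is listening on the WSUS ports so the exposure can be confirmed.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Add-WsusBlockRule {
    # Workaround 2: block inbound TCP 8530/8531 on the host firewall.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
            -Action Block -Profile Any -Enabled True | Out-Null
    }
    Get-NetFirewallRule -DisplayName $RuleName
}

function Remove-WsusBlockRule {
    # Reverse the workaround only after the update is installed and the host rebooted.
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

function Disable-WsusRole {
    # Workaround 1: remove the WSUS role entirely (reboot handled separately).
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
}

if (Test-WsusRoleInstalled) {
    Write-Host 'WSUS role is installed on this host; current listeners:'
    Get-WsusListeners | Format-Table -AutoSize
    Add-WsusBlockRule | Format-Table DisplayName, Enabled, Action -AutoSize
} else {
    Write-Host 'WSUS role not installed; CVE-2025-59287 does not apply to this host.'
}
```

Blocking the ports keeps the role in place but stops clients from reaching it, so it is the less disruptive of the two workarounds; removing the role with Disable-WsusRole is the stronger option when WSUS is not needed. Either way, keep the rule (or the role removed) until the out-of-band update is installed and the server has been rebooted, which is the order Microsoft gives.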

Microsoft cautioned users against reversing these workarounds until after the update has been successfully installed. The urgency of this situation has been underscored by the Dutch National Cyber Security Centre (NCSC), which reported that exploitation of CVE-2025-59287 was observed on the same day the updates were released.

Eye Security, which alerted NCSC-NL to the active exploitation, noted that they first detected the vulnerability being misused at 06:55 a.m. UTC. The malicious payload, a Base64-encoded .NET executable, utilizes a request header named ‘aaaa’ to execute commands directly via cmd.exe, cleverly avoiding direct logging of the commands.

Piet Kerkhofs, CTO of Eye Security, remarked on the payload’s design, emphasizing its stealthy approach to command execution. He acknowledged the potential for earlier exploitation, given that the PoC from HawkTrace had been made public just two days prior, providing the necessary tools for attackers.
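A defender-side hunt for the behaviour described above, added here as an example and not part of the article or of Eye Security's reporting. It assumes that WSUS's web services run inside IIS worker processes (w3wp.exe), so that a cmd.exe spawned by w3wp.exe on a WSUS host is the process-tree signal worth alerting on, and that command-line auditing is enabled so Security event 4688 carries the fields used; the sample records are constructed.

```powershell
# Added example (not from the article): find shells launched from the WSUS web
# service. Assumption: WSUS runs under IIS worker processes (w3wp.exe), and
# Security event ID 4688 carries NewProcessName/ParentProcessName/CommandLine.

function Find-SuspiciousWsusChildProcess {
    # Returns records whose parent is w3wp.exe and whose child is a shell.
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object {
        $_.ParentProcessName -match '\\w3wp\.exe$' -and
        $_.NewProcessName    -match '\\(cmd|powershell|pwsh)\.exe$'
    }
}

function Get-ProcessCreationEvents {
    # Reads 4688 events from the live Security log into the shape used above.
    param([int] $MaxEvents = 5000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents $MaxEvents |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated       = $_.TimeCreated
                NewProcessName    = $d['NewProcessName']
                ParentProcessName = $d['ParentProcessName']
                CommandLine       = $d['CommandLine']
            }
        }
}

# Constructed sample records standing in for real 4688 events.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2025-10-24 08:10:00'
                       NewProcessName = 'C:\Windows\System32\cmd.exe'
                       ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       CommandLine = 'cmd.exe /c whoami' }
    [pscustomobject]@{ TimeCreated = '2025-10-24 08:10:01'
                       NewProcessName = 'C:\Windows\System32\conhost.exe'
                       ParentProcessName = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'conhost.exe' }
    [pscustomobject]@{ TimeCreated = '2025-10-24 08:30:00'
                       NewProcessName = 'C:\Windows\System32\cmd.exe'
                       ParentProcessName = 'C:\Windows\explorer.exe'
                       CommandLine = 'cmd.exe' }
)

# Only the first record matches: a shell whose parent is the IIS worker process.
Find-SuspiciousWsusChildProcess -Events $sample | Format-Table -AutoSize

# Against the live log on a WSUS host:
# Find-SuspiciousWsusChildProcess -Events (Get-ProcessCreationEvents)
```

Because the article notes that the payload avoids direct logging of the commands it runs, the parent-child relationship is the more reliable signal than the command line itself; the same logic can be expressed as a Sysmon Event ID 1 or EDR rule keyed on ParentImage ending in w3wp.exe.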

In response to inquiries, a Microsoft spokesperson confirmed that the company had re-released the CVE after realizing that the initial update did not fully resolve the issue. They reassured customers that those who have installed the latest updates are now protected and reiterated that servers without the WSUS Server Role enabled remain unaffected. Furthermore, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies address it by November 14, 2025.

(The story was updated after publication with additional insights from Eye Security and a response from Microsoft.)
