Microsoft has taken decisive action by releasing an out-of-band emergency patch to address a critical remote code execution (RCE) vulnerability affecting Windows Server Update Services (WSUS). This vulnerability, designated CVE-2025-59287, arises from the deserialization of untrusted data within a legacy serialization mechanism, enabling unauthorized attackers to execute arbitrary code over the network.
The patch was made available on October 23, 2025, just days following the initial disclosure of the vulnerability on October 14. Rated critical with a CVSS 3.1 base score of 9.8, this flaw poses a significant risk as it requires no user privileges or interaction, making it highly exploitable with minimal complexity.
Attackers could potentially send crafted events to trigger unsafe deserialization, which may lead to complete system compromise and severe ramifications for confidentiality, integrity, and availability.
Vulnerability Exposes WSUS Servers To Remote Attacks
Although WSUS is not enabled by default on Windows servers, thereby protecting unmodified systems, organizations that actively utilize this server role for update management are at immediate risk if they remain unpatched. Microsoft’s security team has updated the CVE’s temporal score to 8.8 after confirming the existence of proof-of-concept (PoC) exploit code, which elevates the exploitability assessment to “more likely.”
While no active exploitation in the wild has been reported, the public disclosure of PoC code highlights the urgency for administrators to take action. The vulnerability was responsibly reported by researchers from MEOW and CODE WHITE GmbH, including Markus Wulftange, who identified the deserialization weakness linked to CWE-502.
The update released on October 23 is accessible through Windows Update, Microsoft Update, and the Microsoft Update Catalog for standalone downloads. It will also synchronize automatically with WSUS environments; however, installation necessitates a server reboot, which could disrupt operations in production settings.
For organizations unable to patch immediately, Microsoft suggests temporary workarounds: disabling the WSUS server role entirely, which would halt client updates, or blocking inbound traffic to ports 8530 and 8531 at the host firewall level to neutralize the service.
This incident underscores the ongoing challenges associated with legacy components like WSUS, which continue to be relied upon by many enterprises for centralized patch management. Security experts are urging organizations to review their WSUS configurations and prioritize the update to avert potential breaches.
An updated Windows Update offline scan file (Wsusscn2.cab) is now available to assist in detection efforts. As cybersecurity threats continue to evolve, this situation serves as a poignant reminder of the critical importance of timely patching within enterprise environments. Microsoft remains vigilant, monitoring for any emerging exploits.
| Affected Version | Patch KB Number | Notes |
|---|---|---|
| Windows Server 2012 | KB5070887 | Standard and Server Core |
| Windows Server 2012 R2 | KB5070886 | Standard and Server Core |
| Windows Server 2016 | KB5070882 | Standard and Server Core |
| Windows Server 2019 | KB5070883 | Standard and Server Core |
| Windows Server 2022 | KB5070884 | Standard and Server Core |
| Windows Server 2022, 23H2 Edition | KB5070879 | Server Core installation |
| Windows Server 2025 | KB5070881 | Standard and Server Core |
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
