Microsoft has taken decisive action by rolling out an out-of-band security update aimed at addressing the critical CVE-2025-59287 vulnerability. This remote code execution flaw affects the Windows Server Update Services (WSUS), which is currently under active exploitation in the wild.
About CVE-2025-59287
WSUS serves as a vital tool for organizations, enabling them to manage and distribute Microsoft updates across various computers efficiently. Rather than having each individual PC download updates directly from Microsoft’s servers, WSUS centralizes this process by downloading and storing updates, subsequently distributing them to all connected computers within the network.
The vulnerability, CVE-2025-59287, is classified as a critical deserialization of untrusted data flaw. It poses a significant risk, as it may allow unauthorized attackers to execute code on vulnerable machines by sending specially crafted events to the WSUS server, all without requiring any user interaction. Notably, this vulnerability impacts only Windows Server machines with the WSUS Server role enabled, which is not the default setting, according to Microsoft.
Initially addressed during the October 2025 Patch Tuesday, the fix was deemed insufficient, prompting Microsoft to release this additional update. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, has urged administrators to implement the fix promptly, highlighting the wormable nature of the vulnerability and the attractiveness of WSUS servers as targets.
A public PoC, and reports of in-the-wild exploitation
While exploitation of CVE-2025-59287 from the internet should be mitigated with proper network configurations—such as operating WSUS behind a firewall—the German Federal Office for Information Security (BSI) has raised concerns. If an attacker gains access to the internal network or if the perimeter firewall is misconfigured, they could potentially exploit this vulnerability to gain full control of the WSUS server and extend their attack to other services.
Compromised WSUS servers pose a significant threat, as they could be manipulated to distribute malicious updates to client devices. The urgency surrounding the installation of this update has escalated following the publication of a technical analysis and proof-of-concept exploit code by a security researcher earlier this week. Furthermore, the Dutch National Cyber Security Centre has reported that it received information from a trusted partner indicating that exploitation of the vulnerability was observed on October 24, 2025.
Update or disable WSUS
This out-of-band update is available for all supported Windows Server versions, with a requirement for systems to be rebooted post-update. In cases where immediate implementation of the update is not feasible, administrators have the option to temporarily disable the WSUS server role or to render WSUS non-operational by blocking inbound traffic to Ports 8530 and 8531 on the host firewall. However, this would also prevent clients from receiving updates from the server.
Microsoft has clarified that this is a cumulative update, meaning there is no need to apply any previous updates before installing it, as it supersedes all prior updates for affected versions. For those who have yet to install the October 2025 Windows security update, it is recommended to prioritize this out-of-band update instead.
Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities, and cybersecurity threats. Subscribe here!
