Concerns regarding the exploitation of a critical vulnerability in Windows Server Update Services (WSUS) have intensified following Microsoft’s rapid deployment of a patch last Friday. This patch addresses a flaw that permits unauthenticated attackers to execute arbitrary code, a situation that has raised alarms across the cybersecurity landscape.
The vulnerability, identified as CVE-2025-59287, stems from a “legacy serialization mechanism” within WSUS, a tool designed for managing Microsoft updates. Notably, WSUS is no longer actively developed, which adds to the complexity of the situation.
The Cybersecurity and Infrastructure Security Agency (CISA) has included this vulnerability in its Known Exploited Vulnerabilities catalog, underscoring the urgency of the matter. Cybersecurity firms, including Eye Security and Palo Alto Networks’ Unit 42, have reported active exploitation attempts, revealing that thousands of WSUS instances are exposed to the internet. Unit 42 has characterized these attacks as primarily reconnaissance activities, potentially serving as a precursor to more extensive network compromises.
Justin Moore, senior manager of threat intelligence research at Unit 42, highlighted the severity of the threat: “By compromising a single server, an attacker could gain control over the entire patch distribution system, enabling them to execute an internal supply chain attack.” This scenario poses a significant risk, as it allows attackers to distribute malware across every workstation and server within an organization, all while masquerading as legitimate Microsoft updates. “This turns the trusted service into a weapon of mass distribution,” Moore added.
In response to the vulnerability, both the Canadian Center for Cybersecurity and the Australian Cyber Security Centre have issued alerts, further emphasizing the global implications of the flaw.
Microsoft’s initial attempt to mitigate the risk came on October 15, during a routine Patch Tuesday rollout. However, this patch failed to fully address the issue, allowing a proof of concept published by HawkTrace to gain traction more quickly than anticipated. Moore noted, “In the brief window between the flawed initial patch and the emergency fix, threat actors weaponized this vulnerability almost instantaneously, granting them a critical head start before the complete remediation was available.”
Attackers have several avenues to exploit this vulnerability, including one that leverages the way WSUS deserializes AuthorizationCookie objects. This method enables a threat actor to send “malicious encrypted cookies to the GetCookie() endpoint,” as detailed in a follow-up blog post by HawkTrace. Another potential attack vector involves the ReportingWebService, where unsafe deserialization can be triggered via SoapFormatter.
Moore expressed particular concern about the vulnerability’s target: “The vulnerability is particularly concerning because its target, WSUS, is often neglected. Many IT teams adopt a ‘set it and forget it’ posture, leaving it a vulnerable target. A WSUS server should never be exposed to the Internet; it’s an internal patch system, not a public target.”
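A defender-side check for the exposure Moore warns about, as an added example that is not from the article, HawkTrace, Unit 42 or Microsoft: run elevated on a WSUS host, it reports whether the WSUS role is installed, which local addresses the WSUS listeners are bound to, and which enabled inbound firewall rules open those ports to any remote address. It assumes the default WSUS ports 8530 (HTTP) and 8531 (HTTPS); adjust `$WsusPorts` if the deployment uses others.

```powershell
# Added audit script (assumption: WSUS on its default ports 8530/8531).
# It does not test reachability from the internet; it flags the local
# conditions (listeners plus permissive inbound rules) that make exposure
# possible, so the result still has to be read against the network perimeter.
$WsusPorts = @(8530, 8531)

function Get-WsusExposureReport {
    $report = [ordered]@{}

    # Is the WSUS role present on this server at all?
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $report.RoleInstalled = [bool]($role -and $role.Installed)

    # Listening sockets on the WSUS ports and the local address each is bound to
    # (0.0.0.0 / :: means every interface, including any internet-facing one).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort }
    $report.Listeners = @($listeners | Select-Object LocalAddress, LocalPort)

    # Enabled inbound allow rules whose port filter covers a WSUS port (or 'Any')
    # and whose address filter accepts 'Any' remote address. Port ranges such as
    # "8530-8531" are not expanded here; review those rules by hand.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue
    $exposedRules = foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        $ports = @($portFilter.LocalPort)
        $hit = $WsusPorts | Where-Object { $ports -contains "$_" -or $ports -contains 'Any' }
        if ($hit -and (@($addrFilter.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule    = $rule.DisplayName
                Profile = $rule.Profile
                Ports   = ($ports -join ',')
            }
        }
    }
    $report.RulesOpenToAnyRemote = @($exposedRules)
    [pscustomobject]$report
}

Get-WsusExposureReport | Format-List
```

A listener bound to all interfaces together with an allow rule open to any remote address on a server that sits behind a public IP or NAT rule is the configuration the article says should never exist; the fix is to restrict the rule scope to internal client ranges or to move the server off the perimeter entirely.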