CVE-2025-59287

Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Active Exploitation Observed

Windows Server Update Services (WSUS) is Microsoft’s on-prem update-management role that downloads, stages, and distributes Windows updates to downstream WSUS servers and Windows machines. 

Horizon3 has observed active exploitation of this vulnerability, and other organizations have started to report the same. This vulnerability was also added to CISA KEV on October 24. 

CODE WHITE discovered that Microsoft’s October 2025 security updates for WSUS inadvertently introduced code that deserializes user-controlled data using SoapFormatter, which is the issue captured by this vulnerability (CVE-2025-59287). Exploiting this flaw could lead to remote code execution. By comparing WSUS versions, CODE WHITE found that the vulnerability was introduced between September 2025 (10.0.20348.2849) and October 2025 (10.0.20348.4294). 

CVE-2025-59287 is a critical unsafe-deserialization / remote code execution flaw in WSUS’s handling of an AuthorizationCookie object; a specially crafted request can cause the server to deserialize attacker-controlled data and execute code as SYSTEM. The vulnerability can be triggered over the network with no user interaction; Microsoft treats it as high urgency and released another out-of-band update on October 23, 2025 after an earlier advisory and patch. 

The October 23 out-of-band patch released by Microsoft removed the vulnerable code. Therefore, the only affected systems are those running the scheduled October updates without the out-of-band update, essentially systems updated between October 14 and October 23. Systems that remained on the September patches are not affected.

Impact

Successful exploitation of a WSUS server can allow an attacker to: 

  • Gain broad domain footholds
  • Access sensitive data 
  • Move laterally and pivot to downstream clients
  • Weaponize the update infrastructure to distribute malicious updates
    • Through elevated access to signed update packages
    • Through access to patch metadata

Mitigations

If the October scheduled patches have not yet been applied, it is strongly recommended you update Windows Server Update Services (WSUS) directly to the October 23, 2025 out-of-band update. If the October patches are already installed, apply the October 23, 2025 out-of-band update as soon as possible.

If you are unable to patch immediately, apply these workarounds and do not undo them until after patching:

  • If the WSUS Server Role is enabled on your server, disable it. Note that clients will no longer receive updates from the server if WSUS is disabled.
  • Block inbound traffic to Ports 8530 and 8531 on the host firewall (as opposed to blocking only at the network/perimeter firewall) to render WSUS non-operational.
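The following PowerShell script is an added example of how the two interim workarounds above can be applied and verified on a WSUS host; it is not code from the original advisory, from Horizon3, or from Microsoft. It assumes a Windows Server with the ServerManager and NetSecurity modules available, that the WSUS role is exposed under the feature name UpdateServices, and that the script runs in an elevated session. The rule name and the -DisableRole switch are chosen here for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory, Horizon3 or Microsoft): applies the interim
# CVE-2025-59287 workarounds on a WSUS host and reports what was done.
# Assumptions: Windows Server, ServerManager + NetSecurity modules, WSUS role
# feature name "UpdateServices", elevated session.
param(
    [switch]$DisableRole   # also remove the WSUS role, not only block the ports
)

Import-Module ServerManager
Import-Module NetSecurity

$ports    = @(8530, 8531)   # WSUS HTTP / HTTPS listeners named in the advisory
$ruleName = 'Block inbound WSUS (CVE-2025-59287 workaround)'   # illustrative name

# 1. Is the WSUS role present on this host at all?
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Output 'WSUS role is not installed; no workaround needed on this host.'
    return
}

# 2. Host-level firewall block on 8530/8531. The advisory stresses blocking on the
#    host itself, not only at the perimeter, so traffic from inside the network is
#    stopped too. A Block rule takes precedence over the Allow rules the WSUS role
#    installs, so the existing allow rules do not need to be touched.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $ports `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Created host firewall rule blocking inbound TCP $($ports -join ',')."
} else {
    Write-Output 'Host firewall block rule already present.'
}

# 3. Optionally remove the role itself. Clients stop receiving updates from this
#    server until the role is reinstalled after the out-of-band update is applied.
if ($DisableRole) {
    Uninstall-WindowsFeature -Name UpdateServices | Out-Null
    Write-Output 'WSUS role removed. Reinstall only after applying the October 23, 2025 out-of-band update.'
}

# 4. Verification: show the block rule's port filter and any remaining listeners.
Get-NetFirewallRule -DisplayName $ruleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort |
    Format-Table -AutoSize

$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort }
if ($listeners) {
    Write-Output 'WSUS ports are still bound locally (expected if the role remains installed); inbound traffic is blocked by the host firewall rule.'
} else {
    Write-Output 'No process is listening on the WSUS ports.'
}
```

Run without switches to apply only the host-firewall block, or with -DisableRole to also remove the role. After patching to the October 23, 2025 out-of-band update, remove the rule with Remove-NetFirewallRule -DisplayName and reinstall the role if it was removed.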
