SecurityWeek


Critical Windows Server WSUS Vulnerability Exploited in the Wild 

CVE-2025-59287 allows a remote, unauthenticated attacker to execute arbitrary code and a PoC exploit is available.


Microsoft on Thursday released out-of-band updates to patch a critical vulnerability impacting the Windows Server Update Service (WSUS), and exploitation of the flaw was seen just hours later. 

WSUS is a component of the Windows Server operating system that allows IT administrators to centrally manage and distribute Microsoft product updates and patches within a corporate network. 

In an advisory released on Patch Tuesday, Microsoft informed customers about CVE-2025-59287, a WSUS remote code execution vulnerability impacting Windows Server 2012, 2016, 2019, 2022 and 2025.

The tech giant updated its advisory on October 23 to warn users about the public availability of a PoC exploit and to inform them about the release of an additional update that should fully address CVE-2025-59287.

“A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution,” Microsoft said. 

Technical details and a PoC exploit targeting CVE-2025-59287 were published on October 18 by security firm HawkTrace, which warned that an unauthenticated hacker can exploit the flaw to execute arbitrary code with System privileges. 


Eye Security warned on Friday that it has seen in-the-wild exploitation of CVE-2025-59287, and noted that roughly 2,500 WSUS instances from around the world are still exposed to attacks.

The Dutch government’s National Cyber Security Centre also reported on Friday that it has become aware of active exploitation.

CVE-2025-59287 is related to the WSUS Server Role, which is not enabled by default on Windows Server. Disabling the WSUS Server Role serves as a temporary mitigation until the patch can be deployed.
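To find the servers where that mitigation applies, the following PowerShell inventory reports whether the WSUS Server Role is installed and whether its listeners are up. It is an added example, not code from Microsoft or from the article; it assumes the ServerManager module, WinRM access for remote hosts, and the default WSUS ports 8530/8531, and the function name `Get-WsusExposure` is hypothetical.

```powershell
# Added example: inventory the WSUS Server Role across a list of servers.
# Pass your own server names; the default is the local machine only.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Default WSUS listener ports (HTTP, HTTPS). Assumption: change if customised.
$WsusPorts = 8530, 8531

function Get-WsusExposure {
    param([string]$Server, [int[]]$Ports)

    # UpdateServices is the feature name of the WSUS Server Role.
    $role = Get-WindowsFeature -Name UpdateServices -ComputerName $Server -ErrorAction Stop

    # Only look for listeners when the role is actually installed.
    $listening = @()
    if ($role.Installed) {
        $probe = {
            param($p)
            Get-NetTCPConnection -State Listen -LocalPort $p -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty LocalPort -Unique
        }
        if ($Server -eq $env:COMPUTERNAME) {
            $listening = @(& $probe $Ports)
        } else {
            $listening = @(Invoke-Command -ComputerName $Server -ScriptBlock $probe -ArgumentList (,$Ports))
        }
    }

    [pscustomobject]@{
        Server         = $Server
        RoleInstalled  = $role.Installed
        InstallState   = $role.InstallState
        ListeningPorts = ($listening -join ',')
        Action         = if ($role.Installed) { 'Patch now, or disable the role until patched' }
                         else { 'WSUS role not installed' }
    }
}

foreach ($server in $ComputerName) {
    try {
        Get-WsusExposure -Server $server -Ports $WsusPorts
    } catch {
        # Surface unreachable hosts instead of silently skipping them.
        Write-Warning "Could not query ${server}: $($_.Exception.Message)"
    }
}
```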

Microsoft’s advisory carries an ‘exploitation more likely’ assessment, but it does not confirm active exploitation of the vulnerability.  

Written By

Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
