On October 24, 2025, Microsoft issued an out-of-band security update to address a critical vulnerability in the Windows Server Update Service (WSUS). This flaw, identified as CVE-2025-59287 with a CVSS score of 9.8, has been actively exploited in the wild, prompting immediate action from the tech giant.
Understanding the Vulnerability
CVE-2025-59287 is a remote code execution vulnerability stemming from the deserialization of untrusted data within WSUS. In practical terms, this means that an unauthenticated attacker could send a specially crafted event to the WSUS server, triggering unsafe object deserialization. This process could lead to the execution of arbitrary code with SYSTEM privileges, granting the attacker full control over the affected server.
The vulnerability specifically affects Windows servers with the WSUS Server Role enabled. Servers without this role are not impacted. The flaw was initially addressed in Microsoft’s Patch Tuesday update earlier in October. However, the emergence of a proof-of-concept exploit and reports of active exploitation necessitated this emergency patch.
Discovery and Reporting
The vulnerability was discovered and reported by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange from CODE WHITE GmbH. Their findings highlighted the risks associated with the deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint in WSUS. The process involves decrypting cookie data using AES-128-CBC and deserializing it through BinaryFormatter without proper type validation, thereby enabling remote code execution.
It’s noteworthy that Microsoft had previously advised developers against using BinaryFormatter for deserialization due to security concerns. In August 2024, the implementation of BinaryFormatter was removed from .NET 9 to mitigate such risks.
Microsoft’s Response
In response to the active exploitation of CVE-2025-59287, Microsoft released an out-of-band security update for several supported versions of Windows Server, including:
– Windows Server 2012
– Windows Server 2012 R2
– Windows Server 2016
– Windows Server 2019
– Windows Server 2022
– Windows Server 2022, 23H2 Edition (Server Core installation)
– Windows Server 2025
After applying the patch, Microsoft recommends performing a system reboot to ensure the update takes effect.
Mitigation Measures
For organizations unable to immediately apply the security update, Microsoft suggests the following temporary mitigation measures:
1. Disable WSUS Server Role: If the WSUS Server Role is enabled, consider disabling it until the patch can be applied.
2. Block Inbound Traffic: Configure the host firewall to block inbound traffic on ports 8530 and 8531, which are used by WSUS.
Microsoft advises against reversing these workarounds until the security update has been successfully installed.
Active Exploitation Observed
The Dutch National Cyber Security Centre (NCSC) reported that it learned from a trusted partner about the abuse of CVE-2025-59287 on October 24, 2025. Eye Security, the firm that notified NCSC-NL, observed the vulnerability being exploited to deploy a Base64-encoded payload targeting an unnamed customer. The payload, a .NET executable, utilizes a specific request header to execute commands via cmd.exe, effectively concealing the commands from appearing directly in logs.
Broader Context
This incident underscores the critical importance of timely patching and vigilant monitoring of server roles and configurations. WSUS, a vital component for managing and distributing updates in Windows environments, can become a significant security liability if vulnerabilities are not promptly addressed.
Organizations are urged to assess their systems for the presence of the WSUS Server Role and apply the necessary updates without delay. Additionally, reviewing and implementing Microsoft’s security best practices can help mitigate the risk of similar vulnerabilities in the future.
Conclusion
The active exploitation of CVE-2025-59287 highlights the ever-present threats in the cybersecurity landscape. Microsoft’s swift response with an emergency patch is a crucial step in protecting systems worldwide. However, the responsibility also lies with organizations to ensure that such patches are applied promptly and that interim mitigation measures are implemented as needed.
Staying informed about emerging vulnerabilities and maintaining a proactive approach to system security are essential strategies in safeguarding against potential exploits.
