The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert regarding the active exploitation of a critical remote code execution (RCE) vulnerability in Microsoft’s Windows Server Update Services (WSUS). This flaw, identified as CVE-2025-59287, carries a Common Vulnerability Scoring System (CVSS) score of 9.8, indicating its severe impact. It allows unauthenticated attackers to execute arbitrary code with system-level privileges over a network, potentially compromising entire IT infrastructures.
Vulnerability Details
The root cause of this vulnerability lies in the unsafe deserialization of untrusted data within WSUS. Initially addressed during Microsoft’s October Patch Tuesday, the fix was found to be insufficient, necessitating an urgent out-of-band update released on October 23, 2025. This rapid response underscores the critical nature of the flaw and the immediate need for remediation.
Active Exploitation in the Wild
The threat landscape has escalated swiftly, with security firms reporting real-world attacks as early as October 24, 2025. Dutch cybersecurity company Eye Security detected exploitation attempts at 06:55 a.m. UTC on that day. These attacks involved a Base64-encoded .NET payload designed to evade logging mechanisms by executing commands via a custom request header named ‘aaaa’. This sophisticated method highlights the evolving tactics of threat actors in leveraging such vulnerabilities.
Proof-of-Concept Exploits Accelerate Attacks
The release of proof-of-concept (PoC) exploits by researcher Batuhan Er of HawkTrace has further accelerated malicious activities. These PoCs enable attackers to target WSUS servers operating under the SYSTEM account, thereby facilitating unauthorized access and control over affected systems.
CISA’s Response and Mandates
In response to the active exploitation, CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog. This inclusion mandates that federal agencies apply the necessary patches by November 14, 2025. The directive underscores the high exploitability and low complexity of the vulnerability, as it requires no user interaction or authentication to be exploited.
Risks to Organizations
Organizations that rely on WSUS for centralized patch management are at significant risk. A successful breach could allow attackers to distribute malicious updates across all connected devices, leading to widespread system compromise. The potential for such extensive impact necessitates immediate attention and action from all affected entities.
Affected Systems and Patch Information
The following Windows Server versions are affected by this vulnerability:
– Windows Server 2012: Patch KB5070887 (Standard and Server Core)
– Windows Server 2012 R2: Patch KB5070886 (Standard and Server Core)
– Windows Server 2016: Patch KB5070882 (Standard and Server Core)
– Windows Server 2019: Patch KB5070883 (Standard and Server Core)
– Windows Server 2022: Patch KB5070884 (Standard and Server Core)
– Windows Server 2022, 23H2 Edition: Patch KB5070879 (Server Core installation)
– Windows Server 2025: Patch KB5070881 (Standard and Server Core)
Technical Exploitation Mechanism
The vulnerability exploits a legacy serialization mechanism within the GetCookie() endpoint of WSUS. In this process, encrypted AuthorizationCookie objects are decrypted using AES-128-CBC and deserialized via BinaryFormatter without proper type validation. This oversight opens the door for attackers to execute arbitrary code, leading to full system takeover.
Discovery and Acknowledgment
The issue was first identified by security researchers from CODE WHITE GmbH, including Markus Wulftange, along with independent experts MEOW and f7d8c52bec79e42795cf15888b85cbad. Their contributions have been acknowledged in Microsoft’s advisory, highlighting the collaborative effort in addressing this critical vulnerability.
Mitigation Recommendations
CISA and Microsoft have provided the following recommendations to mitigate the threat:
1. Identify Vulnerable Servers: Conduct scans to detect servers with the WSUS role enabled and open ports 8530/8531.
2. Apply the Out-of-Band Patch: Immediately install the October 23, 2025, out-of-band patch and reboot the systems to ensure full mitigation. Delaying this action could expose networks to unauthenticated RCE attacks.
3. Implement Temporary Workarounds: If immediate patching is not feasible, consider disabling the WSUS role or blocking inbound traffic to the affected ports at the host firewall. These measures should remain in place until the update is applied.
4. Update All Windows Servers: Ensure that all Windows Servers are updated and rebooted post-installation to maintain a secure environment.
5. Deploy Monitoring Tools: Utilize monitoring tools to detect anomalous WSUS traffic, such as unusual GetCookie() requests or Base64 payloads, which may indicate exploitation attempts.
Conclusion
The active exploitation of CVE-2025-59287 poses a significant threat to organizations utilizing WSUS for patch management. Immediate action is required to apply the necessary patches and implement recommended mitigations to protect IT infrastructures from potential compromise. Staying vigilant and proactive in addressing such vulnerabilities is crucial in maintaining a secure and resilient network environment.
