On Thursday, Microsoft issued an urgent out-of-band security update to address a critical-severity vulnerability in the Windows Server Update Service (WSUS). This vulnerability, designated as CVE-2025-59287, poses a significant threat with a CVSS score of 9.8 and has been identified as a remote code execution flaw. The vulnerability has already been exploited in the wild, with a proof-of-concept (PoC) exploit made publicly available.
The vulnerability in question allows unauthorized attackers to execute malicious code over a network by exploiting a case of unsafe deserialization of untrusted data in WSUS. This flaw was initially addressed in Microsoft's recent Patch Tuesday update, but further scrutiny revealed that it required additional remediation.
Three security researchers—MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange from CODE WHITE GmbH—were instrumental in identifying and reporting the bug. Their findings indicate that a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization within a legacy serialization mechanism, ultimately leading to remote code execution.
According to Batuhan Er, a security researcher at HawkTrace, the flaw stems from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint. During this process, encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized using BinaryFormatter without adequate type validation. This oversight allows attackers to execute code with SYSTEM privileges.
Microsoft had previously advised developers to avoid using BinaryFormatter for deserialization due to inherent safety risks with untrusted input. The company has since removed the implementation of BinaryFormatter from .NET 9, effective August 2024.
To fully address CVE-2025-59287, Microsoft has released an out-of-band security update for several supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 (23H2 Edition, Server Core installation), and Windows Server 2025. Users are advised to reboot their systems after applying the patch for it to take effect.
If immediate application of the out-of-band update is not feasible, users can take alternative precautions such as:
- Disabling the WSUS Server Role on the server (if enabled)
- Blocking inbound traffic to ports 8530 and 8531 on the host firewall
Microsoft warns users not to reverse these workarounds until after the update has been installed.
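As an added example (not code from the article, from Microsoft or from the researchers named here), the following PowerShell applies the interim workaround above on a Windows Server host: it checks whether the WSUS Server Role is installed and, if so, adds a host-firewall rule blocking inbound TCP 8530 and 8531. It assumes the Windows feature name 'UpdateServices' and the default WSUS ports; the rule display name is a chosen placeholder.

```powershell
# Added example: interim workaround for CVE-2025-59287 (not from the article).
# Run in an elevated PowerShell session on the WSUS host.
# Assumptions: the WSUS role is the Windows feature 'UpdateServices' and WSUS
# listens on its default ports 8530 (HTTP) and 8531 (HTTPS).

$WsusPorts = @(8530, 8531)
$RuleName  = 'CVE-2025-59287 workaround - block inbound WSUS'   # placeholder name

# Hosts without the WSUS Server Role are not affected, so check that first.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS Server Role is not installed; this host is not exposed via WSUS.'
    return
}
Write-Output 'WSUS Server Role is installed; applying the interim workaround.'

# Record what is currently listening on the WSUS ports so the change is auditable.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# Block inbound TCP to 8530/8531 on the host firewall (idempotent: skip if present).
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule '$RuleName'."
} else {
    Write-Output "Firewall rule '$RuleName' already exists; nothing to do."
}

# Verify the rule is enabled and covers the expected ports.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort

# The more disruptive alternative named in the workaround, removing the role
# entirely, would be: Uninstall-WindowsFeature -Name UpdateServices -Restart
```

Keep the firewall rule in place until the out-of-band update has been installed and the server rebooted; only then remove it with Remove-NetFirewallRule -DisplayName on the same rule name.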
The urgency of this update is underscored by reports from the Dutch National Cyber Security Centre (NCSC), which indicated that exploitation of CVE-2025-59287 was detected on October 24, 2025. Eye Security, which alerted NCSC-NL, reported observing the vulnerability being exploited at 06:55 a.m. UTC. The malicious payload delivered was a .NET executable that utilizes the value from the 'aaaa' request header to execute commands via cmd.exe without logging the commands directly.
Piet Kerkhofs, CTO of Eye Security, noted that the PoC exploit made available by HawkTrace just two days prior facilitated this exploitation. Microsoft acknowledged the seriousness of the vulnerability, stating that they re-released the CVE after identifying that the initial update did not fully mitigate the issue. They emphasized that servers without the WSUS Server Role enabled are not affected by this vulnerability.
Given the availability of a proof-of-concept exploit and confirmed exploitation activity, it is critical for users to apply the security patch without delay to mitigate potential threats. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also included this vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, mandating that federal agencies remediate it by November 14, 2025.
In conclusion, users are urged to remain vigilant and proactive in securing their systems against this significant threat to ensure the integrity and security of their Windows Server environments.