Microsoft has rolled out a new emergency update to fix a severe flaw in its Windows Server Update Service, known as CVE-2025-59287, after cybersecurity researchers reported active exploitation in the wild. The flaw allows attackers to remotely execute code on vulnerable systems, putting enterprise networks at serious risk.
WSUS Vulnerability Poses Serious Risk to Organizations
CVE-2025-59287 affects the Windows Server Update Service, a key tool used by administrators to manage and deploy software patches, hotfixes, and service packs. The vulnerability, rated 9.8 out of 10 on the CVSS scale, allows attackers to exploit unsafe object deserialization in a legacy serialization system.
Security companies warned that exploitation started almost immediately after Microsoft’s initial October patch. Huntress researchers noted that threat actors are actively scanning publicly exposed WSUS instances on default ports 8530 and 8531.
Horizon3 analysts added, “We expect more attacker activity for this vulnerability to hit CISA KEV very soon, as more organizations are being affected.” The Cybersecurity and Infrastructure Security Agency (CISA) promptly added the flaw to its Known Exploited Vulnerabilities Catalog.
Microsoft Rereleases Patch After Initial Update Fell Short
Microsoft initially issued a patch during October’s Patch Tuesday, but the company confirmed the update did not fully mitigate the issue. The rereleased emergency patch aims to provide comprehensive protection. A Microsoft spokesperson told reporters that systems with the latest update are now safe, but did not specify what was missing from the first patch.
Cybersecurity firm Hawktrace highlighted the technical cause of the flaw. Batuhan Er, a Hawktrace researcher, explained that the vulnerability arises from AuthorizationCookie objects processed by the GetCookie() endpoint. The objects are deserialized using BinaryFormatter without proper type validation, allowing attackers to execute malicious code.
Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing input sanitization on all cookie data.
Who is at Risk and How to Mitigate Now
The vulnerability only affects systems where the WSUS Server Role is enabled, which is not the default setting in Windows Server. Organizations using WSUS should check their configurations immediately.
Microsoft also suggested temporary mitigations, including:
Disabling the WSUS Server Role if not actively needed
Blocking inbound traffic on ports 8530 and 8531 using host firewalls
These steps can limit exposure while administrators apply the updated patch.
Exploitation Already Underway
Researchers have observed that attackers are actively targeting WSUS servers exposed to the internet. Huntress reported exploitation activity began the same day Microsoft released the emergency update, emphasizing the urgency for organizations to act immediately.
Threat actors may use publicly available proof-of-concept exploits to compromise vulnerable systems. This fast-moving situation highlights the ongoing risks in enterprise networks where legacy systems or misconfigured servers remain online.
Table: Quick Reference for WSUS CVE-2025-59287
| Detail | Information |
|---|---|
| CVE | 2025-59287 |
| Severity | 9.8 CVSS |
| Affected Component | Windows Server Update Service (WSUS) |
| Default Ports | 8530, 8531 |
| Mitigation | Apply updated patch, disable WSUS role, block ports |
| Exploitation | Observed in the wild starting Oct 23-24 |
Immediate Actions for IT Teams
Security experts urge administrators to verify their patch status immediately. Any WSUS server that has not received the latest update is considered high risk. Beyond patching, auditing exposed servers and reviewing firewall rules can prevent exploitation.
This vulnerability is a stark reminder of the critical importance of timely patch management and careful configuration of update services in enterprise networks.
Microsoft continues to monitor activity and advises organizations to stay alert. With active exploitation reported, even brief delays in updating could have serious consequences.
CVE-2025-59287 underscores a broader trend: attackers increasingly target critical update mechanisms to gain access to enterprise systems. Organizations should ensure not only patching but also proper segmentation and monitoring of servers exposed to the internet.
The speed and intensity of attacks on WSUS servers make it clear that applying the new update without delay is not optional. Enterprises should review their internal monitoring, firewall rules, and WSUS configurations today to prevent any potential breaches.
The window for defense is narrow, and every hour counts. Are your systems fully protected? Share this information with your colleagues to ensure teams act fast and secure their networks against CVE-2025-59287.
