Network defenders are urged to address a newly discovered critical vulnerability in Windows Server Update Services (WSUS) that is currently being exploited. Microsoft released an out-of-band update to rectify this issue last Thursday, coinciding with reports from Huntress of threat actors actively targeting WSUS instances accessible through their default ports, 8530 and 8531.
The vulnerability, identified as CVE-2025-59287, is characterized as a "deserialization of untrusted data vulnerability" that enables remote code execution (RCE). According to HawkTrace, this flaw allows an unauthenticated attacker to execute arbitrary code with system privileges simply by sending malicious cookies to the GetCookie() endpoint, without requiring any user interaction or special privileges.
The US Cybersecurity and Infrastructure Security Agency (CISA) added this CVE to its Known Exploited Vulnerabilities (KEV) catalog on Friday, highlighting significant risks to federal agencies, which must apply patches by November 14.
WSUS, although not enabled by default, is widely used by IT administrators to manage and distribute Microsoft product updates across networked computers, increasing the stakes of this vulnerability. Patrick Münch, CISO at Mondoo, noted that a compromised WSUS server could potentially be leveraged to deploy malicious updates to an entire network, making immediate mitigation and rectification of the flaw critical for organizations.
Huntress recommends that Windows Server customers prioritize patching and suggests isolating network access to WSUS as an additional remediation step. This involves ensuring that only necessary management hosts and Microsoft Update servers have access while blocking all other connections to TCP ports 8530 and 8531.
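As a concrete form of the network-isolation step described above, the following PowerShell is an added example, not code from the article, Huntress or Microsoft. It inventories what is listening on the WSUS ports, disables inbound allow rules that expose TCP 8530/8531 to any address, and replaces them with a rule scoped to an explicit allow list. The addresses and rule name are placeholders; the allow list must contain every source the environment legitimately needs (the management hosts the article names, plus any client subnets or downstream WSUS servers that pull updates from this instance).

```powershell
# Added example (not from the article or from Huntress/Microsoft): restrict inbound WSUS
# traffic on TCP 8530/8531 to an explicit allow list with the built-in NetSecurity cmdlets.
# Run in an elevated PowerShell on the WSUS server. All addresses below are placeholders.

# Sources that legitimately need to reach WSUS (constructed placeholder values).
$AllowedHosts = @('10.0.10.5', '10.0.10.6', '10.0.20.0/24')  # admin hosts, client subnet
$WsusPorts    = @('8530', '8531')

# 1. Confirm the WSUS role is present and see what is actually listening on the ports.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host 'WSUS role not installed on this host; nothing to isolate.'
    return
}
Get-NetTCPConnection -LocalPort $WsusPorts -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Find enabled inbound allow rules that open the WSUS ports to any remote address
#    and disable them; explicit block rules are not used because in Windows Firewall a
#    block rule would also override the scoped allow rule created in step 3.
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $pf.Protocol -eq 'TCP' -and ($pf.LocalPort | Where-Object { $WsusPorts -contains $_ })
    }
foreach ($rule in $openRules) {
    $af = $rule | Get-NetFirewallAddressFilter
    if ($af.RemoteAddress -eq 'Any') {
        Write-Host "Disabling unrestricted WSUS rule: $($rule.DisplayName)"
        Disable-NetFirewallRule -Name $rule.Name
    }
}

# 3. With the default inbound action set to Block, only the scoped allow rule admits
#    traffic to 8530/8531; every other source is dropped.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'WSUS - allow-listed sources only (placeholder name)' `
    -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
    -RemoteAddress $AllowedHosts -Action Allow -Profile Any

# 4. Show the resulting scope for review.
Get-NetFirewallRule -DisplayName 'WSUS - allow-listed sources only (placeholder name)' |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Step 2 matches rules whose port filter lists the exact ports; a rule written as a port range (for example 8530-8531) is not caught and should be reviewed by hand. This is a stop-gap that reduces exposure while the out-of-band update is rolled out; it does not replace patching.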
For more information on emergency updates from Microsoft, refer to this article: Microsoft Issues Out-of-Band Update to Fix Recovery Issues.
