Recently, NSFOCUS CERT identified a critical remote code execution vulnerability in Microsoft’s Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The vulnerability arises because WSUS’s GetCookie function does not verify the type of incoming objects before deserializing them. This oversight allows an unauthenticated attacker to send malicious data that the server deserializes, ultimately gaining remote code execution. The vulnerability has been assigned a CVSS score of 9.8, indicating its high severity, and a proof of concept (PoC) has already been made public. Affected users are urged to take immediate precautions.
WSUS is designed to help organizations manage and distribute updates for Microsoft products, including security patches for various Microsoft applications such as Windows Operating Systems and Office products.
Affected Versions
The vulnerability affects the following Windows Server versions:
- Windows Server 2012
- Windows Server 2012 (Server Core installation)
- Windows Server 2012 R2
- Windows Server 2012 R2 (Server Core installation)
- Windows Server 2016
- Windows Server 2016 (Server Core installation)
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
- Windows Server 2022
- Windows Server 2022 (Server Core installation)
- Windows Server 2022, 23H2 Edition (Server Core installation)
- Windows Server 2025
- Windows Server 2025 (Server Core installation)
Mitigation
Microsoft has released a security patch to address this vulnerability for supported product versions. Affected users should install the patch as soon as possible. The patch can be accessed through the Microsoft Update Catalog. Users should also verify that the patch has been successfully applied by navigating to “Settings > Update and Security > Windows Update” on their machines.
It is critical to note that patch installations can fail due to various issues, such as network or environmental problems. If an update fails, users should visit the Microsoft Update Catalog to manually download and install the necessary patch.
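The Settings path above is not available on Server Core installations, so the same verification can be scripted. The following PowerShell script is an added example, not part of the NSFOCUS advisory or Microsoft's guidance; the update IDs are a parameter because the advisory text does not list them, and `KB0000000` is a placeholder rather than a real update ID.

```powershell
# Added example, not from the advisory: report WSUS role and patch state per server.
# The KB ID(s) are parameters because the advisory text does not list them; take
# them from the Microsoft Update Catalog entry for each OS version.
[CmdletBinding()]
param(
    [Parameter(Mandatory)]
    [ValidatePattern('^KB\d+$')]
    [string[]]$KbId,        # e.g. KB0000000 (placeholder, not a real update ID)

    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

foreach ($computer in $ComputerName) {
    $row = [ordered]@{
        Computer      = $computer
        WsusInstalled = $null
        InstalledKb   = $null
        Status        = 'CheckFailed'
    }
    try {
        # UpdateServices is the feature name of the WSUS server role.
        $role = Get-WindowsFeature -Name UpdateServices -ComputerName $computer -ErrorAction Stop
        $row.WsusInstalled = [bool]$role.Installed

        # Get-HotFix writes a non-terminating error for an ID that is absent, so
        # suppress it and treat an empty result as "not installed".
        $found = @(Get-HotFix -Id $KbId -ComputerName $computer -ErrorAction SilentlyContinue)
        $row.InstalledKb = ($found.HotFixID | Sort-Object -Unique) -join ','

        if (-not $row.WsusInstalled) {
            $row.Status = 'WsusRoleAbsent'
        } elseif ($found.Count -gt 0) {
            $row.Status = 'Patched'
        } else {
            $row.Status = 'MissingPatch'
        }
    } catch {
        # Unreachable host, access denied, or an OS without Get-WindowsFeature.
        $row.Status = "CheckFailed: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}
```

A `MissingPatch` result can also mean that a later cumulative update has replaced the listed one, so pass every update ID that carries the fix for that OS version.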
This advisory serves to inform users of the potential risks associated with this vulnerability. NSFOCUS does not guarantee the accuracy of the information provided and will not be liable for any consequences resulting from its use.