Security researchers at Huntress have detected in-the-wild exploitation of a remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), which Microsoft recently addressed with an out-of-band security patch and which is tracked as CVE-2025-59287.
WSUS is a crucial tool employed by enterprise administrators to manage and distribute updates throughout corporate networks. The vulnerability arises from an unsafe deserialization bug, which allows unauthorized attackers to execute code remotely with elevated SYSTEM privileges.
Hawktrace, another security firm, has released a technical analysis of the vulnerability together with a proof-of-concept (PoC) that demonstrates how the exploitation works. Huntress has since confirmed that it has witnessed attacks exploiting this flaw across multiple clients.
Microsoft has rated the vulnerability a critical 9.8 out of 10 in severity. It is now included in the Known Exploited Vulnerabilities catalog maintained by the United States Cybersecurity and Infrastructure Security Agency (CISA).
So far, Huntress has observed attackers using this vulnerability to spawn command prompts and PowerShell instances that execute Base64-encoded payloads to gather sensitive network and user data. The collected information is then exfiltrated to a remote webhook site.
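The behaviour described above (a WSUS process spawning a command prompt or PowerShell with a Base64-encoded command) is straightforward to hunt for in process-creation telemetry. The following PowerShell is an added example, not Huntress' detection logic or anything from Microsoft: it runs over constructed records shaped like Windows Security event 4688 fields, decodes any `-EncodedCommand` argument, and reports why each record was flagged. The WSUS process names it checks (`WsusService.exe` for the service, `w3wp.exe` for the IIS worker hosting the WSUS web application) are an assumption on my part, not taken from the article.

```powershell
# Added example (not Huntress or Microsoft code). Flags process-creation records
# in which a WSUS process spawns a shell, or a shell runs a Base64-encoded command.
# ASSUMPTION: WSUS runs as WsusService.exe and its web front end inside w3wp.exe.
$WsusParents = @('wsusservice.exe', 'w3wp.exe')
$Shells      = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

function Get-EncodedPayload {
    # Decode a PowerShell -e / -ec / -enc / -EncodedCommand argument (UTF-16LE Base64).
    # Returns $null when no such argument is present or it does not decode.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Find-SuspiciousWsusChildren {
    # $Events: objects with TimeCreated, ParentProcessName, NewProcessName, CommandLine
    # (the 4688 field names). Emits one object per flagged record with the reasons.
    param([object[]]$Events)
    foreach ($e in $Events) {
        $parent  = [IO.Path]::GetFileName($e.ParentProcessName).ToLower()
        $child   = [IO.Path]::GetFileName($e.NewProcessName).ToLower()
        $reasons = @()
        if ($WsusParents -contains $parent -and $Shells -contains $child) {
            $reasons += 'shell spawned by WSUS process'
        }
        $decoded = Get-EncodedPayload $e.CommandLine
        if ($decoded) { $reasons += 'Base64-encoded PowerShell command' }
        if ($decoded -and $decoded -match '(?i)webhook|Invoke-WebRequest|Invoke-RestMethod|https?://') {
            $reasons += 'decoded payload reaches out over HTTP'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Parent  = $parent
                Child   = $child
                Decoded = $decoded
                Reasons = ($reasons -join '; ')
            }
        }
    }
}

# Constructed sample records, not real telemetry. The encoded string is a harmless
# placeholder built with the same UTF-16LE encoding PowerShell expects for -enc.
$placeholder = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('hostname; whoami'))
$Sample = @(
    [pscustomobject]@{ TimeCreated = '2025-10-24T03:12:00Z'
        ParentProcessName = 'C:\Program Files\Update Services\Service\WsusService.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = "cmd.exe /c powershell -nop -w hidden -enc $placeholder" }
    [pscustomobject]@{ TimeCreated = '2025-10-24T03:12:01Z'
        ParentProcessName = 'C:\Windows\System32\cmd.exe'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = "powershell -nop -w hidden -enc $placeholder" }
    [pscustomobject]@{ TimeCreated = '2025-10-24T03:15:00Z'   # benign: not flagged
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe' }
)

Find-SuspiciousWsusChildren $Sample | Format-Table -AutoSize
```

On a real server, feed the function from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688}` after mapping the event properties to the field names above; command-line logging in 4688 events only contains the command line if "Include command line in process creation events" audit policy is enabled, so the decoding step is empty on hosts where it is not.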
Because WSUS servers are typically not exposed to the internet, Huntress anticipates that exploitation will remain limited. Currently, around 25 hosts are identified as vulnerable within its partner network.
To mitigate risks, Huntress strongly recommends blocking inbound traffic to TCP ports 8530 and 8531 except for management hosts and Microsoft Update servers that genuinely require access to the WSUS environment.
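One way to apply that port restriction on the WSUS host itself, as an added example rather than Huntress' or Microsoft's own guidance: scope every inbound allow rule for TCP 8530/8531 to the approved sources and rely on the profile's default block for everything else. The allowed addresses are placeholders to be replaced with the organisation's management hosts and upstream update servers; the code assumes the Windows Defender Firewall (`NetSecurity` module) is in use and runs from an elevated prompt on the WSUS server.

```powershell
# Added example (not vendor guidance): restrict inbound TCP 8530/8531 on the WSUS
# host to approved sources. Run elevated on the WSUS server.
$WsusPorts      = @('8530', '8531')
# PLACEHOLDER: management subnet and upstream update server that may reach WSUS.
$AllowedSources = @('10.0.10.0/24', '10.0.20.5')

# 1. Unsolicited inbound traffic is dropped unless a rule allows it, on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# Helper: does this rule open one of the WSUS TCP ports?
function Test-WsusPortRule {
    param($Rule)
    $pf = $Rule | Get-NetFirewallPortFilter
    return ($pf.Protocol -eq 'TCP') -and (@($pf.LocalPort) | Where-Object { $_ -in $WsusPorts })
}

# 2. The WSUS role adds its own inbound allow rules during installation; scope any
#    enabled allow rule on these ports to the approved sources instead of Any.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { Test-WsusPortRule $_ } |
    Set-NetFirewallRule -RemoteAddress $AllowedSources

# 3. Add an explicit, narrowly scoped allow rule per port so the restriction is
#    present even if the product's own rules are later recreated or removed.
foreach ($port in $WsusPorts) {
    New-NetFirewallRule -DisplayName "WSUS TCP $port - approved sources only" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -RemoteAddress $AllowedSources -Action Allow -Profile Any | Out-Null
}

# 4. Verify: every enabled inbound rule touching the WSUS ports and its remote scope.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { Test-WsusPortRule $_ } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $af = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            LocalPort     = (@($pf.LocalPort) -join ',')
            RemoteAddress = (@($af.RemoteAddress) -join ',')
        }
    } | Format-Table -AutoSize
```

Two caveats worth keeping in mind. Windows Defender Firewall evaluates explicit Block rules ahead of Allow rules, so adding a Block rule for the same ports from Any would also block the management hosts; scoping the Allow rules and leaving the default inbound action at Block is the reliable way to express "only these sources". And a host firewall rule is one layer: the same restriction belongs on the network firewall in front of the server, and neither replaces installing the patch.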
The exploitation leverages the .NET serialization class BinaryFormatter, which Microsoft has long described as inherently insecure and slated for removal; it was indeed removed in .NET 9, released in 2024.
Patches addressing this vulnerability are now available for Windows Server versions 2012 through 2025; a system reboot is required after the update is installed.
