Microsoft has recently issued out-of-band security updates to address a critical-severity vulnerability in the Windows Server Update Service (WSUS), identified as CVE-2025-59287. This vulnerability, rated at a CVSS score of 9.8, allows for remote code execution through a flaw originally patched during last week’s Patch Tuesday.
The exploitation of this vulnerability is particularly concerning as proof-of-concept (PoC) exploits have become publicly available and there are confirmed cases of active exploitation in the wild. Three security researchers, recognized for reporting the flaw, discovered that it stems from the unsafe deserialization of untrusted data within WSUS. The issues specifically allow unauthorized attackers to execute code over a network, although it does not affect Windows servers lacking the WSUS Server Role.
In a typical attack scenario, a remote attacker could send crafted events that exploit the deserialization flaw related to AuthorizationCookie objects used in the GetCookie() endpoint. This flaw could enable an attacker to execute code with SYSTEM privileges.
Microsoft has highlighted the importance of ceasing the use of the BinaryFormatter method for deserialization due to its inherent risks when used with untrusted input. Following its recommendation, the BinaryFormatter was removed from .NET 9 in August 2024.
To mitigate the risks posed by CVE-2025-59287, Microsoft has provided security updates for supported Windows Server versions, including:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2022, 23H2 Edition
Users are advised to reboot their systems after applying the patch. If immediate installation of the patch is not feasible, Microsoft suggests disabling the WSUS Server Role (if activated) and blocking inbound traffic to ports 8530 and 8531 until the update is applied.
The development comes in light of intelligence from the Dutch National Cyber Security Centre (NCSC), which was informed of exploitation attempts of CVE-2025-59287 earlier this week. Cybersecurity firm Eye Security confirmed that abuse of the vulnerability was observed, utilizing a Base64-encoded payload targeting specific servers.
As the threat landscape evolves, it is critical for users and organizations to stay updated with the latest patches and follow security best practices to protect their systems from exploitative activities. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also marked this vulnerability as part of its Known Exploited Vulnerabilities catalog, emphasizing the urgency for remediation by November 14, 2025.