Microsoft recently issued out-of-band patches to address a critical vulnerability in the Windows Server Update Service (WSUS), identified as CVE-2025-59287. This vulnerability, known for allowing remote code execution with SYSTEM privileges, was not fully rectified by earlier patches released on October 14. As a result, attackers have begun exploiting this flaw in the wild following the revelation of a detailed vulnerability analysis and proof-of-concept exploit.
The problem arises from vulnerable deserialization of the AuthorizationCookie object within WSUS environments, frequently employed by enterprises to manage Microsoft updates for Windows systems effectively. Although WSUS is not enabled by default on Windows servers, it can be activated by enabling the WSUS Server Role.
Microsoft’s initial patch included in its October Patch Tuesday release proved insufficient, necessitating additional updates for several Windows Server versions including Server 2012, 2012 R2, 2016, 2019, 2022 (both Standard and Core installations), and 2025. Organizations are strongly recommended to apply these patches immediately to mitigate risk. Temporary workarounds suggest disabling WSUS or blocking inbound traffic on ports 8530 and 8531, which, however, will render the service non-operational until the complete patches are installed.
Despite the lack of explicit mention of real-world exploitation in Microsoft’s advisory, researchers from the cybersecurity firm Huntress and the Dutch government’s National Cybersecurity Center reported evidence of active attacks. These attacks emerged soon after the exploitation method was disclosed by HawkTrace researchers. Huntress observed that attackers targeted publicly exposed WSUS instances on their default ports, deploying specially crafted requests that triggered the RCE against the update service.
During these exploit attempts, the WSUS worker process was observed to launch command prompt and PowerShell instances, downloading and executing a base64-encoded payload. This was designed to scan the network for servers and gather user information, which was subsequently sent to a remote server controlled by the attackers.
For detailed indicators of compromise and forensic artifacts associated with this exploit, Huntress provides information formatted for the Sigma SIEM detection system.
For further reading, refer to these related resources: