Emergency Patch Released for Critical WSUS Vulnerability
Microsoft has issued emergency out-of-band security updates to address CVE-2025-59287, a critical remote code execution vulnerability affecting Windows Server Update Services (WSUS) that's already being actively exploited in the wild. The flaw, with a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges through unsafe object deserialization in WSUS servers.
'Our morning coffee was rudely interrupted by a critical alert from a customer's WSUS system,' said Bas van den Berg, security researcher at Eye Security, who first documented the in-the-wild exploitation. 'The alert pointed to suspicious activity captured in our EDR's telemetry: whoami.exe had been executed, with w3wp.exe as the parent process. This usually strongly suggests a malicious ASPX webshell.'
How the Exploit Works
The vulnerability resides in the unsafe deserialization of AuthorizationCookie objects in WSUS's BinaryFormatter. Attackers can send specially crafted requests to the ClientWebService/client.asmx endpoint on ports 8530 (HTTP) or 8531 (HTTPS) to trigger remote code execution. Security firm HawkTrace published technical details and a proof-of-concept exploit on October 18, 2025, which initially demonstrated calculator pop-up capabilities.
However, real-world attackers have significantly enhanced the exploit. 'This was very different from the POC by HawkTrace and shows that the threat actor had capabilities beyond that of a script kiddie,' van den Berg noted. The attackers used a ysoserial.net gadget chain with an embedded PE file that takes command input from HTTP headers and executes them via cmd.exe.
Evidence of Active Exploitation
Eye Security's investigation revealed manual reconnaissance activity with commands separated by seconds, indicating hands-on-keyboard operations rather than automated scripts. The attackers used the exploit to run system enumeration commands and potentially prepare for ransomware deployment.
According to CISA, the U.S. Cybersecurity and Infrastructure Security Agency has added this vulnerability to its Known Exploited Vulnerabilities Catalog and requires federal agencies to remediate by November 14, 2025.
Global Impact and Exposure
Initial internet scans revealed approximately 8,000 WSUS servers exposed to the internet, with many belonging to high-value organizations. The Dutch National Cyber Security Centre (NCSC-NL) has also confirmed active exploitation in the Netherlands.
'We've reproduced the exploit chain and with the right invocation of ysoserial.net, we were able to achieve arbitrary remote code execution,' van den Berg emphasized. 'The implications are clear: this is a serious threat that requires immediate action.'
Immediate Recommendations
Microsoft has released patches for all affected Windows Server versions (2025, 2022, 2019, 2016, 2012 R2, and 2012) through KB5070883. Organizations should:
- Apply the emergency patch immediately and reboot affected systems
- Ensure WSUS servers are not exposed to the internet unless absolutely necessary
- Deploy state-of-the-art EDR solutions with human triage capabilities
- Monitor SoftwareDistribution.log for specific Indicators of Compromise
For organizations unable to patch immediately, temporary workarounds include disabling the WSUS Server Role or blocking inbound traffic on ports 8530 and 8531, though this will prevent local endpoints from receiving updates.