Microsoft Issues Emergency Patch for Windows Server Update Services RCE Vulnerability CVE-2025-59287

LevelBlue Labs is tracking a severe vulnerability in Windows Server Update Services (WSUS), CVE-2025-59287, that allows attackers to remotely execute code without authentication and is being exploited by threat actors to compromise vulnerable Windows Server users.

Windows Server Update Services (WSUS) is a Microsoft tool that enables IT administrators to manage the distribution of updates and hotfixes released for Microsoft products to computers in a corporate environment. Instead of every device downloading updates directly from Microsoft, WSUS acts as a centralized server that downloads updates once and then distributes them to client machines. This setup helps reduce bandwidth usage, ensures compliance, and gives admins control over what gets installed and when.

Since WSUS is designed for internal network use, it is expected that basic network hygiene is applied and that the server is kept behind a firewall or VPN to block any exploitation attempts. Any client machine communicating with WSUS should use port 8530 for HTTP and port 8531 for HTTPS.

The vulnerability, CVE-2025-59287, is a deserialization vulnerability of data sent to the server through the API. The .NET component is responsible for deserialization, which fails to enforce strict type validation, allowing an unauthenticated attacker to send a crafted request containing a malicious serialized payload that would be executed with SYSTEM privileges.

The vulnerability impacts Windows Server versions from 2012 to 2025 as long as the WSUS Server Role is enabled and the threat actor has access to the server, which should not occur too often.

The severity of the vulnerability resides in the nature of these servers, being a trusted update distribution point. If successfully exploited, these could become a source of a supply chain compromise from inside the organization and quickly move laterally through the network. This vulnerability has quickly escalated its severity and drawn significant attention across cybersecurity communities, not only because of the supply chain implications, but also because of Microsoft’s need to release an out-of-band security update, as we can see in the timeline:

• October 14: Microsoft released an initial patch on Patch Tuesday to address a deserialization vulnerability impacting Reporting WebService objects sent via the SOAP API.
• October 21: The Cybersecurity solutions company Hawktrace published a blog covering the vulnerability and sharing a Proof of Concept (PoC) to send maliciously crafted Authorization cookies that would exploit the vulnerability once deserialized. 
• October 23: Microsoft released an out-of-band security update to patch a vulnerability in the WSUS that is being exploited in the wild.
• October 23 & 24: CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog on October 24, 2025, and several cybersecurity companies reported attacks observed in the wild.
• October 29: CISA finished updating its guidance on the vulnerability.

How do we know if a device is vulnerable?

• Check WSUS Installation via PowerShell: Run the following command ‘Get-WindowsFeature -Name UpdateServices’ to check if WSUS is in an installed state:
• Review Server Manager Dashboard: In Server Manager, confirm whether Windows Server Update Services is enabled as a Server Role.
• Network Traffic Analysis: If WSUS enablement cannot be confirmed through configuration checks, analyze historical network traffic for connections on TCP ports 8530 and 8531. This can help identify undisclosed or forgotten WSUS instances within the environment.

Detections

Monitor for anomalous child processes spawned by WSUS-related executables, particularly wsusservice.exe and w3wp.exe (IIS worker process). These processes should normally handle update synchronization and web service operations, not execute arbitrary commands or launch PowerShell or any other command-line or scripting engines.

Review the released Suricata detection. LevelBlue Labs has released one that looks at potential exploit content in post requests to ReportingWebService.asmx. Additionally, ProofPoint, in its Emerging Threats open detections, has released two rules to detect exploit attempts: one looks at the abovementioned endpoint, while the second looks at ClientWebService/Client.asmx and inspects the cookie’s body.

If the previous methods have not fully clarified whether the device could be infected, LevelBlue recommends a full network telemetry review to identify outbound connections from WSUS to unknown external servers.

All the detections mentioned above are named in Appendix A: Detection methods.

Recommended Actions

1. Apply Microsoft Security Updates: The most effective remediation is to apply Microsoft’s official patches as soon as possible. These updates address the vulnerability and restore secure functionality.
   
   
2. Temporary Workarounds: Disable the WSUS Server Role. This will completely remove the attack surface but will also prevent the distribution of updates and hotfixes to networked systems. Organizations should weigh this against operational requirements.
   
   
3. Block Inbound Traffic to WSUS Ports (TCP on 8350 and 8351) at the Host Level: This approach is more effective than perimeter-only blocking because it mitigates both internal and external attack vectors. Note that this will render WSUS non-operational.

Detection Methods

The following associated detection methods are used by LevelBlue Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

Associated Indicators (IOCs)

The following technical indicators are associated with the reported intelligence.

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

• TA0001: Initial Access
  • T1190: Exploit Public-Facing Application
  • T1195: Supply Chain Compromise
    • T1195.002: Compromise Software Supply Chain
• TA0043: Reconnaissance
  • T1595: Active Scanning
    • T1595.002: Vulnerability Scanning

References

The following list of sources was used by the report author(s) during the collection and analysis process associated with this intelligence report.

1. https://support.microsoft.com/en-us/topic/october-14-2025-kb5066836-os-build-14393-8519-185c51be-5c70-42df-9c96-4f71c02e9b17
2. https://support.microsoft.com/en-us/topic/october-23-2025-kb5070882-os-build-14393-8524-out-of-band-3400c459-db78-48bc-ae69-f61bff15ea7c
3. https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
4. https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve
5. https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
6. https://x.com/Horizon3ai/status/1981751098999259566

LevelBlue Labs rates sources based on the Intelligence source and information reliability rating system to assess the reliability of the source and the assessed level of confidence we place on the information distributed. The following chart contains the range of possibilities, and the selection applied to this report can be found on Page 1.

Source Reliability

Information Reliability

Feedback

LevelBlue Labs welcomes feedback about the reported intelligence and delivery process. Please contact the LevelBlue Labs report author or contact alienlabs@intl.att.com.