Microsoft Patches Actively Exploited WSUS Vulnerability
Microsoft has released an out-of-band security update to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services

CYBER SYRUP
Delivering the sweetest insights on cybersecurity.

Microsoft has released an out-of-band security update to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS) after researchers observed active exploitation in the wild. The flaw, tracked as CVE-2025-59287, affects multiple versions of Windows Server, including 2012, 2016, 2019, 2022, and 2025.
The vulnerability, rated CVSS 9.8 (critical), enables a remote, unauthenticated attacker to execute arbitrary code as SYSTEM, the most privileged local account on Windows.
Background: What is WSUS?
Windows Server Update Services (WSUS) is a core component of Microsoft’s enterprise patching ecosystem. It allows administrators to centrally manage updates and security patches across corporate networks, ensuring consistent and secure software maintenance.
Due to WSUS’s privileged role in the update infrastructure, a successful compromise could allow attackers to manipulate software updates, deploy malware through trusted channels, or gain administrative control over connected systems.
The Vulnerability Explained
According to Microsoft’s advisory, the issue stems from unsafe object deserialization in a legacy serialization mechanism within WSUS. This flaw allows an attacker to send a maliciously crafted event to a vulnerable server, triggering arbitrary code execution.
“A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution,” Microsoft stated.
On October 18, security firm HawkTrace publicly disclosed technical details and a proof-of-concept (PoC) exploit, demonstrating how an unauthenticated attacker could exploit the bug to run code with elevated privileges.
Active Exploitation Confirmed
Within days of the PoC release, Eye Security and the Dutch National Cyber Security Centre (NCSC-NL) reported active exploitation of CVE-2025-59287. Researchers estimate that approximately 2,500 WSUS instances remain exposed worldwide, leaving many organizations vulnerable to compromise.
Microsoft updated its advisory on October 23 to reflect these developments and issued out-of-band updates to fully mitigate the vulnerability. While WSUS is not enabled by default, organizations that have deployed the WSUS Server Role are urged to patch immediately.
Mitigation and Recommendations
Microsoft advises all affected organizations to:
Apply the out-of-band security update immediately and restart the server afterwards; the fix does not take effect until the reboot.
Disable the WSUS Server Role temporarily if immediate patching is not possible, keeping in mind that clients stop receiving updates from that server until the role is restored.
Restrict network access to WSUS servers, in particular inbound TCP 8530 (HTTP) and 8531 (HTTPS), the ports WSUS listens on by default, and monitor those servers for suspicious activity such as the WSUS service or its IIS worker process spawning a command shell.
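The triage and workaround steps above, gathered into one script as an added example; this is not code from the article, from Cyber Syrup or from Microsoft. It assumes the WSUS role name UpdateServices, the default ports 8530/8531, and a KB number that you supply from Microsoft's advisory for your OS build (the placeholder is hypothetical). The Find-WsusShellSpawn check is a heuristic assumption about post-exploitation behaviour (a service-level RCE runs inside wsusservice.exe or the WSUS IIS worker process, so a shell child of either is suspicious), not a published detection signature.

```powershell
# Added example for this article (not Microsoft's tooling, not the article's own code).
# Run in an elevated PowerShell session on the WSUS host itself.
# Assumptions: role name 'UpdateServices', default ports 8530/8531, and a KB id supplied
# by the operator from Microsoft's advisory; the shell-spawn check is a heuristic.

function Test-WsusExposure {
    param(
        # Hypothetical placeholder: the out-of-band KB for this server's OS build.
        [Parameter(Mandatory)][string]$FixKb
    )
    $r = [ordered]@{}

    # 1. Only hosts with the WSUS Server Role are affected (the role is off by default).
    $r.RoleInstalled = [bool](Get-WindowsFeature -Name UpdateServices).Installed
    if (-not $r.RoleInstalled) { return [pscustomobject]$r }

    # 2. Is the out-of-band cumulative update present? Get-HotFix lists LCUs by KB id.
    $fix = Get-HotFix -Id $FixKb -ErrorAction SilentlyContinue
    $r.FixInstalled = [bool]$fix

    # 3. The fix only takes effect after a restart; compare last boot with the install date
    #    (InstalledOn is date-only, so this is a day-granularity heuristic).
    $lastBoot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    $r.RebootedAfterFix = [bool]($fix -and $fix.InstalledOn -and $lastBoot -gt $fix.InstalledOn)

    # 4. Which of the WSUS ports are accepting connections right now.
    $r.ListeningPorts = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    # 5. Is the interim workaround (host-firewall block on inbound 8530/8531) in place?
    #    Only exact port entries are matched; a rule written as a range is not recognised.
    $block = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -contains '8530' -or $_.LocalPort -contains '8531') }
    $r.InboundBlockRule = [bool]$block

    return [pscustomobject]$r
}

function Block-WsusInbound {
    # Interim workaround when patching must wait: block inbound 8530/8531 at the host firewall.
    # Caveat: clients stop receiving updates from this server until the rule is removed.
    New-NetFirewallRule -DisplayName 'CVE-2025-59287 workaround: block WSUS inbound' `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block -Profile Any
}

function Find-WsusShellSpawn {
    # Heuristic: look for cmd.exe / powershell.exe children of the WSUS service or the
    # IIS worker process. Security 4688 needs "Audit Process Creation" enabled (and the
    # command-line policy for CommandLine); Sysmon event 1 is used too when present.
    param([int]$Hours = 72)
    $since    = (Get-Date).AddHours(-$Hours)
    $parents  = 'wsusservice.exe', 'w3wp.exe'
    $children = 'cmd.exe', 'powershell.exe', 'pwsh.exe'

    $events = @()
    $events += Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue
    $events += Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1; StartTime=$since} -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Pull the named EventData fields out of the event XML.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = if ($e.Id -eq 4688) { $d['ParentProcessName'] } else { $d['ParentImage'] }
        $child  = if ($e.Id -eq 4688) { $d['NewProcessName'] }    else { $d['Image'] }
        if ($parent -and $child -and
            ($parents  -contains (Split-Path $parent -Leaf).ToLower()) -and
            ($children -contains (Split-Path $child  -Leaf).ToLower())) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                CommandLine = $d['CommandLine']
            }
        }
    }
}

# Usage (elevated, on the WSUS host):
#   Test-WsusExposure -FixKb 'KB<number from the advisory>'   # placeholder, fill in for your OS
#   Find-WsusShellSpawn -Hours 168
#   Block-WsusInbound                                         # only while the patch is pending
```

Run Test-WsusExposure first: a host with RoleInstalled false is out of scope, one with FixInstalled true but RebootedAfterFix false is still vulnerable, and one with ports listening and no block rule and no fix is the case to act on today. Find-WsusShellSpawn only finds what the audit policy recorded, so an empty result on a host without process-creation auditing is not evidence of absence.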
Microsoft's original advisory rated the vulnerability "Exploitation More Likely"; independent reports have since confirmed that threat actors are already targeting unpatched systems.
Organizations are strongly encouraged to act quickly to prevent further exploitation and to verify that their WSUS infrastructure is fully secured.

