Microsoft on Thursday released an out-of-band security update to patch a critical Windows Server Update Services (WSUS) vulnerability that has a publicly available proof-of-concept (PoC) exploit and has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-59287 (CVSS Score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of a Patch Tuesday update published last week.
Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85c Bad, and Markus Wulftange of Code White GmbH, are credited with discovering and reporting the bug.
The vulnerability stems from deserialization of untrusted data in WSUS and could allow an unauthenticated attacker to execute code over the network. It's worth noting that the vulnerability does not affect Windows Server installations that do not have the WSUS server role enabled.
In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a “legacy serialization mechanism”, leading to remote code execution.
According to Hawktrace security researcher Batuhan Er, the issue arises from "insecure deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where the encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized via BinaryFormatter without proper type validation, enabling remote code execution with system privileges."
It's worth noting that Microsoft had already recommended that developers stop using BinaryFormatter for deserialization, because the method is not safe when used with untrusted input. The BinaryFormatter implementation was subsequently removed from .NET 9 in August 2024.
Figure: .NET executable deployed via CVE-2025-59287
Redmond said in an update, “To comprehensively address CVE-2025-59287, Microsoft has released an out-of-band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 edition (Server Core installation), and Windows Server 2025.”
Once the patch is installed, the system should be rebooted for the update to take effect. If applying the out-of-band update is not immediately possible, users can take either of the following actions to mitigate the flaw:
- Disable the WSUS Server role (if enabled)
- Block inbound traffic to ports 8530 and 8531 on the host firewall
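The following is an added example, not part of the article or Microsoft's advisory, showing how an administrator could check whether a host is in scope and apply the interim firewall workaround listed above. It assumes the ServerManager and NetSecurity modules available on Windows Server, and that it is run as Administrator on the WSUS host.

```powershell
# Added example: check WSUS exposure and apply the interim port-block workaround.
# Assumes Windows Server with the ServerManager and NetSecurity modules (standard on Server).

$wsusRole = Get-WindowsFeature -Name UpdateServices
if (-not $wsusRole.Installed) {
    Write-Host "WSUS role not installed; CVE-2025-59287 does not apply to this host."
    return
}

# Show what is listening on the WSUS ports and which interfaces it is bound to.
Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Interim workaround: block inbound TCP 8530/8531 until the out-of-band update is installed.
# Caveat: this also stops WSUS clients from pulling updates from this server.
$ruleName = "Block WSUS 8530-8531 (CVE-2025-59287 interim)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    Write-Host "Inbound block rule for TCP 8530/8531 created."
} else {
    Write-Host "Block rule already present."
}
```

After the update is installed and the host rebooted, the rule can be removed with `Remove-NetFirewallRule -DisplayName $ruleName`.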
“Do not undo any of these fixes until you have installed the update,” Microsoft warns.
The development comes as the Dutch National Cyber Security Center (NCSC) said it “learned from a trusted partner that an exploit of CVE-2025-59287 was observed on October 24, 2025.”
Eye Security, which notified NCSC-NL about the in-the-wild exploitation, said it first observed the vulnerability being abused to drop a Base64-encoded payload against an unnamed customer at 06:55 a.m. UTC. The payload, a .NET executable, "takes the value of the 'aaa' request header and runs it directly using cmd.exe."
"This is the payload that is being sent to the server, which uses the request header with the name 'aaa' as the source of the command to be executed," Piet Kerkhofs, CTO of Eye Security, told The Hacker News. "This avoids the commands appearing directly in the log."
When asked if the exploit could have existed before today, Kerkhofs explained that "the PoC was released by Hawktrace two days ago, and it can use a standard ysoserial .NET payload, so yes, the pieces for the exploit were there."
Cybersecurity firm Huntress also said it detected threat actors targeting publicly exposed WSUS instances on their default ports (8530/TCP and 8531/TCP) around 2025-10-23 23:34 UTC. However, it noted that the utility of CVE-2025-59287 is likely to be limited, given that WSUS ports 8530 and 8531 are not often exposed to the internet.
“Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services), triggering a deserialization RCE against the update service,” it says.
The exploit activity resulted in the WSUS worker process spawning cmd.exe and PowerShell instances, leading to the download and execution of a Base64-encoded PowerShell payload that enumerated the exposed servers for network and user information and sent the results to an attacker-controlled webhook[.]site URL.
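As an added example (not code from Huntress or Eye Security), the parent/child process pattern described above can be hunted in the Windows Security log. It assumes process-creation auditing (event 4688) with command-line logging is enabled, and that the WSUS worker runs as IIS's w3wp.exe or as WsusService.exe; those parent names are assumptions, not stated in the article.

```powershell
# Added example: hunt 4688 events for the WSUS worker process spawning cmd.exe or PowerShell,
# and decode any -EncodedCommand argument for review (the observed payload was Base64 PowerShell).
# Assumes audit of process creation with command line enabled; parent names are assumed.

$parents  = @('w3wp.exe', 'wsusservice.exe')
$children = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
  ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if (-not $d['ParentProcessName'] -or -not $d['NewProcessName']) { return }

    $parent = [IO.Path]::GetFileName($d['ParentProcessName']).ToLower()
    $child  = [IO.Path]::GetFileName($d['NewProcessName']).ToLower()
    if (($parents -contains $parent) -and ($children -contains $child)) {
        $cmd = $d['CommandLine']
        $decoded = $null
        # PowerShell -EncodedCommand takes UTF-16LE Base64; decode it so the payload is readable.
        if ($cmd -match '-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)') {
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
            catch { $decoded = '<invalid base64>' }
        }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $parent
            Child   = $child
            Command = $cmd
            Decoded = $decoded
        }
    }
  }
```

Any hit from a WSUS worker is worth treating as suspicious, since the update service has no legitimate reason to launch shells; the same logic applies to Sysmon event 1 if that telemetry is available.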
When contacted for comment, a Microsoft spokesperson told the publication that “We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.”
The company also stressed that the issue does not affect servers without the WSUS server role enabled, and recommended that affected customers follow the guidance on its CVE page.
Given the availability of PoC exploits and the identified exploit activity, it is essential that users apply patches as soon as possible to mitigate the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to fix it by November 14, 2025.
(The story was updated after publication with additional information from iSecurity, Huntress, and Microsoft’s response.)