Microsoft has released out-of-band security updates to address a critical flaw in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The vulnerability enables unauthenticated remote code execution (RCE) with SYSTEM-level privileges. A public proof-of-concept (PoC) already exists, and security firms report early signs of exploitation in the wild, elevating patch urgency for organizations relying on WSUS.
What CVE-2025-59287 is and why it matters
WSUS is the Windows Server component used to centrally approve and distribute updates across enterprise networks. According to Microsoft, an attacker can submit a specially crafted event that triggers insecure deserialization in a legacy serialization mechanism, resulting in arbitrary code execution. Deserialization is the process of converting data into objects; when input is not validated, adversaries can smuggle malicious objects that the server then executes.
In this case, successful exploitation grants code execution as SYSTEM on a WSUS server—a highly privileged foothold that can facilitate lateral movement and compromise of update workflows. Because WSUS servers commonly synchronize with each other, the weakness increases the risk of worm-like propagation between WSUS instances if not remediated quickly.
Affected systems and Microsoft guidance
Only Windows Server installations with the WSUS Server Role enabled are vulnerable. The role is disabled by default. Microsoft emphasizes: “Windows servers without the WSUS Server Role enabled are not vulnerable. If the WSUS role is enabled, the server is vulnerable. If you plan to enable the role, install the patch first, otherwise the server becomes vulnerable immediately upon activation.”
Updates are available for all supported Windows Server versions that offer the WSUS role. To reduce the attack surface, Microsoft has also temporarily suppressed detailed WSUS synchronization error messages after installing this or later updates, closing off an observed exploitation vector associated with CVE-2025-59287.
Temporary mitigations: WSUS ports 8530/8531
If immediate patching is not feasible, Microsoft recommends either disabling the WSUS role or blocking inbound traffic to TCP 8530 and 8531. These ports are the default WSUS HTTP/HTTPS endpoints. Administrators should note that doing so will render WSUS unavailable, and client devices will no longer receive updates from the local server until normal operations are restored.
Evidence of exploitation in the wild
Threat intelligence from Eye Security indicates active scanning and exploitation attempts against CVE-2025-59287. The company reports at least one compromised client system targeted with an exploit distinct from the publicly released PoC. Although WSUS is typically not internet-exposed, Eye Security identified roughly 2,500 publicly accessible WSUS instances globally.
Huntress similarly reports attacks probing WSUS servers with open ports 8530/8531. While current exploitation may be limited in scope, Huntress identified approximately 25 vulnerable hosts in its partner base. Observed attacker behavior included PowerShell reconnaissance for domain information (for example, account data, domain users, and network configuration) with results exfiltrated to an external webhook.
Immediate actions for Windows Server administrators
1) Patch now: Apply Microsoft’s out-of-band updates on all servers with the WSUS Server Role enabled—and on any server where enabling the role is planned. Use standard Microsoft update channels.
2) Reduce exposure: If patching must be delayed, temporarily disable WSUS or block inbound traffic to TCP 8530/8531. Understand that this interrupts local update distribution to endpoints.
3) Monitor and respond: Review WSUS/IIS and PowerShell logs for anomalous requests, unexpected command execution, and external webhook callbacks. Pay special attention to activities running with SYSTEM privileges.
4) Minimize attack surface: Keep WSUS internal-only, enforce least privilege, segment networks, and monitor egress to unknown domains. Regularly audit firewall rules and access policies to prevent inadvertent internet exposure.
CVE-2025-59287 directly targets a core element of enterprise patch management. Combined with a public PoC and signs of active exploitation, the risk profile is high. Organizations should prioritize installing Microsoft’s updates, verify that ports 8530/8531 are not internet-exposed, and enhance monitoring for suspicious WSUS and PowerShell activity. Keeping WSUS off the public internet and validating access controls will significantly reduce the likelihood of successful exploitation and follow-on compromise.
