
CVE-2025-59287: WSUS Remote Code Execution


Filip Dimitrov

October 27, 2025

CVE-2025-59287 is a critical remote code execution (RCE) vulnerability in the Windows Server Update Services (WSUS) server role. An attacker who can reach a server with the vulnerable role enabled can send crafted input to the WSUS web services that is unsafely deserialized, giving the attacker code execution as SYSTEM without authentication or user interaction.

The vulnerability carries a CVSS v3.1 score of 9.8. Microsoft has released an out-of-band (OOB) patch, a public proof-of-concept (PoC) is available, and CISA has confirmed that the vulnerability is being actively exploited. For organisations relying on WSUS, the risk is particularly high because a compromised WSUS server can act as a pivot point, or as a distribution point for malicious updates, across the enterprise.

Affected Systems 

The issue affects Windows Server platforms where the WSUS Server Role is installed and enabled. Specifically:

  • Windows Server 2012 and 2012 R2 (including Server Core)
  • Windows Server 2016 (including Server Core)
  • Windows Server 2019
  • Windows Server 2022 (including 23H2 / Server Core)
  • Windows Server 2025

A server on which the WSUS role is not installed is not vulnerable. If the role is added later and the patch has not been installed, that server becomes exposed, so the patch should be applied to any server that may host WSUS in future as well.

Root Cause & Attack Mechanism

The vulnerability is unsafe deserialization of untrusted data: an attacker crafts a serialized object and submits it to the WSUS web services (for example in a cookie or other web service input). When WSUS deserializes that object, attacker-controlled code runs with SYSTEM privileges.

The attacker only needs network access to the WSUS endpoint; no authentication or user interaction is required. Once in control of the server, the attacker can abuse the WSUS role to deliver malicious updates to endpoints, or replicate downstream across WSUS hierarchies.

Exposure Checklist

  • Do we run WSUS on any Windows Server? Which OS versions?
  • Are TCP ports 8530 (HTTP) and 8531 (HTTPS), the WSUS defaults, reachable from untrusted networks, including VPN and partner segments?
  • Are there upstream/downstream WSUS hierarchies, or System Center / third-party tooling that uses WSUS local publishing?
  • If we use local publishing, when was the WSUS signing certificate last rotated?
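The following script answers the checklist above for a single host. It is an added example, not code from the advisory or from Microsoft: it uses only built-in cmdlets (ServerManager, NetTCPIP, NetSecurity) and the WSUS administration API that ships with the UpdateServices role, and it assumes the default ports 8530/8531 and the default location of the local-publishing signing certificate (the machine's WSUS certificate store). Run it from an elevated PowerShell prompt on every server that might host WSUS and collect the output centrally.

```powershell
<#
  Added example (not from the advisory): collect the exposure-checklist facts for one
  Windows Server host. Run elevated on each server that may host WSUS.
#>
$report = [ordered]@{
    ComputerName = $env:COMPUTERNAME
    OSVersion    = (Get-CimInstance Win32_OperatingSystem).Caption
}

# 1. Is the WSUS Server role installed?  (No role, no exposure to this CVE.)
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$report.WsusRoleInstalled = [bool]($role -and $role.Installed)

if ($report.WsusRoleInstalled) {
    # 2. WSUS listens on TCP 8530 (HTTP) and 8531 (HTTPS) by default. Record which are live.
    $report.ListeningPorts = (Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort | Sort-Object -Unique) -join ','

    # 3. Enabled inbound Allow rules that open either port, and the remote scope they allow.
    #    A remote scope of 'Any' means the host firewall does not limit who can reach WSUS;
    #    only network/VPN segmentation does. (Port ranges such as 8530-8531 are not parsed here.)
    $report.InboundAllowRules = @(
        Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        ForEach-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            if ($ports -contains '8530' -or $ports -contains '8531') {
                $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
                '{0} [{1}] remote={2}' -f $_.DisplayName, ($ports -join ','), $remote
            }
        }
    ) -join '; '

    # 4. Hierarchy: does this host sync from an upstream WSUS server, and does anything sync from it?
    Import-Module UpdateServices -ErrorAction SilentlyContinue
    try {
        $wsus = Get-WsusServer            # connects to the local WSUS instance
        $cfg  = $wsus.GetConfiguration()
        $report.UpstreamServer = if ($cfg.SyncFromMicrosoftUpdate) { 'Microsoft Update' }
                                 else { '{0}:{1} (replica={2})' -f $cfg.UpstreamWsusServerName,
                                                                    $cfg.UpstreamWsusServerPortNumber,
                                                                    $cfg.IsReplicaServer }
        $report.DownstreamServers = ($wsus.GetDownstreamServers() |
            ForEach-Object { $_.FullDomainName }) -join ','
    } catch {
        $report.UpstreamServer = "WSUS API unavailable: $($_.Exception.Message)"
    }

    # 5. Local publishing: the signing certificate (if any) lives in the machine's WSUS store.
    #    Its NotBefore date tells you when it was last rotated.
    $report.PublishingCerts = (Get-ChildItem Cert:\LocalMachine\WSUS -ErrorAction SilentlyContinue |
        ForEach-Object { '{0} valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}' -f $_.Subject, $_.NotBefore, $_.NotAfter }) -join '; '
}

[pscustomobject]$report | Format-List
```

An empty PublishingCerts value simply means local publishing is not configured on that host; an InboundAllowRules entry with remote=Any on a server whose ports are reachable from VPN or partner segments is the case the checklist is trying to surface.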

Threat Activity

Since the PoC was released, threat actors have been scanning for exposed WSUS servers, and reports show multiple organisations being targeted with exploitation attempts. Because WSUS infrastructure is trusted by design, activity originating from a WSUS host may go unnoticed by traditional endpoint security.

The risk is especially high in environments where WSUS acts as an upstream server to many clients or where patch pipelines are complex and distributed.

Business Impact

A compromised WSUS server can be used to deliver malicious payloads to a wide set of endpoints under the guise of legitimate updates.

From the WSUS host, attackers can pivot to sensitive systems (domain controllers, file servers, line-of-business applications). Because update infrastructure is inherently trusted, detection may be delayed, which makes remediation harder and increases reputational, operational and regulatory risk.

Mitigation & Remediation

  • The highest priority is to install Microsoft’s OOB patch on all WSUS servers as soon as possible and reboot them; the update does not take effect until the server has restarted.
  • If patching cannot be done immediately, as an interim measure either disable the WSUS Server role or block inbound TCP traffic to ports 8530 and 8531 on the host firewall. Both options interrupt update delivery to clients until they are reversed.
  • After patching, validate that every WSUS host has the update installed and has been rebooted since, rotate any WSUS local-publishing certificates, restrict WSUS administrative access to trusted management networks, and apply segmentation so that only authorised systems can connect to WSUS.
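The script below implements the interim block and the post-patch validation from the list above. It is an added example and not Microsoft’s or the advisory’s own tooling. It deliberately does not hard-code a KB number, because the OOB update has a different KB per Windows Server version; pass the one Microsoft lists for your OS as -OobKb (the 'KB1234567' in the comment is a placeholder, not a real identifier). The firewall rule name is our own choice, and the WSUS certificate store path is assumed to be the default for local publishing.

```powershell
<#
  Added example (not from the advisory): interim containment and post-patch validation
  for a WSUS host. Run elevated.
  Modes:
    Block    - host-firewall rule dropping inbound TCP 8530/8531 (clients stop getting updates)
    Unblock  - remove that rule once the host is patched and rebooted
    Validate - confirm the KB is installed, the host rebooted afterwards, no reboot is pending,
               the interim block state, the WSUS service state, and the publishing cert dates
#>
param(
    [ValidateSet('Block', 'Unblock', 'Validate')]
    [string]$Mode = 'Validate',
    [string]$OobKb        # e.g. 'KB1234567' (placeholder; use the KB from Microsoft's advisory)
)

$ruleName = 'CVE-2025-59287 interim: block inbound WSUS 8530/8531'

switch ($Mode) {
    'Block' {
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
        }
        Write-Warning 'Inbound TCP 8530/8531 is now blocked; WSUS clients cannot check in until you run -Mode Unblock.'
        # Heavier alternative named in the advisory: remove the role entirely.
        #   Uninstall-WindowsFeature -Name UpdateServices -Restart
    }
    'Unblock' {
        Remove-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    }
    'Validate' {
        if (-not $OobKb) { throw 'Validate requires -OobKb (the OOB update KB for this OS version).' }
        $os     = Get-CimInstance Win32_OperatingSystem
        $hotfix = Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue

        # Either key stays set by servicing / Windows Update until the machine restarts.
        $rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                         (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

        [pscustomobject]@{
            ComputerName       = $env:COMPUTERNAME
            OobKb              = $OobKb
            KbInstalled        = [bool]$hotfix
            KbInstalledOn      = $hotfix.InstalledOn
            LastBoot           = $os.LastBootUpTime
            # Patched AND restarted afterwards: the only state that counts as remediated.
            RebootedSinceKb    = [bool]$hotfix -and $hotfix.InstalledOn -and ($hotfix.InstalledOn -lt $os.LastBootUpTime)
            RebootPending      = $rebootPending
            InterimBlockActive = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
            WsusServiceStatus  = (Get-Service -Name WsusService -ErrorAction SilentlyContinue).Status
            # NotBefore later than the patch date is the evidence that the publishing cert was rotated.
            PublishingCerts    = (Get-ChildItem Cert:\LocalMachine\WSUS -ErrorAction SilentlyContinue |
                                    ForEach-Object { '{0} issued {1:yyyy-MM-dd}' -f $_.Subject, $_.NotBefore }) -join '; '
        } | Format-List
    }
}
```

A host is done only when Validate reports KbInstalled and RebootedSinceKb as True and RebootPending as False; leave the interim block in place until then, and remove it with -Mode Unblock afterwards so clients resume checking in.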

For more details and guidance, please refer to Microsoft’s official updated guide on this vulnerability.

Stay Safe. Stay Secure.
OP Innovate Research Team
