Full Report
You didn't have plans, did you? Microsoft has released an out-of-band update to patch a critical vulnerability in Windows Server Update Services (WSUS).…
Analysis Summary
# Vulnerability: Critical RCE in Windows Server Update Services (WSUS)
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: N/A (Maximum severity: "critical")
- CWE: Insecure Deserialization (Implied by flaw description)
## Affected Systems
- Products: Windows Server Update Services (WSUS) component.
- Versions: Windows Server versions 2012 through 2025.
- Configurations: Only servers with the WSUS role enabled are affected.
## Vulnerability Description
The vulnerability is a Remote Code Execution (RCE) flaw stemming from the insecure deserialization of untrusted data within the WSUS service. The flaw lies in a "legacy serialization mechanism" that deserializes attacker-supplied data, allowing an unauthenticated attacker to execute arbitrary code on the server.
## Exploitation
- Status: PoC available
- Complexity: Low (Implied by unauthenticated RCE potential)
- Attack Vector: Network
## Impact
- Confidentiality: High (Likely remote code execution impact)
- Integrity: High (Likely remote code execution impact)
- Availability: High (Likely remote code execution impact/service disruption)
## Remediation
### Patches
- Microsoft released an out-of-band update that patches this vulnerability. The update is cumulative, so it also includes October's patches if those have not yet been applied.
- A system reboot is required after applying the patch.
### Workarounds
1. **Disable the WSUS Role:** Immediately disable the WSUS role on affected servers. (Note: This will prevent client updates from the server.)
2. **Firewall Blocking:** Block inbound traffic to ports **8530** and **8531** on the host firewall to prevent external interaction with WSUS.
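The two workarounds above, as an added PowerShell example (not from the advisory or from Microsoft): the script checks whether the WSUS role is installed, lists who is currently connected to the WSUS listeners so the operator knows what the block will cut off, and then adds host-firewall rules blocking inbound TCP 8530/8531. It assumes a Windows Server host with the ServerManager, NetTCPIP and NetSecurity modules, run from an elevated session; the rule names are chosen here.

```powershell
#Requires -RunAsAdministrator
# Added example: interim WSUS hardening (role check + inbound block rules).
# Assumes Windows Server with ServerManager/NetTCPIP/NetSecurity modules.
Import-Module ServerManager
Import-Module NetTCPIP
Import-Module NetSecurity

# Ports named in the advisory: 8530 (HTTP) and 8531 (HTTPS) WSUS listeners.
$WsusPorts = @(8530, 8531)

function Test-WsusRoleInstalled {
    # 'UpdateServices' is the Server Manager feature name for the WSUS role.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction Stop
    return [bool]$feature.Installed
}

function Get-WsusActiveClients {
    param([int[]]$Ports = $WsusPorts)
    # Show established connections so the admin knows which clients will lose
    # access once the block rules are in place (the advisory's stated trade-off).
    Get-NetTCPConnection -LocalPort $Ports -State Established -ErrorAction SilentlyContinue |
        Select-Object LocalPort, RemoteAddress, RemotePort
}

function Add-WsusInboundBlockRule {
    param([int[]]$Ports = $WsusPorts)
    foreach ($port in $Ports) {
        $name = "WSUS-Block-Inbound-TCP-$port"   # rule name chosen for this example
        if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) {
            Write-Host "Rule '$name' already exists; skipping."
            continue
        }
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created inbound block rule '$name'."
    }
}

if (Test-WsusRoleInstalled) {
    Write-Warning "WSUS role is installed on $env:COMPUTERNAME; applying interim block rules."
    Get-WsusActiveClients | Format-Table -AutoSize
    Add-WsusInboundBlockRule
} else {
    Write-Host "WSUS role is not installed on $env:COMPUTERNAME; no action required."
}
```

Remove the rules with `Remove-NetFirewallRule -DisplayName "WSUS-Block-Inbound-TCP-*"` once the out-of-band update is installed and the server has been rebooted.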
## Detection
- **Indicators of Compromise:** Look for unusual process executions stemming from WSUS services following network interaction on ports 8530/8531.
- **Detection Methods and Tools:** Apply the security updates released by Microsoft. Monitor firewall logs for unexpected connections to the WSUS ports on the targeted servers.
## References
- Vendor Advisory: hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287