Full Report
Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability for which a proof-of-concept (PoC) exploit is publicly available and which has come under active exploitation in the wild. The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant
Analysis Summary
# Vulnerability: Critical WSUS Remote Code Execution Vulnerability (Actively Exploited)
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: 9.8 (Critical)
- CWE: Deserialization of Untrusted Data
## Affected Systems
- Products: Windows Server Update Service (WSUS) role enabled on various Windows Server versions.
- Versions: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 (23H2 Edition - Server Core), and Windows Server 2025.
- Configurations: Only impacts servers with the WSUS server role enabled.
## Vulnerability Description
This is a critical Remote Code Execution (RCE) vulnerability present in the Windows Server Update Service (WSUS). The flaw stems from the unsafe deserialization of untrusted data, specifically occurring when the `GetCookie()` endpoint processes `AuthorizationCookie` objects. An unauthorized attacker can send specially crafted data that triggers unsafe deserialization via the `BinaryFormatter` mechanism without proper type validation, leading to code execution with **SYSTEM privileges**. This issue is related to the historical security risks associated with using `BinaryFormatter` with untrusted input, which Microsoft had previously advised developers to avoid.
## Exploitation
- Status: Exploited in the wild (Observed on October 24, 2025)
- Complexity: Assumed Low/Medium (Requires network access)
- Attack Vector: Network
## Impact
- Confidentiality: High (SYSTEM privileges can lead to full compromise)
- Integrity: High (SYSTEM privileges can lead to full compromise)
- Availability: High (SYSTEM privileges can lead to full compromise)
## Remediation
### Patches
Microsoft released an out-of-band security update to address this vulnerability.
- **Patch:** Update KB5070883 (the specific package depends on the OS build; see Microsoft's guidance).
- **Action Required:** A system reboot is advised after installing the patch for the update to fully take effect.
### Workarounds
If applying the out-of-band update is not immediately possible, the following mitigations should be implemented:
1. Disable the WSUS Server Role on the affected server (if enabled).
2. Block inbound traffic to TCP/UDP **Ports 8530 and 8531** on the host firewall.
*Note: Do not undo these workarounds until after the security update has been successfully installed.*
## Detection
- **Indicators of Compromise (IOCs):** Observed exploitation sends a crafted request to the vulnerable endpoint; in reported activity, a Base64-encoded payload was delivered in a request header value (`aaaa`) and executed via `cmd.exe`.
- **Detection Methods and Tools:** Monitor network traffic for anomalies targeting the WSUS ports (8530/8531). Review process-creation and system logs for unusual execution of `cmd.exe` initiated by WSUS processes, particularly around requests to the cookie-handling endpoints described above.
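The process-log check described above, as an added example that is not part of the original report: it flags process-creation events where a WSUS host process spawns a shell, or where a command line carries a Base64-encoded argument. The WSUS host process names (`w3wp.exe`, `wsusservice.exe`) and the sample events are assumptions constructed for illustration, not values taken from the report.

```python
"""Flag process-creation events consistent with post-exploitation of WSUS:
a shell spawned by a WSUS host process, or a Base64-encoded command-line token."""
import base64
import re
from dataclasses import dataclass

# Assumption: WSUS code runs inside the IIS worker for the WSUS application
# pool and the WSUS service. Adjust these names to your environment.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# A long run of Base64 alphabet characters with optional padding.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def decodes_as_base64(token: str) -> bool:
    """True only if the token is well-formed Base64 (strict alphabet and padding)."""
    try:
        base64.b64decode(token, validate=True)
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def classify(event: ProcessEvent) -> list[str]:
    """Return the detection reasons for one event; an empty list means benign."""
    reasons = []
    if _basename(event.parent_image) in WSUS_PARENTS and _basename(event.image) in SHELLS:
        reasons.append("shell spawned by WSUS host process")
    if any(decodes_as_base64(t) for t in B64_TOKEN.findall(event.command_line)):
        reasons.append("base64-encoded argument on command line")
    return reasons


def scan(events: list[ProcessEvent]) -> list[tuple[ProcessEvent, list[str]]]:
    """Return only the events that triggered at least one reason."""
    return [(e, classify(e)) for e in events if classify(e)]


# Constructed sample events; the encoded string is a harmless marker, not a real payload.
SAMPLE_B64 = base64.b64encode(b"constructed-sample-payload-not-a-real-command").decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 f"cmd.exe /c echo {SAMPLE_B64}"),
    ProcessEvent(r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe",
                 "cmd.exe /c whoami"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    ProcessEvent(r"C:\Windows\System32\services.exe",
                 r"C:\Program Files\Update Services\Service\WsusService.exe", "WsusService.exe"),
]

if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(f"{_basename(event.parent_image)} -> {_basename(event.image)}: {', '.join(reasons)}")
```

Feed real events by mapping your log source's parent/child image and command-line fields onto `ProcessEvent`; the Base64 check is deliberately strict about padding to keep false positives from ordinary long identifiers low.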
## References
- Vendor Advisory: microsoft com en us support microsoft com en us topic october-23-2025-kb5070883-os-build-17763-7922-out-of-band-860bc03c-52fb-407c-89b2-14ecf4893c5c (Specific OOB Update Guide)
- Security Report Example: hawktrace com blog CVE-2025-59287-UNAUTH
- NCSC Advisory Example: advisories ncsc nl 2025 ncsc-2025-0310 html