Full Report
Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code. [...]
Analysis Summary
# Vulnerability: Critical RCE in Windows Server Update Services (WSUS)
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Not stated in the source text; Microsoft rates the flaw Critical.
- CWE: CWE-502, Deserialization of Untrusted Data (mapped from the vulnerability description; the source does not name a CWE)
## Affected Systems
- Products: Windows Server (with WSUS Server Role enabled)
- Versions: Windows Server 2025, Windows Server version 23H2, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
- Configurations: Only servers with the WSUS Server Role enabled expose the vulnerable service; a server without the role is not affected. A server with the role enabled is vulnerable until the update is installed, and enabling the role on a server that has not yet received the update puts it in a vulnerable state, so install the fix *before* enabling WSUS.
## Vulnerability Description
This is a critical Remote Code Execution (RCE) vulnerability caused by unsafe object deserialization in a legacy serialization mechanism used by Windows Server Update Services (WSUS). A remote, unauthenticated attacker can send a crafted event that triggers the deserialization and runs attacker-supplied code as SYSTEM on the WSUS server. Because WSUS servers exchange data with each other, the flaw is potentially wormable between WSUS servers.
## Exploitation
- Status: PoC available (Proof-of-Concept exploit code is publicly available online).
- Complexity: Low (Remote, unauthenticated, requires no user interaction).
- Attack Vector: Network
## Impact
- Confidentiality: High (code runs as SYSTEM, giving full read access to the server and its WSUS database)
- Integrity: High (a SYSTEM-level attacker can modify the server and, through it, the update channel for managed clients)
- Availability: High (full compromise allows disruption of the server and of update delivery)
## Remediation
### Patches
Out-of-Band (OOB) security updates were released to fix this flaw:
* Windows Server 2025 ([KB5070881](https://support.microsoft.com/help/5070881))
* Windows Server, version 23H2 ([KB5070879](https://support.microsoft.com/help/5070879))
* Windows Server 2022 ([KB5070884](https://support.microsoft.com/help/5070884))
* Windows Server 2019 ([KB5070883](https://support.microsoft.com/help/5070883))
* Windows Server 2016 ([KB5070882](https://support.microsoft.com/help/5070882))
* Windows Server 2012 R2 ([KB5070886](https://support.microsoft.com/help/5070886))
* Windows Server 2012 ([KB5070887](https://support.microsoft.com/help/5070887))
*(Note: These cumulative updates supersede previous October 2025 updates. A reboot is required after installation.)*
### Workarounds
1. **Disable the WSUS Server Role:** Removing the role removes the entire attack surface.
2. **Block Inbound Traffic:** Block all inbound traffic to TCP ports 8530 and 8531 on the host firewall, which renders WSUS non-operational. These are the default WSUS ports; if WSUS was installed on other ports (for example 80/443), block those instead, and check the IIS bindings of the WSUS site rather than assuming the defaults.
*(Warning: Either workaround stops Windows endpoints from receiving updates from the local WSUS server until it is reverted. Prefer installing the OOB update and use the workarounds only to bridge the gap.)*
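The following PowerShell is an added example for the triage-then-mitigate procedure above; it is not code from the advisory or from Microsoft. It assumes, beyond what the source states, that the WSUS IIS site is named `WSUS Administration` (its bindings give the real listening ports, which may differ from 8530/8531), that `Get-HotFix` reports the installed cumulative update by KB number, and that the `ServerManager`, `WebAdministration` and `NetSecurity` modules are available, as they are on a Windows Server host with the WSUS role. Run it in an elevated session on the server being checked.

```powershell
# Added example; not the advisory's or Microsoft's code. Run elevated on the WSUS host.
# Assumptions (not in the source): IIS site name 'WSUS Administration', Get-HotFix
# lists the OOB cumulative update by KB number, standard Server modules are present.

# OOB updates from the advisory, keyed by KB for lookup.
$OobUpdates = [ordered]@{
    'KB5070881' = 'Windows Server 2025'
    'KB5070879' = 'Windows Server, version 23H2'
    'KB5070884' = 'Windows Server 2022'
    'KB5070883' = 'Windows Server 2019'
    'KB5070882' = 'Windows Server 2016'
    'KB5070886' = 'Windows Server 2012 R2'
    'KB5070887' = 'Windows Server 2012'
}

function Get-WsusListeningPorts {
    # Prefer the real IIS bindings; fall back to the advisory's default ports.
    $bindings = Get-WebBinding -Name 'WSUS Administration' -ErrorAction SilentlyContinue
    $ports = foreach ($b in $bindings) {
        # bindingInformation looks like "*:8530:" -> the middle element is the port
        [int]($b.bindingInformation -split ':')[1]
    }
    if ($ports) { return ($ports | Sort-Object -Unique) }
    return @(8530, 8531)
}

function Test-Cve202559287Exposure {
    [CmdletBinding()]
    param()

    # 1. No WSUS Server Role => no attack surface on this host.
    $role = Get-WindowsFeature -Name UpdateServices
    if (-not $role.Installed) {
        return [pscustomobject]@{ Exposed = $false; Reason = 'WSUS role not installed'; Ports = @() }
    }

    # 2. Is one of the OOB updates present? A later cumulative update supersedes these
    #    KBs, so an absent KB is a prompt to verify the OS build, not proof of exposure.
    $installed = Get-HotFix | Where-Object { $OobUpdates.Contains($_.HotFixID) }
    if ($installed) {
        $kb = $installed[0].HotFixID
        return [pscustomobject]@{
            Exposed = $false
            Reason  = "$kb installed ($($OobUpdates[$kb]))"
            Ports   = Get-WsusListeningPorts
        }
    }
    return [pscustomobject]@{
        Exposed = $true
        Reason  = 'WSUS role enabled and no OOB update found'
        Ports   = Get-WsusListeningPorts
    }
}

function Invoke-WsusPortBlockWorkaround {
    # Workaround 2 from the advisory: block inbound TCP to the WSUS ports on the host
    # firewall. Managed clients stop receiving updates until this rule is removed.
    [CmdletBinding(SupportsShouldProcess)]
    param([int[]]$Ports = (Get-WsusListeningPorts))

    $name = 'Block inbound WSUS (CVE-2025-59287 workaround)'
    if ($PSCmdlet.ShouldProcess("TCP $($Ports -join ',')", 'Create inbound block rule')) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $Ports -Action Block -Profile Any | Out-Null
    }
}

$state = Test-Cve202559287Exposure
$state | Format-List
if ($state.Exposed) {
    # -WhatIf only shows the rule that would be created; drop it to apply the workaround.
    Invoke-WsusPortBlockWorkaround -Ports $state.Ports -WhatIf
}
```

The port lookup matters because the advisory's 8530/8531 are defaults only; a rule that blocks those on a server bound to 80/443 gives a false sense of mitigation. Remove the firewall rule with `Remove-NetFirewallRule -DisplayName 'Block inbound WSUS (CVE-2025-59287 workaround)'` once the OOB update is installed and the server has rebooted.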
## Detection
- Indicators of Compromise: None are given in the source. Because the flaw is triggered by unauthenticated requests to the WSUS web services, exploitation should surface as traffic to the WSUS listening ports (TCP 8530/8531 by default) from hosts that are not managed clients or downstream WSUS servers, and as server-side errors on those services from requests that fail to deserialize.
- Detection methods and tools: On servers with the WSUS role, review the IIS logs of the WSUS site and host firewall logs for requests on the WSUS ports from unexpected sources, and alert on inbound connections to those ports from outside the client and downstream-server address ranges. Inventory which servers actually have the role enabled, since only those need this monitoring.
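As an added example of the log review described above (not code from the advisory), the function below triages IIS W3C log lines from the WSUS site and flags requests on the WSUS ports that come from outside the expected client address ranges or that ended in a server error. It assumes, beyond what the source states, that the site logs in W3C format with the fields named in its `#Fields` line; the expected client prefixes and every log line in the sample are constructed for the example.

```powershell
# Added example; not from the advisory. Flags WSUS-port requests that do not look
# like normal client or downstream-server traffic in IIS W3C logs.
# Assumptions (not in the source): W3C logging with a #Fields header line; the
# client prefixes and all sample log lines below are constructed.

function Find-SuspiciousWsusRequests {
    param(
        [string[]]$Lines,
        [string[]]$ExpectedClientPrefixes,   # address prefixes of managed clients / downstream servers
        [int[]]$WsusPorts = @(8530, 8531)     # advisory defaults; pass the real bindings if different
    )
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) {
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or -not $fields -or -not $line.Trim()) { continue }

        # Zip the header with the row so fields can be addressed by name.
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $rec[$fields[$i]] = $values[$i]
        }
        if ([int]$rec['s-port'] -notin $WsusPorts) { continue }

        $reasons = @()
        $known = $ExpectedClientPrefixes | Where-Object { $rec['c-ip'].StartsWith($_) }
        if (-not $known) {
            $reasons += "source $($rec['c-ip']) is outside the expected client ranges"
        }
        if ([int]$rec['sc-status'] -ge 500) {
            # A request the service could not process; worth correlating with event logs.
            $reasons += "server error $($rec['sc-status']) on a WSUS web service"
        }
        if ($reasons) {
            [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIP = $rec['c-ip']
                Uri      = $rec['cs-uri-stem']
                Status   = $rec['sc-status']
                Reasons  = $reasons -join '; '
            }
        }
    }
}

# Constructed sample log: two normal client requests, one external request that
# failed, and one internal request that also failed.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status time-taken
2025-10-24 09:12:01 10.0.0.5 POST /ClientWebService/client.asmx - 8530 10.0.4.17 200 45
2025-10-24 09:12:03 10.0.0.5 GET /Content/AB/example.cab - 8530 10.0.4.18 200 310
2025-10-24 09:13:40 10.0.0.5 POST /ClientWebService/client.asmx - 8530 203.0.113.9 500 1200
2025-10-24 09:13:41 10.0.0.5 POST /ClientWebService/client.asmx - 8530 10.0.4.17 500 980
'@ -split "`r?`n"

# Expected: the 203.0.113.9 request is flagged for both reasons, the last
# request only for the server error, and the two 200 responses are not reported.
Find-SuspiciousWsusRequests -Lines $SampleLog -ExpectedClientPrefixes @('10.0.4.') |
    Format-Table -AutoSize
```

Against a live server, feed it the log files of the WSUS site (by default under `C:\inetpub\logs\LogFiles\W3SVC<site id>`, where the site id is that of `WSUS Administration`; both are assumptions about the deployment, not facts from the source) with `Get-Content`, and pass the ports reported by the site's IIS bindings. A 5xx on its own is not proof of exploitation; it is the prompt to pull the matching application event log entries and the source host's traffic.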
## References
- Vendor Advisories: Microsoft Security Update Guide for CVE-2025-59287: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
- Relevant links: Article describing the fix and PoC availability: https://www.bleepingcomputer.com/news/security/microsoft-releases-windows-server-emergency-updates-for-critical-wsus-rce-flaw/