Full Report
If at first you don’t succeed, patch and patch again More threat intel teams are sounding the alarm about a critical Windows Server Update Services (WSUS) remote code execution vulnerability, tracked as CVE-2025-59287 and now under active exploitation, just days after Microsoft pushed an emergency patch and the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog.…
Analysis Summary
# Vulnerability: WSUS Remote Code Execution via Insecure Deserialization
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: (Score not explicitly provided in text, but described as "critical") (Severity: Critical)
- CWE: Insecure Deserialization of Untrusted Data
## Affected Systems
- Products: Windows Server Update Services (WSUS) running on Windows Server versions.
- Versions: Windows Server 2012 through Windows Server 2025.
- Configurations: Only affected if the Windows Server Update Services (WSUS) role is enabled and accessible (especially if exposed to the internet on default ports 8530/8531).
## Vulnerability Description
The vulnerability is a critical remote code execution (RCE) flaw stemming from the insecure deserialization of untrusted data within the Windows Server Update Services (WSUS) component. An unauthenticated external attacker can exploit this flaw to execute arbitrary code on vulnerable systems.
## Exploitation
- Status: Exploited in the wild (Actively exploited by UNC6512 and others).
- Complexity: Low (Described as having "low attack complexity").
- Attack Vector: Network (Attacks target publicly exposed WSUS instances).
## Impact
- Confidentiality: High (Observed data exfiltration during initial access).
- Integrity: High (RCE allows arbitrary code execution, potentially leading to malicious update pushes).
- Availability: High (RCE can lead to system compromise and disruption).
## Remediation
### Patches
- Microsoft released an initial patch during October Patch Tuesday, but it was insufficient.
- An **emergency patch** was subsequently pushed days later to address the remaining flaw. Affected users must ensure they have this latest emergency update installed.
### Workarounds
- Ensure that WSUS instances are **not publicly accessible** via the internet, as this is the primary vector being exploited.
- Monitor and restrict access to the default WSUS TCP ports (8530/HTTP and 8531/HTTPS).
## Detection
- **Indicators of Compromise (IOCs):**
- Execution of reconnaissance commands like `whoami`, `net user /domain`, and `ipconfig /all` on WSUS servers.
- Outbound network traffic attempting to exfiltrate data to remote Webhook.site endpoints (or similar) via PowerShell (`Invoke-WebRequest`) or `curl.exe`.
- **Detection Methods and Tools:**
- Threat intelligence teams observed significant exploitation activity ("about 100,000 hits for exploitation of this bug within the last seven days").
- Monitor for unexpected network activity originating from WSUS servers, particularly outbound connections to external data aggregation points.
## References
- Vendor Advisory (Initial/Updated guidance): hxxps://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
- Palo Alto Networks Unit 42 Analysis: hxxps://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- Proof-of-Concept Availability: hxxps://hawktrace.com/blog/CVE-2025-59287-UNAUTH