The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations worldwide about active exploitation of a critical remote code execution (RCE) vulnerability in Microsoft’s Windows Server Update Services (WSUS).
Tracked as CVE-2025-59287, the flaw carries a CVSS score of 9.8, allowing unauthenticated attackers to execute arbitrary code with system-level privileges over a network, potentially compromising entire IT infrastructures.
This vulnerability, which stems from unsafe deserialization of untrusted data in WSUS, was partially addressed in Microsoft’s October Patch Tuesday but required an urgent out-of-band update released on October 23, 2025, after the initial fix proved insufficient.
The threat is escalating rapidly, with security firms reporting real-world attacks as early as October 24, 2025. Dutch cybersecurity company Eye Security detected exploitation attempts at 06:55 a.m. UTC that day, involving a Base64-encoded .NET payload designed to evade logging by executing commands via a custom request header named ‘aaaa’.

Proof-of-concept (PoC) exploits, released just days prior by researcher Batuhan Er of HawkTrace, have accelerated malicious activity, enabling attackers to target WSUS servers running under the SYSTEM account.
CISA’s addition of CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog mandates federal agencies to patch by November 14, 2025, underscoring the flaw’s high exploitability and low complexity; no user interaction or authentication is needed.
Organizations relying on WSUS for centralized patch management face severe dangers, as a successful breach could let hackers distribute poisoned updates across connected devices.
The following are the affected systems:
| Affected Version | Patch KB Number | Notes |
|---|---|---|
| Windows Server 2012 | KB5070887 | Standard and Server Core |
| Windows Server 2012 R2 | KB5070886 | Standard and Server Core |
| Windows Server 2016 | KB5070882 | Standard and Server Core |
| Windows Server 2019 | KB5070883 | Standard and Server Core |
| Windows Server 2022 | KB5070884 | Standard and Server Core |
| Windows Server 2022, 23H2 Edition | KB5070879 | Server Core installation |
| Windows Server 2025 | KB5070881 | Standard and Server Core |
The vulnerability lies in a legacy serialization path behind the GetCookie() endpoint: encrypted AuthorizationCookie objects are decrypted with AES-128-CBC and then handed to BinaryFormatter, which deserializes them without any type validation, so an attacker who can reach the endpoint controls what gets instantiated in the service process and ends up with full system takeover.
Security researchers from CODE WHITE GmbH, including Markus Wulftange, and the independent researchers MEOW and f7d8c52bec79e42795cf15888b85cbad first identified the issue and are credited in Microsoft’s advisory.
Microsoft has confirmed that servers without the WSUS Server Role enabled remain unaffected, but for those with it active, especially those exposing ports 8530 or 8531 to the internet, the risks are acute.
Early indicators suggest attackers are leveraging the PoC to drop malware, with potential for widespread lateral movement in enterprise environments.
Mitigations
CISA and Microsoft recommend swift action to neutralize the threat. First, identify vulnerable servers by scanning for those with the WSUS role enabled and open ports 8530/8531.
Apply the October 23 out-of-band patch immediately, then reboot to ensure full mitigation. Delaying this could expose networks to unauthenticated RCE.
For those unable to patch right away, temporary workarounds include disabling the WSUS role or blocking inbound traffic to ports 8530/8531 at the host firewall; both stop managed clients from receiving updates while in place, and neither should be reversed until the update is installed.
Beyond WSUS servers, organizations must update all remaining Windows Servers and reboot them post-installation. Monitoring tools should be deployed to detect anomalous WSUS traffic, such as unusual GetCookie() requests or Base64 payloads.
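The identify-and-contain steps above, as an added PowerShell example (this is not code from the article, CISA or Microsoft): run elevated on a server, it checks for the WSUS Server Role, for listeners on 8530/8531, and for any of the out-of-band KBs from the table, and with -BlockPorts it applies Microsoft's interim host-firewall workaround on a server that has the role but not the update. The function name and the firewall rule name are arbitrary choices; the script assumes Get-HotFix lists the installed cumulative update, which should be confirmed against the OS build if it reports nothing.

```powershell
function Test-WsusExposure {
    [CmdletBinding()]
    param(
        # Create the inbound block rule when the server is vulnerable (default: audit only)
        [switch]$BlockPorts
    )

    # Out-of-band KBs from the affected-systems table; exactly one applies to a given OS
    $oobKbs = 'KB5070887','KB5070886','KB5070882','KB5070883','KB5070884','KB5070879','KB5070881'

    # 1. Is the WSUS Server Role present? Get-WindowsFeature needs the ServerManager module,
    #    so fall back to the WsusService service where the cmdlet is unavailable.
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roleInstalled = (Get-WindowsFeature -Name UpdateServices).Installed
    } else {
        $roleInstalled = [bool](Get-Service -Name WsusService -ErrorAction SilentlyContinue)
    }

    # 2. Which WSUS ports are actually listening (8530 HTTP, 8531 HTTPS)?
    #    Get-NetTCPConnection raises a non-terminating error when nothing matches, hence the suppression.
    $listening = Get-NetTCPConnection -State Listen -LocalPort 8530,8531 -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique

    # 3. Is the out-of-band update installed? Get-HotFix reads Win32_QuickFixEngineering
    #    (assumption: the LCU shows up there; verify against the OS build if this is empty).
    $installedKb = Get-HotFix -Id $oobKbs -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty HotFixID -First 1
    $patchState = if ($installedKb) { $installedKb } else { 'missing' }

    $vulnerable = $roleInstalled -and -not $installedKb
    $action = 'none'

    if ($vulnerable -and $BlockPorts) {
        # Microsoft's documented interim workaround: block inbound 8530/8531 at the host firewall.
        # This also stops legitimate WSUS clients, so remove the rule only after the update is on.
        $ruleName = 'CVE-2025-59287 interim block (WSUS 8530/8531)'   # rule name is an arbitrary choice
        if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 8530,8531 -Action Block -Profile Any | Out-Null
        }
        $action = "blocked inbound TCP 8530/8531 via rule '$ruleName'"
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WsusRole       = $roleInstalled
        ListeningPorts = ($listening -join ',')
        OobPatch       = $patchState
        Vulnerable     = $vulnerable
        Action         = $action
    }
}

# Audit only; add -BlockPorts to apply the firewall workaround on an unpatched WSUS server
Test-WsusExposure | Format-List
```

To sweep a fleet rather than one host, run the function through Invoke-Command against the list of Windows Servers and collect the objects; a server with WsusRole true and OobPatch missing is the one to patch and reboot first, and anything listening on 8530/8531 that is reachable from the internet is the most urgent case.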
Experts warn that unpatched systems could serve as entry points for advanced persistent threats, amplifying damage in hybrid cloud setups.
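For the monitoring recommendation above, an added PowerShell example (not from the article or any vendor) that flags unusual requests to the WSUS client web service, the service that hosts GetCookie(), in IIS W3C logs. Assumptions: the default IIS log fields are in use, so the SOAP action and the request body (and therefore any Base64 payload) are not logged and the heuristics have to work on source address and User-Agent; legitimate clients identify themselves as Windows-Update-Agent; managed clients live in RFC 1918 address space. The log lines are constructed for the example, and the addresses and user agents in them are made up.

```powershell
# Constructed sample of IIS W3C log lines for the WSUS Administration site (not real traffic).
# Spaces inside the User-Agent appear as '+' in IIS logs.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-24 06:40:12 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.1.23 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.0 - 200 0 0 15
2025-10-24 06:55:02 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 198.51.100.77 python-requests/2.31.0 - 500 0 0 1203
2025-10-24 06:55:09 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 198.51.100.77 python-requests/2.31.0 - 200 0 0 840
2025-10-24 06:56:30 10.0.0.5 GET /Content/ab/example.cab - 8530 - 10.0.1.40 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.0 - 200 0 0 3
'@

function Find-SuspiciousWsusRequests {
    param([string[]]$Lines)

    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # W3C header line: maps column positions to field names for the entries that follow
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }

        $values = $line -split ' '
        $entry = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $entry[$fields[$i]] = $values[$i]
        }

        # Only POSTs to the client web service can carry GetCookie(); the SOAP action itself is not logged
        if ($entry['cs-method'] -ne 'POST' -or $entry['cs-uri-stem'] -notlike '/ClientWebService/*') { continue }

        $reasons = @()
        if ($entry['cs(User-Agent)'] -notlike 'Windows-Update-Agent/*') {
            $reasons += 'user agent is not Windows-Update-Agent'
        }
        if ($entry['c-ip'] -notmatch '^(10\.|127\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)') {
            $reasons += 'client outside RFC 1918 space'
        }

        if ($reasons) {
            [pscustomobject]@{
                Time      = "$($entry['date']) $($entry['time'])"
                ClientIP  = $entry['c-ip']
                UserAgent = $entry['cs(User-Agent)']
                Status    = $entry['sc-status']
                Reasons   = ($reasons -join '; ')
            }
        }
    }
}

# Against the constructed sample this reports the two python-requests POSTs from 198.51.100.77
Find-SuspiciousWsusRequests -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize
```

To run it on a real server, feed it the log files of the WSUS Administration site from the default IIS log location under C:\inetpub\logs\LogFiles with Get-Content. Because the payload never reaches the log, a hit here is a lead to pivot from (what the WSUS worker process did next, which the article's Base64 .NET payload would make visible in process and PowerShell logging), not a verdict on its own, and a Windows-Update-Agent user agent from an internal address is trivial for an attacker to set, so an empty result does not prove the server was not hit.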
