Hackers exploiting critical vulnerability in Windows Server Update Service

Security researchers are warning that cyber threat actors are abusing a critical vulnerability in Microsoft Windows Server Update Service. 

The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data and could allow intruders to execute code without authorization.

Researchers at Huntress said they have seen attackers exploiting the vulnerability in four different customers’ networks. 

Senior security researcher John Hammond described the attack as a simple “point-and-shoot” technique, noting that the recent release of a proof of concept made the attack trivially accessible for any hacker to launch. 

Microsoft issued out-of-band security updates on Thursday to address the vulnerability. “We rereleased this CVE after identifying that the initial update did not fully mitigate the issue,” a Microsoft spokesperson told Cybersecurity Dive. 

Experts urged organizations to immediately apply the new patch.

“The currently trending WSUS vulnerability is a critical issue that should receive top priority for patching in any environment,” Jimi Sebree, senior security researcher at Horizon3.ai, told Cybersecurity Dive. “Its presence is due to how juicy of a target the service is.”

Hackers who compromise the service can move laterally inside a system and obtain significant additional access, Sebree said.

The Windows Server Update Service allows IT administrators to manage the deployment of Microsoft product updates across their computer systems. 

The Cybersecurity and Infrastructure Security Agency on Friday added the vulnerability to its Known Exploited Vulnerabilities catalog.

In an advisory released late Friday, CISA urged users to identify servers that are vulnerable to exploitation and immediately apply the updates. According to CISA, these are servers that have the WSUS Server Role enabled and ports 8530/8531 open.
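As an added illustration of the identification step CISA describes (this is not code from the article, CISA or Microsoft), the following PowerShell check, run locally on each Windows Server, reports whether the host has the WSUS Server Role installed and is listening on TCP 8530/8531; the cmdlets and the `UpdateServices` feature name are standard, while the function name and output fields are our own.

```powershell
# Added example: flag hosts matching CISA's description of exposed WSUS servers,
# i.e. the WSUS Server Role installed and a listener on TCP 8530 (HTTP) or
# 8531 (HTTPS). Assumes Windows Server with the ServerManager and NetTCPIP modules.

function Test-WsusExposure {
    [CmdletBinding()]
    param(
        # WSUS default ports; adjust if the site was reconfigured.
        [int[]]$Ports = @(8530, 8531)
    )

    # 'UpdateServices' is the Windows feature name for the WSUS Server Role.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleInstalled = ($null -ne $role) -and [bool]$role.Installed

    # Any TCP listener bound on the WSUS ports, on any local address.
    $listeners = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $Ports -contains $_.LocalPort })

    $openPorts = @($listeners | Select-Object -ExpandProperty LocalPort -Unique)

    # True when a listener is bound beyond loopback, i.e. reachable from the network.
    $nonLoopback = @($listeners | Where-Object {
        $_.LocalAddress -notin @('127.0.0.1', '::1')
    }).Count -gt 0

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        WsusRole        = $roleInstalled
        ListeningPorts  = ($openPorts -join ',')
        NonLoopback     = $nonLoopback
        # Matches CISA's "WSUS Server Role enabled and ports 8530/8531 open":
        # these hosts need the out-of-band update verified first.
        NeedsPatchCheck = $roleInstalled -and ($openPorts.Count -gt 0)
    }
}

# Collect one row per host and review those flagged NeedsPatchCheck.
Test-WsusExposure | Format-List
```

Run it through your existing remote-execution tooling across the server estate and prioritise hosts where both `WsusRole` and `NonLoopback` are true.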

Researchers at Arctic Wolf said they were tracking a threat campaign that might be related to the vulnerability, although they said they could not confirm a link.
