Microsoft has rolled out an out-of-band emergency patch for a remote code execution (RCE) vulnerability affecting the Windows Server Update Services (WSUS).
Identified as CVE-2025-59287, the issue stems from the deserialization of untrusted data in a legacy serialization mechanism, allowing unauthorized attackers to execute arbitrary code over the network.
The patch, released on October 23, 2025, addresses the critical threat just days after the vulnerability’s initial disclosure on October 14.
The flaw, rated critical with a CVSS 3.1 base score of 9.8, requires no user privileges or interaction, making it highly exploitable via the network with low complexity.
Attackers could send crafted events to trigger unsafe deserialization, potentially leading to full system compromise and severe impacts on confidentiality, integrity, and availability.
Vulnerability Exposes WSUS Servers To Remote Attacks
While WSUS is not enabled by default on Windows servers, thus sparing unmodified systems, organizations running the server role for update management face immediate risk if unpatched.
Microsoft’s security team updated the CVE’s temporal score to 8.8 after confirming the availability of proof-of-concept (PoC) exploit code, elevating the exploitability assessment to “more likely.”
No active exploitation in the wild has been reported yet, but the public disclosure of PoC code underscores the urgency for administrators to act.
The vulnerability was responsibly reported by researchers from MEOW and CODE WHITE GmbH, including Markus Wulftange, who identified the deserialization weakness tied to CWE-502.
The October 23 update is available through Windows Update, Microsoft Update, and the Microsoft Update Catalog for standalone downloads.
It will also sync automatically with WSUS environments. However, installation requires a server reboot, which could disrupt operations in production settings.
For those unable to patch immediately, Microsoft recommends temporary workarounds: disable the WSUS server role entirely, halting client updates in the process, or block inbound traffic to ports 8530 and 8531 at the host firewall level to neutralize the service.
This release highlights ongoing challenges in legacy components like WSUS, which many enterprises still rely on for centralized patch management.
Security experts urge organizations to review their WSUS configurations and prioritize the update to prevent potential breaches.
An updated Windows Update offline scan file (Wsusscn2.cab) is now available to aid detection. As cybersecurity threats evolve, this incident serves as a reminder of the importance of timely patching in enterprise environments. Microsoft continues to monitor for any emerging exploits.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
