The researcher’s desk: CVE-2025-59287 – Blog Detectify

Welcome to The researcher’s desk, a content series where the Detectify security research team conducts a technical autopsy on vulnerabilities that are particularly interesting, complex, or persistent. The goal here is not to report the latest research (for that, see the Detectify release log); it is to take a closer look at certain vulnerabilities, regardless of their disclosure date, that still offer critical lessons.

For this issue, we analyze CVE-2025-59287, a critical remote code execution (RCE) flaw in Microsoft Windows Server Update Services (WSUS), the component at the core of patch management in many enterprises.

The Case File: WSUS Unauthenticated RCE

Disclosure date: October 14, 2025 (initial patch)
Vulnerability type: unsafe deserialization of untrusted data (CWE-502)
Identifier: CVE-2025-59287, CVSS 9.8 (Critical)
Vulnerable component: WSUS web services (e.g., the GetCookie endpoint of the client web service, and the reporting web service)
Final impact: unauthenticated remote code execution (RCE) as SYSTEM
Observations: actively exploited in the wild; affects the infrastructure that distributes updates to every managed host

What’s the root cause of CVE-2025-59287?

The flaw, CVE-2025-59287, is unsafe deserialization of untrusted data (CWE-502) in the WSUS web services.

The affected endpoints accept a serialized object blob from the client and pass it straight to a legacy object deserializer. That deserializer does not check the blob against an expected shape; it reconstructs whatever object graph the bytes describe, instantiating the types named in the stream and running their deserialization callbacks. Because the attacker chooses those types, a crafted stream (a gadget chain built from types already present on the server) makes the service execute attacker-chosen code as a side effect of merely reading its input.

What’s the mechanism behind CVE-2025-59287?

The mechanism yields a high-impact attack because it needs no credentials and the resulting code runs with the highest privileges.

  • Unauthenticated access: an attacker who can reach the WSUS web service ports sends specially crafted requests to endpoints that require no authentication.

  • Arbitrary code execution: the unsafe deserialization of the request payload lets the attacker run code of their choosing on the server.

  • Privilege: that code runs as SYSTEM, giving the attacker full control of the server and, with it, of a system that every managed client trusts for updates.

This flaw is interesting because it is actively exploited in the wild and hits the update management infrastructure at the core of the enterprise: a WSUS server is trusted by every client it serves. Exploitation has been used to deploy infostealers and pre-ransomware payloads, which puts sensitive data at risk in regulated environments. Public proof-of-concept exploits exist, so any unpatched WSUS server reachable by an attacker should be treated as a target.
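The following is a small Python model of the CWE-502 pattern described above: an endpoint decodes a client-supplied cookie and hands the bytes to an object deserializer, so the client chooses which types get built and which code runs while they are built. It is an added example, not WSUS code and not Detectify's; Python's pickle stands in for the legacy .NET object serializer WSUS used, and the cookie layout, the JSON schema and the function names are assumptions. The forged payload sets an environment variable instead of launching cmd.exe so its effect can be observed safely.

```python
"""A Python model of the CWE-502 pattern behind CVE-2025-59287 (added example,
not WSUS code). pickle stands in for the legacy .NET object serializer; the
cookie layout, schema and names are assumptions."""
import base64
import json
import os
import pickle

MARKER = "WSUS_DESER_POC"   # assumption: stands in for "cmd.exe was spawned"


class _Gadget:
    """Attacker-side helper only. Its pickle references builtins.exec plus a
    string, exactly as a real gadget chain references types the target
    already has; the _Gadget class itself never reaches the server."""

    def __init__(self, cmd):
        self.cmd = cmd

    def __reduce__(self):
        code = "import os\nos.environ[%r] = %r" % (MARKER, self.cmd)
        return (exec, (code,))


def forge_cookie(cmd):
    """What an unauthenticated client can put in the cookie field."""
    return base64.b64encode(pickle.dumps(_Gadget(cmd))).decode("ascii")


def get_cookie_vulnerable(cookie_b64):
    """VULNERABLE: rebuilds whatever object graph the bytes describe.
    Decoding (or even decrypting) a blob is not validation of its contents."""
    raw = base64.b64decode(cookie_b64)
    return pickle.loads(raw)   # the attacker's callable runs here, as the service account


COOKIE_SCHEMA = {"client_id": str, "expires": int}   # assumption


def get_cookie_hardened(cookie_b64):
    """HARDENED: data-only format, fixed schema, no object reconstruction.
    The same forged blob is rejected before anything in it is interpreted."""
    raw = base64.b64decode(cookie_b64)
    try:
        doc = json.loads(raw.decode("utf-8"))
    except ValueError:   # UnicodeDecodeError and JSONDecodeError both derive from it
        raise ValueError("cookie is not a JSON document")
    if not isinstance(doc, dict) or set(doc) != set(COOKIE_SCHEMA):
        raise ValueError("cookie has unexpected fields")
    for key, typ in COOKIE_SCHEMA.items():
        if type(doc[key]) is not typ:   # 'is' also rejects bool where int is expected
            raise ValueError("cookie field %s has the wrong type" % key)
    return doc


def demo():
    """Runs both handlers against the same forged cookie and one valid cookie."""
    os.environ.pop(MARKER, None)
    forged = forge_cookie("whoami /all")
    get_cookie_vulnerable(forged)          # side effect: MARKER is now set
    ran = os.environ.get(MARKER)
    try:
        get_cookie_hardened(forged)
        rejected = False
    except ValueError:
        rejected = True
    valid = base64.b64encode(
        json.dumps({"client_id": "srv01", "expires": 1700000000}).encode()).decode("ascii")
    return {"vulnerable_ran": ran, "hardened_rejected": rejected,
            "hardened_accepted": get_cookie_hardened(valid)}


if __name__ == "__main__":
    print(demo())
```

The point of the hardened variant is not the JSON library but the shape of the contract: the server parses data into a fixed schema and never lets the wire format name a type to instantiate. Wrapping the legacy serializer in encryption or a signature only helps if the key never leaves the server; it does nothing once an attacker can produce a blob the server will decode.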

Defensive takeaways

  • Patching: apply the vendor updates. The October 14, 2025 Patch Tuesday release did not fully address the issue, and Microsoft shipped out-of-band updates on October 23, 2025; verify that the out-of-band update, not just the initial one, is installed and that the server has been rebooted afterwards. Where patching must wait, Microsoft's documented interim mitigations are to disable the WSUS server role or to block inbound traffic to TCP ports 8530 and 8531 on the host firewall; both stop update distribution, so treat them as temporary.

  • The Detectify Approach: Detectify customers are running payload-based assessments to test for this vulnerability.
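For teams that also want to hunt for exploitation on their own servers, the following detection logic flags the process chain that public incident write-ups reported after this CVE was exploited: the WSUS IIS worker (w3wp.exe running the WsusPool application pool) or wsusservice.exe spawning cmd.exe or powershell.exe, including the second hop where cmd.exe in turn starts powershell.exe. This is an added example, not the page's or Detectify's code; the Sysmon Event ID 1 (ProcessCreate) records are constructed with shortened GUIDs, and the parent-process list and walk depth are assumptions to adjust for your environment.

```python
"""Hunt for shells spawned under the WSUS service processes (added example;
sample events are constructed Sysmon Event ID 1 records exported as JSON)."""
import json

WSUS_SERVICES = {"wsusservice.exe"}          # assumption: WSUS-only process names
IIS_WORKER = "w3wp.exe"                      # counts only for the WsusPool app pool
WSUS_POOL = "wsuspool"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
MAX_DEPTH = 4                                # ancestors to walk (assumption)

W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
WSUS_POOL_CMD = r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"'
DEFAULT_POOL_CMD = r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"'

# Constructed sample: {S}, {Z}, {Y} are parents that started before logging began.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"ProcessGuid": "{A}", "ParentProcessGuid": "{S}", "Image": W3WP,
     "CommandLine": WSUS_POOL_CMD, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"ProcessGuid": "{B}", "ParentProcessGuid": "{A}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": 'cmd.exe /c powershell.exe -NoProfile -WindowStyle Hidden -Command "whoami /all"',
     "ParentImage": W3WP, "ParentCommandLine": WSUS_POOL_CMD},
    {"ProcessGuid": "{C}", "ParentProcessGuid": "{B}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -WindowStyle Hidden -Command "whoami /all"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"ProcessGuid": "{D}", "ParentProcessGuid": "{S}", "Image": W3WP,
     "CommandLine": DEFAULT_POOL_CMD, "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"ProcessGuid": "{E}", "ParentProcessGuid": "{D}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": W3WP, "ParentCommandLine": DEFAULT_POOL_CMD},
    {"ProcessGuid": "{F}", "ParentProcessGuid": "{S}",
     "Image": r"C:\Program Files\Update Services\Services\WsusService.exe",
     "CommandLine": '"C:\\Program Files\\Update Services\\Services\\WsusService.exe"',
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"ProcessGuid": "{G}", "ParentProcessGuid": "{F}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": r"C:\Program Files\Update Services\Services\WsusService.exe"},
    {"ProcessGuid": "{H}", "ParentProcessGuid": "{Z}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command whoami",
     "ParentImage": W3WP, "ParentCommandLine": WSUS_POOL_CMD},
    {"ProcessGuid": "{I}", "ParentProcessGuid": "{Y}", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]]


def _name(path):
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def _is_wsus_host(image, command_line):
    """True for wsusservice.exe, or for w3wp.exe serving the WsusPool app pool."""
    name = _name(image)
    if name in WSUS_SERVICES:
        return True
    return name == IIS_WORKER and WSUS_POOL in command_line.lower()


def hunt(lines):
    """Return one hit per shell whose ancestry (up to MAX_DEPTH) reaches a WSUS process."""
    events = [json.loads(line) for line in lines]
    by_guid = {ev["ProcessGuid"]: ev for ev in events}
    hits = []
    for ev in events:
        if _name(ev["Image"]) not in SHELLS:
            continue
        chain, cur = [_name(ev["Image"])], ev
        for _ in range(MAX_DEPTH):
            parent = by_guid.get(cur["ParentProcessGuid"])
            if parent is None:
                # Parent started before logging: fall back to the parent fields
                # Sysmon copies into the child's record (one hop only).
                if _is_wsus_host(cur["ParentImage"], cur.get("ParentCommandLine", "")):
                    chain.append(_name(cur["ParentImage"]))
                    hits.append({"ProcessGuid": ev["ProcessGuid"], "chain": " <- ".join(chain),
                                 "CommandLine": ev.get("CommandLine", "")})
                break
            chain.append(_name(parent["Image"]))
            if _is_wsus_host(parent["Image"], parent.get("CommandLine", "")):
                hits.append({"ProcessGuid": ev["ProcessGuid"], "chain": " <- ".join(chain),
                             "CommandLine": ev.get("CommandLine", "")})
                break
            cur = parent
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit["ProcessGuid"], hit["chain"], "|", hit["CommandLine"])
```

On the constructed sample the hunt flags the cmd.exe and powershell.exe under the WsusPool worker, the cmd.exe under WsusService.exe and the powershell.exe whose parent is only known from the copied ParentImage fields, while leaving the DefaultAppPool worker's child and the explorer-launched shell alone. A WSUS web worker has no legitimate reason to start a shell, so in practice this rule can be run at low volume with little tuning.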

Questions? We’re happy to hear from you via support@detectify or book a demo to learn more about Detectify.