Windows Server Update Services bug exploited in the wild


Security researchers at Huntress have discovered active exploitation of a remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS) for which Microsoft issued an out-of-band patch this month.

WSUS is used by enterprise administrators to manage and distribute updates across corporate networks.

Another security vendor, Hawktrace, published a technical analysis of the vulnerability, indexed as CVE-2025-59287, saying an unsafe deserialisation bug lets unauthenticated attackers execute code remotely with elevated SYSTEM privileges.

Hawktrace published a proof-of-concept (PoC) for the vulnerability, and Huntress says it has now observed threat actors exploiting the flaw at four of its customers.

Microsoft rated the vulnerability 9.8 out of 10, critical severity.

So far, the exploitation activity that Huntress researchers observed involved spawning command prompts and PowerShell, with a Base64-encoded payload being executed to enumerate servers and glean sensitive network and user information.

That information was exfiltrated to a remote webhook site, Huntress found.

As WSUS servers are not usually exposed to the internet, Huntress expects that in-the-wild exploitation of the vulnerability will be limited.

The security vendor saw approximately 25 hosts susceptible to the attack across its partner base.

It strongly recommends blocking inbound traffic to TCP ports 8530 and 8531 from everything except management hosts and Microsoft Update servers that explicitly require access to the organisation's WSUS infrastructure.
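One way to apply that recommendation on the WSUS host itself, as an added example that is not part of the article or Huntress's guidance: scope inbound TCP 8530/8531 to an allow-list with Windows Defender Firewall. The management addresses are placeholders, and the script assumes it runs elevated on the WSUS server.

```powershell
# Added example (not from the article): restrict inbound WSUS ports to an allow-list.
# Placeholder management hosts / upstream servers; replace with your own addresses or CIDR ranges.
$ManagementHosts = @('10.0.10.5', '10.0.10.6', '10.0.20.0/24')
$WsusPorts       = @('8530', '8531')

# 1. Make sure the default inbound action is Block on every profile, so that only
#    explicit allow rules admit traffic. (Windows Firewall lets block rules win over
#    allow rules, so a scoped allow rule, not a broad block rule, is the right tool.)
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 2. Find existing enabled inbound allow rules that open either WSUS port to any remote
#    address and disable them. Note: this simple match does not catch port *ranges*
#    such as '8500-8600'; review those by hand.
$BroadRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   ($_.LocalPort | Where-Object { $WsusPorts -contains $_ }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' }

foreach ($Rule in $BroadRules) {
    Write-Host "Disabling broad allow rule: $($Rule.DisplayName)"
    Disable-NetFirewallRule -Name $Rule.Name
}

# 3. Create one allow rule limited to the management hosts.
New-NetFirewallRule -DisplayName 'WSUS - allow management hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
    -RemoteAddress $ManagementHosts -Action Allow -Profile Any | Out-Null

# 4. Verify: the only enabled inbound allow rule for these ports should carry the allow-list.
Get-NetFirewallRule -DisplayName 'WSUS - allow management hosts only' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress
```

Run this after patching, not instead of it; a host-based rule does not help hosts where a perimeter device already forwards the ports to the WSUS server.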

CVE-2025-59287 stems from WSUS's use of BinaryFormatter, a .NET serialisation class that Microsoft has said cannot be made secure and should not be used.

It was removed in .NET version 9, which was released in 2024.

Patches from Microsoft are available for Windows Server 2012 to 2025, with reboots required after updating.
