Microsoft has released an urgent out-of-band security update to address a severe remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS). The flaw, tracked as CVE-2025-59287, poses a direct risk to organizations that utilize WSUS to manage Windows updates across their IT infrastructure.
Overview of the CVE-2025-59287 Vulnerability
The vulnerability, identified as a case of CWE-502: Deserialization of Untrusted Data, occurs when WSUS improperly deserializes untrusted objects. A remote, unauthenticated attacker could exploit this flaw by sending a specially crafted request to the WSUS service.
Because WSUS commonly runs under the SYSTEM account, successful exploitation would allow the attacker to execute arbitrary code with the highest privileges, effectively gaining full control of the targeted system.
Microsoft has rated the flaw as Critical with a CVSS 3.1 base score of 9.8. The attack vector is network-based, requires no authentication or user interaction, and has low complexity. The vulnerability’s scope, confidentiality, integrity, and availability impacts are all classified as high. Microsoft has also assessed exploitation as “More Likely,” increasing the urgency for administrators to patch affected systems immediately.
Affected Versions
The RCE vulnerability affects several supported editions of Windows Server, including:
- Windows Server 2012 and 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022 (including the 23H2 Server Core edition)
- Windows Server 2025
By default, the WSUS server role is not enabled on Windows Server installations. However, once enabled, unpatched servers become vulnerable to exploitation. Microsoft emphasizes that servers without the WSUS role activated are not affected by CVE-2025-59287.
Timeline of Discovery and Patching
The vulnerability was first disclosed on October 14, 2025, with Microsoft formally registering it under the identifier CVE-2025-59287. Following the discovery, Microsoft released an out-of-band update on October 23, 2025, after confirming the existence of publicly available proof-of-concept (PoC) exploit code. This prompted an update to the CVSS temporal score to reflect the increased maturity of the exploit.
The update is available through multiple channels, including Windows Update, Microsoft Update, and Microsoft Update Catalog. Systems configured to automatically receive updates will download and install the patch without manual intervention. A system reboot is required after applying the update.
Mitigation and Workarounds
For organizations unable to immediately install the October 23, 2025, patch, Microsoft has provided several temporary mitigations:
- Disable the WSUS Server Role: Doing so prevents exploitation but also halts update delivery to clients.
- Block Inbound Traffic: Administrators can block ports 8530 and 8531 on the host firewall to render WSUS non-operational and mitigate the risk of attack.
Microsoft warns that these workarounds should remain in place until the official patch is successfully applied. Reverting them before updating could leave systems exposed to potential exploitation.
Exploitability and Risk
At the time of release, Microsoft reported no evidence of active exploitation or public disclosure beyond the proof-of-concept code. However, a successful compromise of a WSUS server could allow attackers to distribute malicious updates throughout an organization’s network, manipulate system configurations, or pivot deeper into internal environments.
CVE-2025-59287 was reported by Markus Wulftange of CODE WHITE GmbH, with Microsoft acknowledging his contribution to identifying and responsibly disclosing the issue.
The ability for an unauthenticated attacker to achieve RCE over a network, without user interaction, elevates this vulnerability to a critical priority. Organizations relying on WSUS should verify that the October 23, 2025, update has been applied across all affected systems. Until fully patched, any unprotected WSUS installation remains at risk of compromise.
