Critical, newly patched Microsoft WSUS flaw exploited

October 25, 2025

Microsoft on Thursday released an out-of-band security update that patches a critical-severity vulnerability in Windows Server Update Services (WSUS) for which a public proof-of-concept (PoC) exploit exists. The flaw is being actively exploited in the wild.

The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a WSUS remote code execution flaw that the tech giant originally fixed as part of the Patch Tuesday update published last week.

Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH, are credited with discovering and reporting this bug.

The shortcoming arises where WSUS deserializes untrusted data, allowing an unauthorized attacker to execute code over the network. Windows servers that do not have the WSUS server role enabled are not affected.

In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers insecure object deserialization in a legacy serialization mechanism, leading to remote code execution.

According to Batuhan Er, a security researcher at HawkTrace, the issue is caused by “insecure deserialization of the AuthorizationCookie object sent to the GetCookie() endpoint. The encrypted cookie data is decrypted using AES-128-CBC and then deserialized by a BinaryFormatter without proper type validation, allowing remote code execution with SYSTEM privileges.”

It is worth noting that Microsoft itself had previously advised developers to stop using BinaryFormatter for deserialization because it is unsafe with untrusted input. The BinaryFormatter implementation was subsequently removed from .NET 9 in August 2024.

.NET executables deployed via CVE-2025-59287

“To comprehensively address CVE-2025-59287, Microsoft has released an out-of-band security update for supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025,” Redmond said.

Microsoft recommends restarting the system after installing the patch so that the update takes effect. If the out-of-band update cannot be applied, administrators can take one of the following actions to protect against the flaw:

  • Disable the WSUS server role on the server (if enabled).
  • Block incoming traffic to ports 8530 and 8531 on the host firewall.
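The two workarounds above, as an added example for administrators (this is not code from the article or from Microsoft): it reports whether the server carries the WSUS role and is listening on the default ports, and applies the host-firewall block if so. The rule name is our own choice; the cmdlets come from the in-box ServerManager, NetTCPIP and NetSecurity modules and need an elevated prompt.

```powershell
# Added example, not from the article or Microsoft: assess WSUS exposure on this
# host and, where exposed, apply the port-blocking workaround described above.
# Run elevated on Windows Server.

function Get-WsusExposure {
    # Is the WSUS server role ("UpdateServices" feature) installed?
    $role = Get-WindowsFeature -Name UpdateServices
    # Which of the default WSUS ports (8530 HTTP, 8531 HTTPS) are listening?
    $listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort -Unique
    [pscustomobject]@{
        RoleInstalled  = [bool]$role.Installed
        ListeningPorts = @($listen)
        # Exposed = role present and at least one WSUS port accepting connections
        Exposed        = ([bool]$role.Installed) -and (@($listen).Count -gt 0)
    }
}

function Add-WsusBlockRule {
    # Second workaround: block inbound TCP 8530/8531 on the host firewall.
    # Idempotent: reuses the rule if it already exists. Rule name is our own.
    $name = 'Block-WSUS-Inbound-CVE-2025-59287'
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $rule) {
        $rule = New-NetFirewallRule -DisplayName $name -Direction Inbound `
            -Protocol TCP -LocalPort 8530, 8531 -Action Block -Enabled True
    }
    $rule
}

$state = Get-WsusExposure
$state | Format-List
if ($state.Exposed) {
    Write-Warning 'WSUS role installed and ports listening: install the out-of-band update, or block the ports until you can.'
    Add-WsusBlockRule | Out-Null
}
```

The block rule also stops legitimate WSUS clients from reaching this server, which is the point of the workaround; per Microsoft's guidance it should stay in place until the update is installed.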

“Do not revert these workarounds until you have installed the updates,” Microsoft warns.

The development comes after the Dutch National Cyber Security Center (NCSC) announced that it had “learned from a trusted partner that an exploit of CVE-2025-59287 was observed on October 24, 2025.”

Eye Security, which notified NCSC-NL of the in-the-wild exploitation, said it first observed the vulnerability being exploited at 6:55 a.m. UTC, dropping a Base64-encoded payload against unnamed customers. The payload, a .NET executable, “takes the value of the ‘aaaa’ request header and executes it directly using cmd.exe.”

“This is a payload that is sent to a server and uses a request header named ‘aaaa’ as the source of the command to be executed,” Eye Security CTO Piet Kerkhofs told The Hacker News. “This prevents the command from appearing directly in the log.”

When asked if the exploit could have occurred earlier than today, Kerkhofs noted, “The HawkTrace PoC was released two days ago and can use a standard ysoserial .NET payload, so the elements of exploitation were present.”

Cybersecurity firm Huntress also said that it detected a threat actor targeting WSUS instances exposed on the default ports (8530/TCP and 8531/TCP) starting at approximately 23:34 UTC on October 23, 2025. However, the company notes that WSUS is not commonly exposed on ports 8530 and 8531, so exploitation of CVE-2025-59287 is likely to be limited.

“The attacker leveraged the exposed WSUS endpoint to send a specially crafted request (multiple POST calls to the WSUS web service) that triggered a deserialization RCE in the update service.”

The exploit activity causes the WSUS worker process to spawn “cmd.exe” and a PowerShell instance, leading to the download and execution of a Base64-encoded PowerShell payload whose purpose is to enumerate the compromised server for network and user information and exfiltrate the results to an attacker-controlled webhook(.)site URL.
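A defender-side hunt for the process chain just described, added here as an example (not from the article, Huntress or Eye Security): it reads Security event 4688 and flags cmd.exe or PowerShell children of the WSUS worker processes. It assumes process-creation auditing with command-line logging is enabled; the parent names are our assumption, since the article only says “WSUS worker process” (WSUS web services run in an IIS worker, w3wp.exe, alongside the WsusService.exe service).

```powershell
# Added example, not from the article or any vendor: hunt Security event 4688
# for the post-exploitation pattern described above (WSUS worker spawning a shell).
# Requires "Audit Process Creation" with "Include command line" enabled.

function Find-WsusChildShells {
    param(
        [int]$Hours = 24,
        # Assumed WSUS parent processes (IIS worker for the WSUS pool, WSUS service)
        [string[]]$WsusParents = @('w3wp.exe', 'WsusService.exe')
    )
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = [System.IO.Path]::GetFileName([string]$d['ParentProcessName'])
        $child  = [System.IO.Path]::GetFileName([string]$d['NewProcessName'])
        # Flag cmd.exe / PowerShell children of the WSUS worker processes
        if (($WsusParents -contains $parent) -and ($child -in 'cmd.exe', 'powershell.exe', 'pwsh.exe')) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Parent  = $parent
                Child   = $child
                # Empty unless command-line auditing is on
                Command = $d['CommandLine']
                # Encoded PowerShell (-e/-ec/-enc/-EncodedCommand) matches the reported second stage
                Encoded = [bool]($d['CommandLine'] -match '(?i)\s-e(c|nc|ncodedcommand)?\s')
            }
        }
    }
}

Find-WsusChildShells -Hours 72 | Format-Table -AutoSize
```

Any hit should be triaged alongside WSUS web-service logs for POST requests to the GetCookie endpoint around the same timestamp, and followed up with a patch status check.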

“We re-released this CVE after confirming that the initial update did not fully mitigate the issue. Customers who installed the latest update are already protected,” a Microsoft spokesperson told the publication when asked for comment.

The company also emphasized that this issue does not affect servers that do not have the WSUS server role enabled, and encouraged affected customers to follow the guidance on the CVE page.

Given that a PoC exploit is public and exploitation has been detected, users should patch as soon as possible to mitigate the threat. The US Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and requires federal agencies to fix it by November 14, 2025.

(Article updated after publication with additional insights from Eye Security, Huntress, and response from Microsoft.)
