Critical Microsoft WSUS flaw exploited in wild after insufficient patch

Microsoft released out-of-band patches on Thursday to “comprehensively” fix a critical vulnerability in the Windows Server Update Service (WSUS) after the first patches released on Oct. 14 proved insufficient. Attackers exploited the vulnerability in the wild after a detailed vulnerability analysis and proof-of-concept exploit were published this week.

Tracked as CVE-2025-59287, the vulnerability stems from an unsafe deserialization of the AuthorizationCookie object in WSUS environments. Successful exploitation enables remote code execution with SYSTEM privileges.

WSUS is commonly used in enterprise environments to deliver Microsoft updates to Windows systems in a controlled manner. The service is not enabled by default on Windows servers but can be turned on by enabling the WSUS Server Role.

Microsoft included a patch for CVE-2025-59287 in its October Patch Tuesday release on Oct. 14. But the initial fix was apparently not complete and required a new round of updates for Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 (23H2 Edition, Server Core installation), and Windows Server 2025.

According to the company’s updated advisory, organizations should deploy these updates as soon as possible. Workarounds include disabling the WSUS Server Role or blocking inbound traffic to ports 8530 and 8531, but both of these actions render the service non-operational until the patches can be deployed.

Attacks observed in the wild

Microsoft’s advisory doesn’t mention in-the-wild exploitation, but researchers from cybersecurity firm Huntress and the Dutch government’s National Cybersecurity Center separately reported evidence of attacks. This came after a detailed analysis and a proof-of-concept exploit for the flaw were posted by researchers from cybersecurity firm HawkTrace on Wednesday.

“Starting around 2025-10-23 23:34 UTC, Huntress observed threat actors targeting WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP),” the company wrote in a blog post Friday. “Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE against the update service.”

The exploit activity resulted in the WSUS worker process spawning command prompt and PowerShell instances. A base64-encoded payload was downloaded and executed in PowerShell with the goal of discovering servers on the network and gathering user information, which was then sent back to a remote attacker-controlled URL.

The Huntress report includes detailed indicators of compromise, forensic artifacts, and detection rules in the open Sigma SIEM detection format.
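The two behaviours described above, the WSUS worker process spawning a shell and PowerShell running a base64-encoded command, are the kind of thing the report's Sigma rules look for. The following Python script is an added example written for this page; it is not code from the article, Huntress, or HawkTrace. It applies those two checks to a handful of constructed Sysmon Event ID 1 (process creation) records and decodes any encoded command it finds. It assumes that WSUS web services run in the IIS worker process w3wp.exe under the WsusPool application pool and that the WSUS service binary is WsusService.exe; the sample events and the encoded payload are constructed for the example.

```python
import base64
import re
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# Constructed sample: a harmless PowerShell one-liner encoded the way -EncodedCommand
# expects it (UTF-16LE, then base64). It stands in for the payload described above.
_SAMPLE_SCRIPT = "Write-Host 'constructed sample, not a real payload'"
_SAMPLE_ENC = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon Event ID 1 records reduced to the fields the rules need.
# Illustrative only; not taken from the Huntress report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # Benign: the WSUS service is started by the service control manager.
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "CommandLine": r'"C:\Program Files\Update Services\Service\WsusService.exe"'},
    # Suspicious: the IIS worker for WsusPool spawns cmd.exe, which launches encoded PowerShell.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell -nop -w hidden -enc {_SAMPLE_ENC}"},
    # Suspicious: the resulting powershell.exe process itself carries the encoded command.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": f"cmd.exe /c powershell -nop -w hidden -enc {_SAMPLE_ENC}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell -nop -w hidden -enc {_SAMPLE_ENC}"},
    # Out of scope for rule 1: an IIS worker for a different application pool.
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentCommandLine": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    # Benign: an administrator runs a script file from the desktop shell.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},
]

# Assumed WSUS parent processes (see lead-in) and the shells they should never spawn.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# PowerShell accepts abbreviated forms of -EncodedCommand; capture the base64 argument.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def _basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an -EncodedCommand argument, else None."""
    match = _ENC_RE.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not valid base64
        return None
    return raw.decode("utf-16-le", errors="replace")


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Apply both rules to one process-creation event; return a finding or None."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    parent_cmd = event.get("ParentCommandLine", "").lower()
    child_cmd = event.get("CommandLine", "")
    rules: List[str] = []

    # Rule 1: the WSUS worker (IIS worker for WsusPool, or the WSUS service) spawns a shell.
    # If the parent command line is missing we cannot tell the pool apart, so flag anyway.
    in_wsus = parent == "wsusservice.exe" or (
        parent == "w3wp.exe" and ("wsuspool" in parent_cmd or not parent_cmd))
    if in_wsus and child in SHELLS:
        rules.append("wsus_worker_spawns_shell")

    # Rule 2: an encoded PowerShell command in the child's command line.
    decoded = decode_encoded_command(child_cmd)
    if decoded is not None:
        rules.append("encoded_powershell")

    if not rules:
        return None
    return {"rules": rules, "parent": parent, "child": child,
            "command_line": child_cmd, "decoded_payload": decoded}


def scan_events(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return one finding per event that matched at least one rule."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding["rules"], finding["parent"], "->", finding["child"])
        if finding["decoded_payload"]:
            print("  decoded:", finding["decoded_payload"])
```

Run against the constructed records, the script flags the two shell launches under the WsusPool worker chain and leaves the service start, the other application pool, and the administrator's script run alone. Rule 1 is deliberately scoped to WsusPool; an IIS worker for any other pool spawning a shell deserves its own rule rather than being folded into this one, and in real telemetry the decoded payload is what an analyst would pivot on next.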
