Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week.
Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug.
The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network. It’s worth noting that the vulnerability does not impact Windows servers that do not have the WSUS server role enabled.
In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a “legacy serialization mechanism,” leading to remote code execution.
According to HawkTrace security researcher Batuhan Er, the issue “arises from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized through BinaryFormatter without proper type validation, enabling remote code execution with SYSTEM privileges.”
It’s worth noting that Microsoft itself previously recommended developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter was subsequently removed from .NET 9 in August 2024.
.NET executable deployed via CVE‑2025‑59287
“To comprehensively address CVE-2025-59287, Microsoft has released an out of band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025,” Redmond said in an update.
Once the patch is installed, it’s advised to perform a system reboot for the update to take effect. If applying the out-of-band is not an option, users can take any of the following actions to protect against the flaw –
- Disable WSUS Server Role in the server (if enabled)
- Block inbound traffic to Ports 8530 and 8531 on the host firewall
“Do NOT undo either of these workarounds until after you have installed the update,” Microsoft warns.
The development comes as the Dutch National Cyber Security Centre (NCSC) said it learned from a “trusted partner that abuse of CVE-2025-59287 was observed on October 24, 2025.”
Eye Security, which notified NCSC-NL of the in-the-wild exploitation, said it observed the vulnerability being used to drop a Base64-encoded payload targeting an unnamed customer. The payload, a .NET executable, “takes the value ‘aaaa’ request header and runs it directly using cmd.exe.”
Given the availability of a PoC exploit, it’s essential that users apply the patch as soon as possible to mitigate potential threats.
