Network defenders have been encouraged to patch a new critical vulnerability in Windows Server Update Services (WSUS) which is being actively exploited.
Microsoft issued an out-of-band update to fix the bug last Thursday, the same day that Huntress observed threat actors targeting WSUS instances publicly exposed on default ports 8530 and 8531.
CVE-2025-59287 is described as a WSUS “deserialization of untrusted data vulnerability” which allows for remote code execution (RCE).
“The vulnerability allows an unauthenticated attacker to achieve remote code execution with system privileges by sending malicious encrypted cookies to the GetCookie() endpoint,” explained security vendor HawkTrace.
The bug reportedly requires no user interaction or privileges to exploit.
The US Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on Friday, warning that it poses “significant risks to the federal enterprise.” Agencies have until November 14 to patch.
Widespread Compromise Possible
Although not enabled by default, WSUS is a popular tool that enables IT administrators to centrally manage and distribute Microsoft product updates to networked computers.
Patrick Münch, CISO at Mondoo, said this makes the new vulnerability particularly dangerous.
“A compromised WSUS server could potentially be used to distribute malicious updates to the entire network of client computers, making the flaw particularly high stakes for large enterprises,” he explained.
“Added to that it enables unauthenticated remote code execution and is actively being exploited. This means that organizations should make it a critical priority to immediately mitigate and fix the vulnerability.”
Huntress advised prompt patching for Windows Server customers, but said that organizations could also remediate by isolating network access to WSUS.
“Ensure that only the management hosts and Microsoft Update servers that are explicitly required have access to your WSUS infrastructure,” it said.
“For all other connections, it is strongly recommended that inbound traffic be blocked to TCP ports 8530 and 8531.”
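The network isolation Huntress describes can be enforced on the WSUS host itself with Windows Defender Firewall. The following PowerShell is an added example, not code from Huntress or Microsoft: it scopes every inbound allow rule for TCP 8530/8531 to an explicit list of management hosts and then reports anything still reachable from arbitrary addresses. The addresses in $AllowedHosts are constructed placeholders, and the script assumes the built-in WSUS rules are the ones opening those ports.

```powershell
# Added example: limit inbound access to the WSUS ports and verify the result.
# $AllowedHosts are placeholder values; replace with the management hosts and any
# upstream/downstream WSUS servers that legitimately need to reach this instance.
$AllowedHosts = @('10.0.10.5', '10.0.10.6')
$WsusPorts    = @('8530', '8531')

# Every enabled inbound firewall rule whose port filter opens TCP 8530 or 8531.
function Get-WsusInboundRule {
    Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { @($_.LocalPort) | Where-Object { $WsusPorts -contains $_ } } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' }
}

# Scope each allow rule for the WSUS ports to the management hosts only.
# Windows Firewall cannot express "any address except these", so the allow rules
# are narrowed and the profile's default inbound action (Block) handles the rest.
function Limit-WsusInbound {
    foreach ($rule in Get-WsusInboundRule) {
        if ($rule.Action -eq 'Allow') {
            $rule | Set-NetFirewallRule -RemoteAddress $AllowedHosts
        }
    }
}

# Report allow rules that still accept the WSUS ports from 'Any' remote address,
# and any profile whose default inbound action would let unmatched traffic through.
function Test-WsusExposure {
    $exposed = Get-WsusInboundRule | Where-Object {
        $_.Action -eq 'Allow' -and
        (($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any')
    }
    if ($exposed) {
        Write-Warning 'Rules still exposing TCP 8530/8531 to any remote address:'
        $exposed | Select-Object DisplayName, Profile
    } else {
        Write-Output 'No inbound rule exposes TCP 8530/8531 to arbitrary remote addresses.'
    }
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        ForEach-Object { Write-Warning "Profile $($_.Name) default inbound action is $($_.DefaultInboundAction), not Block." }
}

Limit-WsusInbound
Test-WsusExposure
```

Host-based rules complement, rather than replace, blocking the ports at the network perimeter, and neither removes the need to apply the out-of-band update.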
