A new serious flaw in Windows Server Update Services (WSUS) — tracked as CVE-2025-59287 — enables unauthenticated remote attackers to execute arbitrary code. Proof-of-concept (PoC) exploit code is already public.
What is WSUS and why does this matter?
WSUS is a Windows Server role that lets IT administrators centrally manage, approve, and deploy updates for Microsoft products across their networks. It handles update distribution, metadata, update approvals, patch schedules, and client update delivery.
Because WSUS is trusted in the network and often runs with high privileges, any flaw can become a major attack vector.
Details of the vulnerability
The issue lies in how WSUS handles AuthorizationCookie data. The service uses a legacy .NET serialization mechanism — specifically the risky BinaryFormatter — to deserialize data without strict type validation. This means an attacker can craft a malicious payload inside that cookie, have it decrypted and deserialized by WSUS, and gain code execution on the server with system-level privileges.
The request goes via a SOAP endpoint (e.g. /ClientWebService/Client.asmx) using the method GetCookie. The crafted cookie contains an encrypted payload in CookieData, encrypted using AES-128-CBC with a hardcoded key and a predictable initialization vector (IV). Once decrypted, the payload is deserialized and executed.
Real-world exploitation
Security researchers observed that threat actors began exploiting this flaw as soon as the patch was released. Servers with WSUS enabled and ports 8530 (HTTP) or 8531 (HTTPS) open have been targeted.
Attackers have exploited this to spawn command shell processes (cmd.exe → powershell.exe) via the WSUS service (wsusservice.exe) or the IIS web worker process (w3wp.exe). They then run commands like net user /domain or ipconfig /all to enumerate systems, and exfiltrate data to remote endpoints.
Patches and mitigations
- Microsoft issued an out-of-band update on October 23, 2025, specifically addressing this vulnerability because earlier patches did not offer full mitigation.
- Administrators are strongly advised to install the latest updates for all affected Windows Server versions (2012 / 2012 R2, 2016, 2019, 2022, and 2025).
- If immediate patching is not possible, one mitigation is to block inbound traffic on ports 8530 and 8531 at the firewall, or disable the WSUS Server Role temporarily. Note that disabling WSUS means endpoints won’t receive updates via that server.
What you should do now
- Check if your WSUS server is exposed on those ports.
- Apply the out-of-band update immediately.
- Audit logs for unusual POST requests to WSUS endpoints, and watch for suspicious child processes spawned from WSUS services (wsusservice.exe or w3wp.exe → cmd.exe / powershell.exe).
- Run incident detection to look for indicators of compromise (e.g. logs, unusual traffic, large payloads in cookie data).
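The two detection signals in the list above (POSTs to the WSUS SOAP endpoint on 8530/8531, and shells spawned by the WSUS service or the IIS worker process), as an added example that is not from the article or from any vendor; the IIS W3C field names, process paths, sample records and the 64 KiB "large body" threshold are assumptions for illustration.

```python
# Added example: checks for the detection guidance above, run over constructed
# sample data. Field names, paths and the size threshold are assumptions.
WSUS_PORTS = {8530, 8531}
WSUS_ENDPOINT = "/clientwebservice/client.asmx"
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
LARGE_BODY = 64 * 1024  # assumed threshold for "unusually large" cookie data

# Constructed IIS W3C log excerpt (WSUS is served by IIS on ports 8530/8531).
IIS_LOG = """#Fields: date time s-port cs-method cs-uri-stem cs-bytes c-ip
2025-10-24 09:12:01 8530 GET /ClientWebService/Client.asmx 512 10.0.0.5
2025-10-24 09:12:07 8530 POST /ClientWebService/Client.asmx 180000 203.0.113.9
2025-10-24 09:13:15 8531 POST /ClientWebService/Client.asmx 900 10.0.0.7
2025-10-24 09:14:02 80 POST /index.html 300 10.0.0.8
"""

def flag_wsus_requests(log_text, large=LARGE_BODY):
    """Return (client_ip, port, cs_bytes, note) for POSTs to the WSUS endpoint."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):        # W3C header names the columns
            fields = line.split()[1:]
            continue
        if fields is None or not line.strip() or line.startswith("#"):
            continue
        rec = dict(zip(fields, line.split()))
        if (rec.get("cs-method") == "POST"
                and int(rec.get("s-port", 0)) in WSUS_PORTS
                and rec.get("cs-uri-stem", "").lower() == WSUS_ENDPOINT):
            size = int(rec.get("cs-bytes", 0))
            note = "large request body" if size >= large else "review"
            hits.append((rec["c-ip"], int(rec["s-port"]), size, note))
    return hits

PROC_EVENTS = [  # constructed (parent image, child image, command line) events
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\cmd.exe", "cmd /c dir"),
    (r"C:\Program Files\Update Services\Service\WsusService.exe",
     r"C:\Windows\System32\cmd.exe", "cmd /c net user /domain"),
    (r"C:\Windows\System32\inetsrv\w3wp.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell ipconfig /all"),
]

def flag_wsus_child_shells(events):
    """Return (parent, child, cmdline) where a WSUS process spawns a shell."""
    out = []
    for parent, child, cmdline in events:
        p = parent.rsplit("\\", 1)[-1].lower()   # basename, case-insensitive
        c = child.rsplit("\\", 1)[-1].lower()
        if p in WSUS_PARENTS and c in SHELLS:
            out.append((p, c, cmdline))
    return out
```

Feed real IIS logs (the `#Fields:` header is read from the file) and Sysmon/EDR process-creation events into the two functions; a hit is a lead to investigate, not proof of compromise on its own.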