Remote Code Execution Vulnerability in Windows Server Update Service by Microsoft
CVE-2025-59287 
Key Information:
- Vendor: Microsoft
- Status
  - CVE Published: 14 October 2025
 
What is CVE-2025-59287?
CVE-2025-59287 is a critical remote code execution vulnerability found in the Windows Server Update Service (WSUS) developed by Microsoft. WSUS is a vital component for managing the distribution of updates that are released through Microsoft Update to computers in a corporate environment. This vulnerability arises from the deserialization of untrusted data, which allows unauthorized attackers to execute arbitrary code remotely over a network. Exploiting this flaw could lead to a complete compromise of affected systems, severely undermining an organization’s security posture and operational integrity.
This vulnerability's technical underpinnings highlight a systemic weakness that can be leveraged by malicious actors, especially in environments where WSUS is a central component of IT infrastructure management. Organizations using WSUS for patch management are uniquely at risk, as successful exploitation can enable attackers to manipulate the update process, potentially installing malicious updates or taking control of target systems.
Potential impact of CVE-2025-59287
- Unauthorized System Access: The ability for an attacker to execute code remotely means they can gain unauthorized access to sensitive systems and data. This could lead to further exploitation within the network, allowing for lateral movement to other critical assets.
- Data Breaches and Loss: Once an attacker has control, they can exfiltrate confidential information, leading to severe data breaches. This impact can be detrimental to an organization’s reputation, customer trust, and financial status.
- Disruption of Operations: The exploitation of this vulnerability could result in significant disruption, where attackers may execute attacks designed to disable or impair services. Such disruptions can lead to operational paralysis, affecting productivity and potentially leading to financial losses due to downtime.
 
CISA has reported CVE-2025-59287
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-59287 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace, as recent news articles suggest the vulnerability is being used by ransomware groups.
CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Windows Server 2012 (Server Core installation) x64-based Systems 6.2.9200.0 < 6.2.9200.25728
Windows Server 2012 R2 (Server Core installation) x64-based Systems 6.3.9600.0 < 6.3.9600.22826
Windows Server 2012 R2 x64-based Systems 6.3.9600.0 < 6.3.9600.22826
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching
An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices.
14 hours ago
Hackers Actively Scanning TCP Ports 8530/8531 for WSUS Vulnerability CVE-2025-59287
These scans represent a shift from research-related activities to what appears to be malicious reconnaissance efforts by threat actors searching for vulnerable systems.
14 hours ago
Hackers Actively Scanning TCP Ports 8530/8531 for WSUS CVE-2025-59287
Security researchers have detected a spike in suspicious network traffic targeting Windows Server Update Services (WSUS) infrastructure worldwide.
15 hours ago
EPSS Score
9% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 🥇 Vulnerability reached the number 1 worldwide trending spot
- 🦅 CISA Reported
- 📈 Vulnerability started trending
- 🟡 Public PoC available
- 💰 Used in Ransomware
- 👾 Exploit known to exist
- 📰 First article discovered by Dark Reading
- Vulnerability published
- Vulnerability Reserved