Remote Code Execution Vulnerability in Windows Server Update Service by Microsoft
CVE-2025-59287

9.8CRITICAL

Key Information:

Vendor: Microsoft
Status: Windows Server 2019; Windows Server 2019 (server Core Installation); Windows Server 2022; Windows Server 2025 (server Core Installation)
Vendor: CVE Published:; 14 October 2025

What is CVE-2025-59287?

The vulnerability in Windows Server Update Service arises from the deserialization of untrusted data, which could allow an unauthorized attacker to execute arbitrary code over a network. This flaw demonstrates the importance of secure coding practices to prevent untrusted input from being processed in ways that could compromise system integrity.

Affected Version(s)

Windows Server 2012 (Server Core installation) x64-based Systems 6.2.9200.0 < 6.2.9200.25722

Windows Server 2012 R2 (Server Core installation) x64-based Systems 6.3.9600.0 < 6.3.9600.22824

Windows Server 2012 R2 x64-based Systems 6.3.9600.0 < 6.3.9600.22824

References

https://msrc.microsoft.com/update-guide/vulnerability/CVE...

vendor-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Oct 14, 2025
Vulnerability Reserved
Sep 11, 2025

JSON