PT-2025-42147 · Microsoft · Windows Server Update Services

Published

2025-10-14

·

Updated

2026-03-19

·

CVE-2025-59287

CVSS v2.0

10

Critical

AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions

Microsoft Windows Server Update Services (WSUS) versions prior to the October 2025 security updates.

Description

A critical remote code execution (RCE) vulnerability exists in Windows Server Update Services (WSUS) due to unsafe deserialization of untrusted data. It allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. The vulnerability, identified as CVE-2025-59287, has been actively exploited in the wild; attackers have used tools such as PowerCat and certutil to deploy malware including ShadowPad and Skuld Stealer. Exploitation involves sending crafted requests to the WSUS service and can lead to full system compromise and data theft. Multiple security researchers and CISA have confirmed active exploitation and issued alerts. Attackers have also been observed using DLL sideloading and PowerShell scripts to maintain persistence and evade detection.

Recommendations

Apply the latest security updates released by Microsoft for WSUS. If patching is not immediately possible, restrict access to the WSUS server and block inbound traffic on ports 8530 and 8531. Monitor WSUS server logs for suspicious activity and indicators of compromise.
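The interim measures above (confirm the WSUS role is present, restrict who can reach ports 8530 and 8531, and check what has been patched) can be scripted. The following PowerShell is an added example for this record; it is not from the advisory or from Microsoft. The trusted subnet, the patch cutoff date and the firewall rule names are constructed placeholders, and the script relies on the Windows Firewall default inbound action being Block, which it checks and reports rather than assumes.

```powershell
# Added defensive example (not part of the advisory): applies the interim
# recommendations on a WSUS host until the October 2025 updates are installed.
# Run from an elevated PowerShell session on the WSUS server.

$TrustedSubnets = @('10.0.0.0/24')        # constructed placeholder: networks that may still reach WSUS
$WsusPorts      = @('8530', '8531')       # ports named in the advisory (HTTP / HTTPS)
$PatchCutoff    = Get-Date '2025-10-14'   # advisory publication date; adjust to your patch baseline

# 1. Confirm the WSUS role is actually installed before touching the firewall.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Output 'WSUS role (UpdateServices) is not installed on this host; nothing to restrict.'
    return
}

# 2. Disable every enabled inbound Allow rule that opens a WSUS port, so that
#    the only path in is the scoped rule created below. Rules whose LocalPort
#    is a range or "Any" are reported for manual review rather than changed.
$inboundAllow = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $inboundAllow) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -ne 'TCP') { continue }
    $ports = @($portFilter.LocalPort)
    if ($ports | Where-Object { $WsusPorts -contains $_ }) {
        Disable-NetFirewallRule -Name $rule.Name
        Write-Output "Disabled inbound allow rule: $($rule.DisplayName)"
    }
    elseif ($ports -contains 'Any' -or ($ports | Where-Object { $_ -match '-' })) {
        Write-Warning "Review manually (port range or Any): $($rule.DisplayName) -> $($ports -join ',')"
    }
}

# 3. Allow the WSUS ports only from the trusted subnets. Rule name is constructed.
New-NetFirewallRule -DisplayName 'WSUS interim - allow trusted subnets only' `
    -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
    -RemoteAddress $TrustedSubnets -Action Allow -Profile Any -Enabled True | Out-Null

# 4. The scoping above only restricts access if unsolicited inbound traffic is
#    blocked by default; report any profile where that is not the case.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block') {
        Write-Warning "Profile $($_.Name): DefaultInboundAction is $($_.DefaultInboundAction); WSUS ports may still be reachable."
    }
}

# 5. List updates installed since the cutoff to help confirm the WSUS fix is on the box.
Write-Output "Updates installed on or after $($PatchCutoff.ToShortDateString()):"
Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchCutoff } |
    Sort-Object InstalledOn |
    Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Disabled rules are left in place rather than deleted so they can be re-enabled with Enable-NetFirewallRule once the update is confirmed installed; the scoped rule can then be removed with Remove-NetFirewallRule by its display name.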

Exploit

Fix

RCE

LPE

Weakness Enumeration

Deserialization of Untrusted Data

Related Identifiers

BDU:2025-12999
CVE-2025-59287

Affected Products

Windows
Windows Server Update Services