PT-2025-42147 · Microsoft · Windows Server Update Services

Published: 2025-10-14 · Updated: 2025-11-30 · CVE-2025-59287

CVSS v2.0: 10
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Windows Server Update Services (WSUS) versions prior to the October 2025 security updates.
Description: A critical remote code execution (RCE) vulnerability, CVE-2025-59287, exists in Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization of untrusted data and allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges. Active exploitation has been observed in the wild, with threat actors deploying malware such as ShadowPad. Attackers use tools including PowerCat, curl, and certutil to obtain shell access and install malicious payloads. The vulnerability affects systems running the WSUS role and has been actively exploited since October 2025. CISA has added it to its Known Exploited Vulnerabilities catalog and urges immediate patching.
Recommendations: Apply the latest security updates released by Microsoft for Windows Server Update Services (WSUS). If patching is not immediately possible, disable the WSUS role or block inbound traffic on TCP ports 8530 and 8531 at the host firewall. Monitor WSUS server logs for suspicious activity and implement detection rules to identify potential exploitation attempts.
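The recommendations above translate into three concrete checks on the WSUS host: confirm the role is present, confirm the fix is installed, and, where it is not, apply the interim port block and sweep process-creation audit events for the tooling the advisory reports. The PowerShell below is an added example and is not code from the advisory, from Positive Technologies or from Microsoft. It assumes an elevated session on Windows Server with the ServerManager and NetSecurity modules available and with process-creation auditing (Security event 4688, command-line logging on) enabled. The KB identifier is a placeholder to be replaced with the one Microsoft lists for the OS build, and the parent-process names (WsusService.exe, the IIS worker w3wp.exe) and the 4688 property indices are assumptions drawn from the standard Windows schema, not from the advisory.

```powershell
# Added example (not from the advisory): triage and interim mitigation for CVE-2025-59287 on a WSUS host.
# Assumptions: run elevated on Windows Server; ServerManager and NetSecurity modules present;
# Security event 4688 auditing with command-line logging enabled.

# 1. Is the WSUS role installed at all? If not, this host is not exposed by this CVE.
function Test-WsusRoleInstalled {
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

# 2. Has the October 2025 (or later) WSUS fix been applied?
#    The KB number is a PLACEHOLDER: take the real one from the Microsoft advisory for your OS build.
function Test-WsusPatchPresent {
    param([string]$KbId = 'KB<from-MS-advisory>')
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

# 3. Interim mitigation named in the advisory: block inbound TCP 8530/8531 (the WSUS HTTP/HTTPS
#    listeners) at the host firewall until the update is installed. Idempotent: skips an existing rule.
function Block-WsusInbound {
    $name = 'Block WSUS inbound (CVE-2025-59287 interim mitigation)'
    if (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue) { return 'already present' }
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
        -LocalPort 8530,8531 -Action Block -Profile Any | Out-Null
    return 'created'
}

# 4. Detection sweep: process creations of the tooling the advisory reports (curl, certutil, and
#    PowerCat, which runs under powershell.exe) whose parent is the WSUS service or its IIS worker.
#    Parent names are an assumption about the WSUS process tree, not something the advisory states.
#    Property indices follow the standard 4688 schema: 5 = NewProcessName, 8 = CommandLine, 13 = ParentProcessName.
function Find-SuspiciousWsusChildProcesses {
    param([int]$Hours = 24)
    $tools   = 'curl.exe', 'certutil.exe', 'powershell.exe', 'cmd.exe'
    $parents = 'wsusservice.exe', 'w3wp.exe'
    $filter  = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    $events  = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $p = $e.Properties
        if ($p.Count -lt 14) { continue }                     # older schema without ParentProcessName
        $child  = ([string]$p[5].Value  | Split-Path -Leaf).ToLower()
        $parent = ([string]$p[13].Value | Split-Path -Leaf).ToLower()
        if (($tools -contains $child) -and ($parents -contains $parent)) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                CommandLine = [string]$p[8].Value
            }
        }
    }
}

# Orchestration: mitigate only where the role is present and the fix is missing, then sweep 72 hours of audit data.
if (Test-WsusRoleInstalled) {
    if (-not (Test-WsusPatchPresent)) {
        "WSUS fix not found; firewall block: $(Block-WsusInbound)"
    }
    Find-SuspiciousWsusChildProcesses -Hours 72 | Format-Table -AutoSize
}
```

The firewall rule blocks WSUS clients as well as attackers, which is the trade-off the advisory accepts for an unpatched host; remove the rule after the update is installed. A match in the sweep is a lead, not a verdict: the command line recorded in the event is what tells a legitimate administrative certutil invocation apart from a download stage, so keep command-line logging enabled and review hits by hand.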

Tags: Exploit · Fix · LPE · RCE

Weakness Enumeration
Deserialization of Untrusted Data

Related Identifiers
BDU:2025-12999
CVE-2025-59287

Affected Products
Windows
Windows Server Update Services