PT-2025-42147 · Microsoft · Windows Server Update Services

Published: 2025-10-14 · Updated: 2025-11-13 · CVE-2025-59287

CVSS v3.1: 10
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Microsoft Windows Server Update Services (WSUS) versions prior to the October 2025 Patch Tuesday release, and versions prior to the subsequent out-of-band update released on October 23, 2025.

Description
Windows Server Update Services (WSUS) contains a critical remote code execution (RCE) vulnerability (CVE-2025-59287) caused by insecure deserialization of untrusted data. The flaw allows an unauthenticated attacker to execute arbitrary code with SYSTEM privileges on affected servers. It lies in the deserialization process within the WSUS service, specifically in the handling of AuthorizationCookie objects. Exploitation involves sending specially crafted requests to the WSUS server, potentially leading to full system compromise. Active exploitation of this vulnerability has been observed in the wild, with attackers leveraging it for reconnaissance, data harvesting, and potential deployment of malware such as Skuld Stealer. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, urging immediate patching. Several security researchers have confirmed active exploitation attempts and have released proof-of-concept (PoC) exploits.

Recommendations
Apply the latest security update released by Microsoft to address CVE-2025-59287. If you cannot patch immediately, consider disabling the WSUS Server Role or restricting access to ports 8530 and 8531. Monitor WSUS server logs for suspicious activity.
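
One way to apply the interim port restriction from the recommendations on the WSUS host itself, as an added example (not Microsoft's or this advisory's own code). The rule name is a made-up placeholder, and the script assumes a Windows Server host where the ServerManager and NetSecurity cmdlets are available.

```powershell
#Requires -RunAsAdministrator
# Added example: audit WSUS exposure and block inbound access as a stopgap until patched.
$WsusPorts = 8530, 8531                 # ports named in the advisory
$RuleName  = 'TEMP-Block-WSUS-Inbound'  # hypothetical rule name

# 1. Skip hosts that do not run the WSUS Server Role.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS Server Role not installed; no action taken.'
    return
}

# 2. Report which of the WSUS ports currently accept connections.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WsusPorts } |
    Select-Object -ExpandProperty LocalPort -Unique
if ($listening) {
    Write-Output ("WSUS ports listening: {0}" -f ($listening -join ', '))
} else {
    Write-Output 'WSUS role installed but neither port is listening.'
}

# 3. Add one inbound block rule (idempotent). In Windows Firewall a block rule
#    takes precedence over allow rules, so WSUS clients lose access until removal.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Interim mitigation for CVE-2025-59287; remove after patching.' `
        -Direction Inbound -Protocol TCP -LocalPort $WsusPorts `
        -Action Block -Profile Any | Out-Null
    Write-Output "Created firewall rule '$RuleName'."
} else {
    Write-Output "Firewall rule '$RuleName' already exists."
}

# 4. After the security update is installed, lift the block:
# Remove-NetFirewallRule -DisplayName $RuleName
```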

Exploit

Fix

RCE

LPE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

BDU:2025-12999
CVE-2025-59287

Affected Products

Windows
Windows Server Update Services