Article Details

Scrape Timestamp (UTC): 2025-10-24 12:19:43.874

Source: https://www.theregister.com/2025/10/24/windows_server_patch/

Original Article Text

Microsoft drops surprise Windows Server patch before weekend downtime

You didn't have plans, did you?

Microsoft has released an out-of-band update to patch a critical vulnerability in Windows Server Update Services (WSUS). The update addresses CVE-2025-59287, a remote code execution flaw affecting Windows Server versions 2012 through 2025.

The vulnerability stems from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code. A proof-of-concept exploit is publicly available. The vulnerability has been assigned a maximum severity level of "critical".

Only servers with the WSUS role enabled are affected. Microsoft recommends that admins unable to patch immediately disable the role on affected servers, although this will obviously prevent client updates from the server. Alternatively, they can block inbound traffic to ports 8530 and 8531 on the host firewall to stop WSUS working.

The update is cumulative and includes October's patches if not yet installed. A reboot is required.

Windows is chock-full of legacy code waiting to be abused by attackers. However, anything that could result in remote code execution requires swift resolution or mitigation. This particular issue relates to a "legacy serialization mechanism," according to Microsoft.

WSUS is on the deprecated list for Windows Server, which means it is no longer being actively developed but remains a supported part of the operating system. Microsoft recently confirmed it would continue supporting driver update synchronization to WSUS following user outcry over plans to end support in April 2025. However, Microsoft's message to administrators is clear: switch to an alternative like its cloud-based Intune service.

Ultimately, an out-of-band update is serious business, particularly for a deprecated Windows component. While no removal date has been announced, this critical vulnerability raises questions about WSUS's long-term viability.
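The interim mitigation described above (check for the WSUS role, then block inbound 8530 and 8531 on the host firewall) can be scripted as follows. This is an added example, not code from the article or from Microsoft; it assumes an elevated PowerShell session on the server, and the rule name is a hypothetical placeholder.

```powershell
# Added example: WSUS exposure triage and temporary host-firewall block.
# Assumptions: run elevated on the Windows Server itself; rule name is hypothetical.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int[]]  $WsusPorts = @(8530, 8531),             # ports named in the article
    [string] $RuleName  = 'TEMP-Block-WSUS-Inbound'  # hypothetical rule name
)

# 1. Only servers with the WSUS role enabled are affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role is not installed; this host is not affected.'
    return
}
Write-Output 'WSUS role is installed; this host is in scope.'

# 2. Report which of the WSUS ports are actually listening right now.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WsusPorts } |
    Select-Object -ExpandProperty LocalPort -Unique
if ($listening) {
    Write-Output ("Listening WSUS ports: {0}" -f ($listening -join ', '))
} else {
    Write-Output 'No listener found on the WSUS ports.'
}

# 3. Add an inbound block rule unless one with this name already exists.
#    In Windows Firewall, block rules take precedence over allow rules.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Firewall rule '$RuleName' already present (Enabled: $($existing.Enabled))."
} elseif ($PSCmdlet.ShouldProcess("TCP $($WsusPorts -join ',')", 'Block inbound traffic')) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Temporary mitigation until the out-of-band update is installed' `
        -Direction Inbound -Action Block -Protocol TCP `
        -LocalPort $WsusPorts -Profile Any | Out-Null
    Write-Output "Created inbound block rule '$RuleName'."
}
```

Run it with `-WhatIf` first to see what would change without creating the rule. While the rule is in place clients cannot fetch updates from this server, so remove it with `Remove-NetFirewallRule -DisplayName` once the update is installed and the server has rebooted.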

Daily Brief Summary

VULNERABILITIES // Microsoft Releases Emergency Patch for Critical WSUS Vulnerability

Microsoft issued an out-of-band update addressing CVE-2025-59287, a critical remote code execution flaw in Windows Server Update Services (WSUS) affecting versions 2012 through 2025.

The vulnerability arises from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code; a proof-of-concept exploit is publicly available.

This critical flaw impacts only servers with the WSUS role enabled; Microsoft advises disabling the role or blocking inbound traffic to ports 8530 and 8531 if immediate patching is not feasible.

The update is cumulative, including October's patches, and requires a server reboot; swift action is recommended due to the potential for remote code execution.

WSUS is on the deprecated list for Windows Server, raising concerns about its long-term viability despite continued support for driver update synchronization until April 2025.

Microsoft's guidance suggests transitioning to alternatives like its cloud-based Intune service, highlighting a strategic shift away from legacy systems.

The urgency of this patch underscores the ongoing risks associated with legacy code in critical infrastructure, necessitating proactive vulnerability management.