Original Article Text

Windows Server emergency patches fix WSUS bug with PoC exploit

Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code. WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network.

Tracked as CVE-2025-59287 and patched during this month's Patch Tuesday, this remote code execution (RCE) security flaw affects only Windows servers with the WSUS Server Role enabled, a feature that isn't enabled by default.

The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. This makes it potentially wormable between WSUS servers.

"Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled," Microsoft explained.

"A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution."

Microsoft has released security updates for all impacted Windows Server versions and advised customers to install them as soon as possible.

As Microsoft revealed in a Thursday update to the original security advisory, a proof-of-concept exploit for CVE-2025-59287 is now also available online, making it even more critical to patch vulnerable servers immediately.

Microsoft also shared workarounds for admins who can't immediately install these emergency patches, including disabling the WSUS Server Role to remove the attack vector or blocking all inbound traffic to ports 8530 and 8531 on the host firewall to render WSUS non-operational.
However, it's important to note that Windows endpoints will stop receiving updates from the local server after WSUS is disabled or the traffic is blocked.

"This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions," Microsoft added. "If you haven't installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead. After you install the update you will need to reboot your system."
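The port-blocking workaround described above, as an added defender-side example that is not part of the article or of Microsoft's guidance: it checks whether this server carries the WSUS Server Role (assumed to be the `UpdateServices` Windows feature) and whether anything is listening on 8530/8531, applies a host-firewall rule blocking inbound TCP on those ports, and provides a rollback for after the OOB update is installed and the server rebooted. The rule name is a placeholder chosen here; run it elevated on Windows Server.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumption: the WSUS Server Role is the 'UpdateServices' Windows feature.

function Get-WsusExposure {
    # Report whether the WSUS role is installed and whether the WSUS ports are listening.
    $feature   = Get-WindowsFeature -Name UpdateServices
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                   Where-Object { $_.LocalPort -in 8530, 8531 })
    [pscustomobject]@{
        RoleInstalled  = [bool]$feature.Installed
        ListeningPorts = ($listening.LocalPort | Sort-Object -Unique)
    }
}

function Enable-WsusPortBlock {
    # Temporary mitigation from the advisory: block inbound TCP 8530/8531 on the host firewall.
    # Side effect (as the article notes): clients stop receiving updates from this server.
    param([string]$RuleName = 'Mitigation-Block-WSUS-Inbound')   # placeholder rule name
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule '$RuleName' is already present."
        return
    }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    Write-Host "Inbound TCP 8530/8531 is now blocked by rule '$RuleName'."
}

function Disable-WsusPortBlock {
    # Rollback once the OOB update is installed and the server has been rebooted.
    param([string]$RuleName = 'Mitigation-Block-WSUS-Inbound')   # placeholder rule name
    Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    Write-Host "Firewall rule '$RuleName' removed; WSUS ports are reachable again."
}

$exposure = Get-WsusExposure
if ($exposure.RoleInstalled) {
    Write-Warning ("WSUS Server Role installed (listening on: {0}). Install the OOB update " +
                   "for CVE-2025-59287, or keep the port block until you can.") -f ($exposure.ListeningPorts -join ', ')
    Enable-WsusPortBlock
} else {
    Write-Host 'WSUS Server Role not installed: this host is not exposed to CVE-2025-59287.'
}
```

Call `Disable-WsusPortBlock` after patching and rebooting so clients resume pulling updates from this server.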

Daily Brief Summary

VULNERABILITIES // Microsoft Issues Emergency Patch for Critical WSUS Vulnerability

Microsoft has released out-of-band security updates to address a critical vulnerability in Windows Server Update Service (WSUS), tracked as CVE-2025-59287, with a publicly available proof-of-concept exploit.

The vulnerability affects Windows servers with the WSUS Server Role enabled, allowing remote code execution without user interaction, posing significant risks of unauthorized access.

This flaw is particularly dangerous as it can be exploited in low-complexity attacks and has the potential to spread between WSUS servers, making it "wormable."

Microsoft recommends immediate installation of the security updates for all impacted Windows Server versions to prevent exploitation of this critical vulnerability.

Workarounds are available for administrators unable to apply patches immediately, including disabling the WSUS Server Role or blocking inbound traffic to specific ports, though these measures will halt update distribution.

The update is cumulative and does not require prior updates, ensuring a streamlined patching process for administrators.

Organizations are urged to prioritize this update to maintain operational security and prevent potential disruptions or data breaches.