Mallory

Critical RCE Vulnerability in Microsoft WSUS via Unsafe Cookie Deserialization

Tags: proof-of-concept-release, widely-deployed-product-advisory, internet-facing-service-vulnerability, rapid-weaponization
Updated March 21, 2026 at 03:37 PM (38 sources)

Microsoft has released emergency out-of-band security updates to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The flaw, rated CVSS 9.8, allows unauthenticated attackers to exploit unsafe deserialization in the WSUS AuthorizationCookie mechanism, enabling arbitrary code execution with SYSTEM privileges. Proof-of-concept exploit code for this vulnerability is publicly available, increasing the urgency for organizations to patch affected systems immediately. The vulnerability affects only Windows servers with the WSUS Server Role enabled, and Microsoft has provided security updates for all supported Windows Server versions, along with workarounds for those unable to patch immediately.

Security researcher Batuhan Er from HawkTrace detailed that the vulnerability arises from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where the encrypted cookie data is decrypted and then deserialized without proper type validation. The flaw exposes WSUS servers to remote, unauthenticated attacks that require no user interaction and could be wormable between WSUS servers. Microsoft strongly advises administrators to install the provided patches or apply the recommended mitigations to prevent exploitation of this critical vulnerability.

Timeline

  1. Nov 4, 2025

    Metasploit module for CVE-2025-59287 is added

    A Metasploit Framework pull request published an exploit module for the unauthenticated WSUS deserialization flaw, further lowering the barrier to weaponization and testing.

  2. Nov 3, 2025

    Microsoft says WSUS emergency patch disabled hotpatching

    Microsoft disclosed that the patch released for CVE-2025-59287 had the side effect of disabling Windows Server hotpatching, creating an operational issue for some customers after applying the fix.

  3. Nov 3, 2025

    Google attributes exploitation to UNC6512; at least 50 orgs impacted

    On November 3, reporting said exploitation had affected at least 50 organizations, with Google's Threat Intelligence Group attributing related activity to a newly tracked threat cluster, UNC6512. Eye Security also said two additional threat actors had conducted intrusions against vulnerable WSUS instances.

  4. Nov 2, 2025

    Internet-wide scanning on WSUS ports 8530 and 8531 is observed

    By early November, defenders reported notable scanning activity against TCP ports 8530 and 8531, likely tied to efforts to find vulnerable WSUS servers for CVE-2025-59287 exploitation.

  5. Oct 30, 2025

    Attackers linked to Skuld infostealer in WSUS exploitation

    Reporting on October 30 indicated that some CVE-2025-59287 exploitation activity was being used to deploy the Skuld infostealer, showing post-exploitation monetization beyond reconnaissance.

  6. Oct 28, 2025

    Researchers report thousands of internet-exposed WSUS servers

    Security researchers and government advisories warned that thousands of WSUS instances were reachable from the internet, raising concern that compromise of a WSUS server could enable broader internal supply-chain style attacks.

  7. Oct 28, 2025

    Google begins investigating WSUS exploitation activity

    By late October, Google threat researchers were probing exploitation of CVE-2025-59287 as warnings mounted about attacks against exposed WSUS infrastructure.

  8. Oct 27, 2025

    CISA orders federal agencies to patch WSUS flaw

    CISA issued a warning directing U.S. federal civilian agencies to remediate the exploited WSUS vulnerability, advising identification of exposed servers, application of Microsoft's update, and use of mitigations if patching could not be completed immediately.

  9. Oct 24, 2025

    CISA adds CVE-2025-59287 to the KEV catalog

    CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog after reports of in-the-wild exploitation, elevating urgency for remediation across affected organizations.

  10. Oct 24, 2025

    Dutch NCSC confirms observed exploitation of CVE-2025-59287

    The Netherlands' NCSC said it learned from a trusted partner that exploitation of the WSUS flaw had been observed on October 24, warning that public exploit availability increased the risk to exposed servers.

  11. Oct 24, 2025

    Eye Security observes scanning and customer compromise

    On October 24, Eye Security reported scanning and exploitation attempts targeting CVE-2025-59287, including at least one customer compromise using an exploit different from the public proof of concept.

  12. Oct 23, 2025

    Attackers begin exploiting exposed WSUS servers

    Security firms including Huntress reported attacks beginning on October 23 against internet-exposed WSUS instances, with attackers sending crafted requests, spawning cmd.exe and PowerShell, performing reconnaissance, and exfiltrating results to attacker-controlled infrastructure.

  13. Oct 23, 2025

    Microsoft releases out-of-band emergency WSUS patch

    On October 23, Microsoft issued an emergency out-of-band update for CVE-2025-59287, a critical unauthenticated WSUS remote code execution bug affecting Windows Server systems with the WSUS role enabled. Microsoft also recommended rebooting after patching and suggested disabling WSUS or blocking ports 8530/8531 as temporary mitigations.

  14. Oct 23, 2025

    Public technical analysis and PoC for WSUS flaw emerge

    Researchers published technical details and proof-of-concept exploit code for CVE-2025-59287, describing unsafe deserialization of WSUS AuthorizationCookie objects and making exploitation easier for attackers.

  15. Oct 14, 2025

    Microsoft ships initial Patch Tuesday fix for CVE-2025-59287

    Microsoft initially addressed CVE-2025-59287 in its October 2025 Patch Tuesday updates, but later acknowledged that this first fix did not fully mitigate the WSUS remote code execution flaw.
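The Huntress observations in the timeline (crafted requests to WSUS, then cmd.exe and PowerShell spawned, followed by reconnaissance and exfiltration) and the certutil/curl tooling named in the related-story summaries on this page map directly onto a host-based detection over process-creation telemetry. The following is an added example, not code from the page or from any vendor it cites; it assumes WsusService.exe and the IIS worker w3wp.exe as the WSUS host processes (the page does not name the parent process) and uses constructed sample events.

```python
"""Flag the WSUS post-exploitation chain this page describes: a WSUS host
process spawns cmd.exe/PowerShell, which then runs certutil or curl.
Assumption (not on the page): WsusService.exe and the IIS worker w3wp.exe
are the WSUS host processes. Sample events below are constructed."""
from dataclasses import dataclass

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}  # assumed WSUS host processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
FOLLOW_ON = {"certutil.exe", "curl.exe"}  # follow-on tooling named on the page


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str  # full path of the created process


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_wsus_shell_chains(events):
    """Return (parent_pid, child_pid, reason) for each suspicious creation.
    Events must be in creation order; PID reuse is not handled here."""
    by_pid = {e.pid: e for e in events}
    tainted = set()  # shells descended from a WSUS host process
    hits = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        child = _base(e.image)
        if _base(parent.image) in WSUS_PARENTS and child in SHELLS:
            tainted.add(e.pid)
            hits.append((e.ppid, e.pid, "wsus-host-spawned-shell"))
        elif e.ppid in tainted:
            if child in SHELLS:  # e.g. cmd.exe -> powershell.exe
                tainted.add(e.pid)
            elif child in FOLLOW_ON:
                hits.append((e.ppid, e.pid, "follow-on-download-tool"))
    return hits


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    ProcEvent(1200, 600, r"C:\Program Files\Update Services\Service\WsusService.exe"),
    ProcEvent(1300, 1200, r"C:\Windows\System32\cmd.exe"),
    ProcEvent(1310, 1300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcEvent(1320, 1310, r"C:\Windows\System32\curl.exe"),
    ProcEvent(2000, 700, r"C:\Windows\System32\cmd.exe"),  # unrelated admin shell
    ProcEvent(2010, 2000, r"C:\Windows\System32\certutil.exe"),  # benign use
]
```

Running `find_wsus_shell_chains(SAMPLE_EVENTS)` returns the WsusService.exe to cmd.exe spawn and the later curl.exe launch from the tainted PowerShell, while the unrelated admin shell and its certutil use are not flagged.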



Related Stories

Microsoft WSUS Remote Code Execution Vulnerability Actively Exploited

Microsoft released an urgent out-of-band security update to address a critical remote code execution vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287. The flaw was reportedly under active exploitation in the wild, prompting Microsoft to issue a comprehensive fix outside of its regular update cycle. Security advisories and industry news highlighted the severity of the vulnerability and its inclusion in the U.S. CISA Known Exploited Vulnerabilities catalog, underscoring the immediate risk to organizations relying on WSUS for patch management. The vulnerability allowed attackers to potentially execute arbitrary code on affected WSUS servers, posing a significant threat to enterprise environments. Security experts urged organizations to apply the patch without delay to mitigate the risk of compromise. The rapid response from Microsoft and the attention from security agencies reflect the critical nature of the flaw and the ongoing threat landscape targeting core infrastructure components like WSUS.

1 month ago
Remote Code Execution Vulnerabilities in Microsoft Update Services Exploited

A critical remote code execution (RCE) vulnerability was discovered in Microsoft's Update Health Tools (KB4023057), a utility designed to facilitate rapid security updates via Intune. Researchers found that a misconfiguration involving abandoned Azure blob storage allowed attackers to register a storage account and receive requests from vulnerable devices worldwide, enabling arbitrary code execution. Microsoft has since responded to the disclosure, and newer versions of the tool have addressed the issue, but devices running the original version remain at risk if not updated. Separately, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was actively exploited by threat actors to deploy the ShadowPad backdoor malware. Attackers leveraged this flaw to gain system-level access using PowerCat and subsequently installed ShadowPad via `certutil` and `curl`. The exploitation of these vulnerabilities highlights the risks associated with update management tools and the importance of timely patching and secure configuration to prevent compromise by advanced persistent threats.

1 month ago
Active Exploitation of WSUS Vulnerability and Urgent Security Guidance for Microsoft Exchange and WSUS Servers

Cybersecurity authorities including CISA and NSA, in collaboration with international partners, have issued urgent guidance to secure on-premise Microsoft Exchange Server and Windows Server Update Services (WSUS) instances. The recommendations emphasize restricting administrative access, enforcing multi-factor authentication, maintaining strict security baselines, and decommissioning end-of-life servers to mitigate ongoing threats. Organizations are urged to apply security updates promptly, enable advanced security features, and adopt zero trust principles to defend against persistent malicious activity targeting these critical Microsoft services. Simultaneously, a newly disclosed vulnerability in WSUS, tracked as CVE-2025-59287, is being actively exploited by cybercriminals to deploy the Skuld Stealer malware. Despite Microsoft's initial and subsequent out-of-band patches, attackers have leveraged the flaw to gain remote control over WSUS servers, using legitimate tools like PowerShell and cURL for malicious purposes. The exploitation prompted CISA to add the vulnerability to its list of known exploited vulnerabilities, underscoring the urgency for organizations to implement the latest security updates and follow best practices to protect their infrastructure.

1 month ago
