Microsoft Releases Emergency Patch for Critical Remote Code Execution Vulnerability (CVE-2025-59287) in WSUS

Microsoft has released an out-of-band (emergency, non–Patch Tuesday) security update to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS).
This flaw, identified as CVE-2025-59287, poses a direct risk to organizations that use WSUS to manage Windows updates across their IT infrastructure.

Overview of CVE-2025-59287

The vulnerability is classified as CWE-502: Deserialization of Untrusted Data.
It occurs when WSUS improperly deserializes maliciously crafted objects.
A remote, unauthenticated attacker can exploit this flaw by sending specially crafted requests to the WSUS service.

Since WSUS typically runs with SYSTEM-level privileges, successful exploitation would allow an attacker to execute arbitrary code with the highest level of permissions, effectively taking full control of the affected system.

Microsoft has rated this vulnerability as Critical, with a CVSS v3.1 base score of 9.8.
The attack vector is network-based, requires no authentication or user interaction, and has low complexity.
Confidentiality, integrity, and availability impacts are all rated High.
Microsoft further warns that exploitation is “More Likely”, urging administrators to apply the patch immediately.

Affected Versions

This RCE vulnerability affects the following supported editions of Windows Server:

・Windows Server 2012 / 2012 R2

・Windows Server 2016

・Windows Server 2019

・Windows Server 2022 (including 23H2 Server Core edition)

・Windows Server 2025

By default, the WSUS server role is not enabled upon Windows Server installation.
However, once it is activated, any unpatched system becomes a potential attack target.
Microsoft emphasizes that servers without the WSUS role enabled are not affected by CVE-2025-59287.

Discovery and Patch Timeline

The vulnerability was first reported on October 14, 2025, and registered by Microsoft as CVE-2025-59287 on the same day.
After confirming the release of proof-of-concept (PoC) exploit code, Microsoft issued an out-of-band update on October 23, 2025.
Following this, the CVSS temporal score was updated to reflect the increased maturity of the exploit code.

The security update is available through multiple channels:

・Windows Update

・Microsoft Update

・Microsoft Update Catalog

Systems with automatic updates enabled will download and install the patch without manual intervention.
A system restart is required after installation.

Mitigations and Workarounds

For organizations unable to immediately apply the October 23 update, Microsoft has provided temporary mitigation measures:

・Disable the WSUS server role
→ Prevents exploitation but halts update distribution to clients.

・Block inbound traffic
→ Use host-based firewalls to block ports 8530 and 8531, effectively disabling WSUS and reducing exposure.

These mitigations should remain in place until the official patch has been fully applied and the server restarted.
Removing them prematurely may re-expose systems to attack.
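The two interim mitigations above are the kind of thing an administrator applies by hand under time pressure, so the following added example (written for this article, not Microsoft's own guidance or tooling) turns them into an idempotent PowerShell script for the WSUS host: it first checks whether the UpdateServices role is installed (a server without the role is not affected), lists what is actually listening on TCP 8530 and 8531, and then creates a single host-firewall block rule for those ports. The rule name is an assumption chosen for this example; the cmdlets (Get-WindowsFeature, Get-NetTCPConnection, New-NetFirewallRule) are the standard ones shipped with Windows Server.

```powershell
# Added example (not Microsoft's guidance text): check whether this host exposes WSUS
# and, if so, apply the interim mitigation of blocking inbound TCP 8530/8531.
# Run elevated on the WSUS server itself; uses the ServerManager and NetSecurity modules.
#Requires -RunAsAdministrator

Import-Module ServerManager
Import-Module NetSecurity

$wsusPorts = 8530, 8531   # WSUS HTTP / HTTPS ports named in the advisory
$ruleName  = 'Block inbound WSUS (CVE-2025-59287 interim mitigation)'   # assumed rule name

# 1. A server without the WSUS role is not affected; nothing to do.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host 'WSUS role not installed; host is not affected by CVE-2025-59287.'
    return
}

# 2. Exposure check: show what is listening on the WSUS ports right now.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Create the inbound block rule only once, so the script is safe to re-run.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort $wsusPorts `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule '$ruleName' blocking inbound TCP $($wsusPorts -join ', ')."
} else {
    Write-Host "Firewall rule '$ruleName' already present; nothing changed."
}

# Once the October 23, 2025 update is confirmed installed and the server restarted,
# lift the mitigation with:
#   Remove-NetFirewallRule -DisplayName $ruleName
# The advisory's alternative mitigation (stops update distribution to clients entirely):
#   Uninstall-WindowsFeature -Name UpdateServices -Restart
```

Blocking the ports stops WSUS clients from reaching the server as well, exactly as the article notes, so the rule should be tracked (for example by its DisplayName) and removed deliberately once patch installation and the required restart have been confirmed.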

Exploitation Risk

As of publication, Microsoft has found no evidence of active exploitation beyond the released proof-of-concept code.
However, if a WSUS server is compromised, attackers could distribute malicious updates across the organization, manipulate system configurations, or expand their foothold within the internal network.

The vulnerability was reported by Markus Wulftange of CODE WHITE GmbH, and Microsoft has credited him for his responsible disclosure.

Given that the flaw allows unauthenticated, remote code execution over the network without user interaction, it is considered a critical, high-priority issue.
Organizations using WSUS are strongly advised to verify that the October 23, 2025 security update has been applied to all affected systems.
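To act on that advice across a fleet, the following added example (not from Microsoft or the original article) queries each WSUS server over WinRM and reports whether the role is installed, whether anything is listening on 8530/8531, whether the out-of-band update is present, and the last boot time, since the fix needs a restart. The article does not name the KB number of the October 23, 2025 update, so `$Kb` is an explicit placeholder to be replaced with the real article id from the Microsoft Update Catalog; the hostnames are constructed for the example, and the script assumes PowerShell remoting is enabled and the caller has administrative rights on the targets.

```powershell
# Added example: fleet-wide patch and exposure report for CVE-2025-59287.
# Assumptions: WinRM is enabled on the targets, the caller is a local administrator there,
# and $Kb is replaced with the KB id of the October 23, 2025 out-of-band update
# (the article does not state it, so a placeholder is used here).
$Kb      = 'KB<PLACEHOLDER-OOB-UPDATE-ID>'   # placeholder: substitute the real KB id
$Servers = 'wsus01', 'wsus02'                 # constructed example hostnames

$results = Invoke-Command -ComputerName $Servers -ArgumentList $Kb -ScriptBlock {
    param($Kb)

    $roleInstalled = (Get-WindowsFeature -Name UpdateServices).Installed
    # Get-HotFix errors on an unknown id; treat "not found" as "not installed".
    $patched   = [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
    $listening = [bool](Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                        Where-Object { $_.LocalPort -in 8530, 8531 })
    $lastBoot  = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime

    [pscustomobject]@{
        Server    = $env:COMPUTERNAME
        WsusRole  = $roleInstalled
        Listening = $listening
        Patched   = $patched
        LastBoot  = $lastBoot
        Status    = if (-not $roleInstalled) { 'Not affected (no WSUS role)' }
                    elseif ($patched)        { 'Patched (confirm restart after install)' }
                    else                     { 'EXPOSED: patch or mitigate' }
    }
}

$results |
    Sort-Object Status |
    Format-Table Server, WsusRole, Listening, Patched, LastBoot, Status -AutoSize
```

A server that reports the WSUS role installed and the update absent is the one to patch first or, failing that, to protect with the firewall or role-removal mitigation described above; a server showing the update installed but a boot time older than the installation still needs its restart before the fix is effective.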