Microsoft on Thursday released an out-of-band security update that patches a critical severity vulnerability in Windows Server Update Service (WSUS) using a publicly available proof-of-concept (POC) exploit. This exploit has been used in the wild.
The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8). This is a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of a Patch Tuesday update published last week.
Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH, are credited with discovering and reporting this bug.
This shortcoming pertains to cases in which WSUS deserializes untrusted data, allowing an unauthorized attacker to execute code over the network. Note that this vulnerability does not affect Windows servers that do not have the WSUS server role enabled.
In a hypothetical attack scenario, a remote unauthenticated attacker could send a crafted event that triggers insecure object deserialization in a “traditional serialization mechanism”, leading to remote code execution.
According to Batuhan Er, a security researcher at HawkTrace, the issue is caused by “insecure deserialization of the AuthorizationCookie object sent to the GetCookie() endpoint. The encrypted cookie data is decrypted using AES-128-CBC and then deserialized by a BinaryFormatter without proper type validation, allowing remote code execution with SYSTEM privileges.”
It is worth noting that Microsoft itself previously recommended that developers stop using BinaryFormatter for deserialization due to the fact that it is unsafe to use BinaryFormatter with untrusted input. The BinaryFormatter implementation was then removed from .NET 9 in August 2024.
.NET executables deployed via CVE‑2025‑59287
“To comprehensively address CVE-2025-59287, Microsoft is updating supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server We have released an out-of-band security update for 2025,” Redmond said. Update.
After installing the patch, we recommend restarting your system for the update to take effect. If out-of-band cannot be applied, users can take one of the following actions to protect against defects:
Disable the WSUS server role on the server (if enabled) Block incoming traffic to ports 8530 and 8531 on the host firewall
“Do not revert these workarounds until you have installed the updates,” Microsoft warns.
The development comes after the Dutch National Cyber Security Center (NCSC) announced that it had “learned from a trusted partner that an exploit of CVE-2025-59287 was observed on October 24, 2025.”
Eye Security, which notified NCSC-NL of the exploit in the wild, said it had observed the vulnerability being used to drop a Base64-encoded payload targeting anonymous customers. The payload, a .NET executable file, “takes the value ‘aaaa’ request header and executes it directly using cmd.exe.”
Given the availability of PoC exploits, it is important for users to patch as soon as possible to mitigate potential threats.
Source link
