Critical Vulnerability CVE-2025-59287 in Windows Server Update Services

Published 2025-10-24 22:20:45 | arcticwolf.com

Microsoft has released an out-of-band security update for a critical vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. This flaw allows remote code execution by unauthenticated threat actors, and a new patch is necessary to fully mitigate the issue as the initial patch was incomplete.

On October 23, 2025, Microsoft released an out-of-band security update for a critical vulnerability tracked as CVE-2025-59287. The flaw stems from the deserialization of untrusted data in Windows Server Update Services (WSUS), which allows remote, unauthenticated threat actors to achieve remote code execution by sending a crafted event. According to Microsoft, only Windows servers with the WSUS Server Role enabled are affected. This feature is not enabled by default.

While CVE-2025-59287 was originally patched in October’s Patch Tuesday update, Microsoft has indicated that the initial patch was not comprehensive, and this new update must be applied to fully mitigate the vulnerability. Threat actors have begun exploiting this vulnerability, which was added to CISA’s Known Exploited Vulnerabilities Catalog shortly after the new patch was released.

Additionally, technical details and a proof-of-concept exploit are now available for CVE-2025-59287. Arctic Wolf is currently observing a threat campaign targeting WSUS servers over ports 8530 and 8531. In each incident, a malicious PowerShell script was executed in a cmd process spawned either by the IIS worker process (w3wp.exe) or by wsusservice.exe.
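The following Python is an added illustration (not code from Arctic Wolf or Microsoft) of how a defender could hunt process-creation telemetry for the chain described above: cmd.exe or PowerShell descending from w3wp.exe or wsusservice.exe. The ProcEvent record, its field names and the sample events are constructed assumptions; in practice the records would come from Sysmon Event ID 1 or Security Event 4688.

```python
import re
from dataclasses import dataclass

WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}  # parents named in the observed incidents
POWERSHELL_RE = re.compile(r"\b(powershell|pwsh)(\.exe)?\b", re.IGNORECASE)

@dataclass(frozen=True)
class ProcEvent:  # minimal process-creation record (Sysmon ID 1 / Security 4688 fields)
    pid: int
    ppid: int
    image: str
    cmdline: str

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def wsus_ancestor(ev, by_pid, depth=3):
    """Walk up at most `depth` parents; return the first w3wp.exe/wsusservice.exe, else None."""
    for _ in range(depth):
        ev = by_pid.get(ev.ppid)
        if ev is None or basename(ev.image) in WSUS_PARENTS:
            return ev
    return None

def find_wsus_shell_chains(events):
    """Flag PowerShell, or cmd.exe invoking PowerShell, that descends from a WSUS parent."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        name = basename(ev.image)
        is_ps = bool(POWERSHELL_RE.search(name))
        is_cmd_ps = name == "cmd.exe" and bool(POWERSHELL_RE.search(ev.cmdline))
        if is_ps or is_cmd_ps:
            root = wsus_ancestor(ev, by_pid)
            if root is not None:
                findings.append(f"{basename(root.image)}[{root.pid}] -> {name}[{ev.pid}]: {ev.cmdline}")
    return findings

# Constructed sample telemetry (not real logs): one WSUS-rooted chain, one benign chain.
SAMPLE_EVENTS = [
    ProcEvent(1001, 600, r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap WsusPool"),
    ProcEvent(1002, 1001, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -nop -c <redacted>"),
    ProcEvent(1003, 1002, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -nop -c <redacted>"),
    ProcEvent(2001, 700, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(2002, 2001, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell Get-Date"),
]

if __name__ == "__main__":
    for line in find_wsus_shell_chains(SAMPLE_EVENTS):
        print("ALERT", line)
```

The ancestor walk catches both the cmd process that carries the PowerShell invocation on its command line and the PowerShell child it spawns, while an identical command under explorer.exe produces no finding.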

Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions of Windows Server to properly mitigate CVE-2025-59287 as recommended by Microsoft. For users unable to immediately apply the update, Microsoft has provided mitigations, including disabling WSUS and blocking inbound traffic to ports 8530 and 8531.