October 24, 2025
Critical Microsoft WSUS Vulnerability Being Exploited In-The-Wild (CVE-2025-59287)
Executive Summary
On October 23rd, Microsoft issued an out-of-band security update to address a previously reported vulnerability identified as CVE-2025-59287. The vulnerability affects the Windows Server Update Services (WSUS) component and may allow unauthorized attackers to execute remote code on WSUS servers. If exploited, threat actors could use it to distribute malicious software to Windows systems that are configured to receive updates from the compromised WSUS server. The out-of-band update was likely a response to proof-of-concept (PoC) exploit code published by cyber security company HawkTrace, followed by reports of in-the-wild exploit attempts by threat actor groups observed by cyber security company Huntress.
WSUS is a component of Windows Server that lets IT administrators centralize the distribution of Microsoft product updates across an organization. WSUS is an older component, and Microsoft has indicated intent to deprecate the service in favor of a newer system called SCCM. It is important to note that SCCM itself leverages WSUS “under the hood” to distribute Windows updates. While it is neither standard nor default to deploy WSUS servers directly connected to the internet, some use cases may require it, and Beazley Security has identified several thousand internet-exposed WSUS instances using our telemetry.
Affected organizations should apply the software updates listed in the “Affected Systems or Products” section of this advisory as soon as possible, even if their WSUS servers are not publicly exposed. Beyond the active exploitation already targeting internet-facing WSUS servers, Beazley Security believes that cyber-criminal groups will leverage this vulnerability in the future to distribute ransomware to WSUS client machines.
Affected Systems or Products
CVE-2025-59287 affects Microsoft Windows Server with the WSUS role enabled. See the table below for the out-of-band build numbers corresponding to the fixed versions, and refer to the Mitigations / Workarounds section for guidance if patches cannot be applied immediately.
| Product | Fixed Version |
|---|---|
| Windows Server 2012 | 6.2.9200.25728 |
| Windows Server 2012 (Server Core installation) | 6.2.9200.25728 |
| Windows Server 2012 R2 | 6.3.9600.22826 |
| Windows Server 2012 R2 (Server Core installation) | 6.3.9600.22826 |
| Windows Server 2016 | 10.0.14393.8524 |
| Windows Server 2016 (Server Core installation) | 10.0.14393.8524 |
| Windows Server 2019 | 10.0.17763.7922 |
| Windows Server 2019 (Server Core installation) | 10.0.17763.7922 |
| Windows Server 2022 | 10.0.20348.4297 |
| Windows Server 2022 (Server Core installation) | 10.0.20348.4297 |
| Windows Server 2022, 23H2 Edition (Server Core installation) | 10.0.25398.1916 |
| Windows Server 2025 | 10.0.26100.6905 |
| Windows Server 2025 (Server Core installation) | 10.0.26100.6905 |
Mitigations / Workarounds
The official Microsoft-provided workarounds can be found in the advisory. They are essentially:
- Disable the WSUS Server Role on vulnerable Windows Server installations
- Block inbound network traffic to ports 8530 and 8531 on the host firewall
Both of these actions effectively disable the WSUS update service, blocking updates for client machines, so they should be applied only temporarily until updates can be installed on the WSUS server.
Patches
See the table above for the required fixed versions. Links for specific KB articles and software update locations can be found in the Microsoft advisory.
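As an added example (not code from this advisory or from Microsoft), the following PowerShell compares the host's installed build with the fixed versions in the table above, reports whether the WSUS role is present, and wraps the port-blocking workaround from the Mitigations / Workarounds section. The registry and kernel file-version lookups are assumptions about where Windows records the servicing revision.

```powershell
# Added example, not code from the Beazley advisory or from Microsoft: reports whether this
# host runs a build at or above the advisory's fixed versions, whether the WSUS role is
# present, and wraps the port-blocking workaround. Run in an elevated PowerShell session.
$FixedVersions = @{   # fixed versions from the advisory table, keyed by OS base build
    9200  = [version]'6.2.9200.25728'    # Windows Server 2012
    9600  = [version]'6.3.9600.22826'    # Windows Server 2012 R2
    14393 = [version]'10.0.14393.8524'   # Windows Server 2016
    17763 = [version]'10.0.17763.7922'   # Windows Server 2019
    20348 = [version]'10.0.20348.4297'   # Windows Server 2022
    25398 = [version]'10.0.25398.1916'   # Windows Server 2022, 23H2 Edition
    26100 = [version]'10.0.26100.6905'   # Windows Server 2025
}

function Get-InstalledOsVersion {
    $os = [System.Environment]::OSVersion.Version
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($null -ne $cv.UBR) {
        # Server 2016 and later record the update build revision (UBR) in the registry.
        return [version]"$($os.Major).$($os.Minor).$($os.Build).$($cv.UBR)"
    }
    # Assumption: Server 2012/2012 R2 lack a UBR value; use the kernel's file version instead.
    $fv = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
    return [version]"$($fv.FileMajorPart).$($fv.FileMinorPart).$($fv.FileBuildPart).$($fv.FilePrivatePart)"
}

function Test-Cve202559287Fixed {
    $installed = Get-InstalledOsVersion
    $fixed = $FixedVersions[$installed.Build]
    $patched = if ($null -eq $fixed) { $null } else { $installed -ge $fixed }  # $null: not in table
    [pscustomobject]@{
        Installed = $installed
        Fixed     = $fixed
        Patched   = $patched
        WsusRole  = (Get-WindowsFeature -Name UpdateServices).Installed
    }
}

function Block-WsusInbound {
    # Microsoft's interim workaround from the advisory: block the WSUS listener ports on the
    # host firewall. Remove the rule (Remove-NetFirewallRule -DisplayName ...) once patched.
    New-NetFirewallRule -DisplayName 'CVE-2025-59287 workaround: block WSUS inbound' `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block | Out-Null
}

$status = Test-Cve202559287Fixed
$status | Format-List
if ($status.WsusRole -and $status.Patched -eq $false) {
    Write-Warning 'WSUS role present on an unpatched build; run Block-WsusInbound until the update is applied.'
}
```

Block-WsusInbound is deliberately not called automatically, since the rule stops update delivery to every WSUS client until it is removed.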
Technical Details
The software bug at the root of CVE-2025-59287 is unsafe deserialization. When software systems exchange data across a network, they often need to translate objects in memory into a stream of bytes that can be sent over the wire; the receiving system then reverses that translation, turning the byte stream back into a data object it can use in memory. The first step is called serialization and the second deserialization.
Systems that use this process often have two weak points:
- Weak or compromised encryption keys used to encrypt the serialized objects
- Insufficient data sanitization before processing received objects
Both of these issues appear to be involved here, as the proof-of-concept exploit developed by HawkTrace references a hard-coded “hexKey” of “877C14E433638145AD21BD0C17393071” and a large base64 string that, when decoded, contains the following substrings:
- “calc”
- “System.DelegateSerializationHolder+DelegateEntry”
- “System.Diagnostics.Process Start(System.String, System.String)”
This appears to be a serialized object that passes the string ‘calc’ to code that starts processes. This is typical of proof-of-concept code written by security researchers: launching the built-in Windows calculator application is a common way to demonstrate code execution. Any arbitrary command could feasibly be used in place of ‘calc’ by a threat actor to run commands on a victim machine.
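As an added example (not code from this advisory or from HawkTrace), the following PowerShell scans text such as captured WSUS request bodies for base64 blobs whose decoded bytes contain the serialized-object markers quoted above. The input is a constructed sample, and the base64-run regex, the minimum run length and the plain-text storage of type names in the serialized stream are assumptions.

```powershell
# Added example, not from the advisory or the HawkTrace PoC: flags base64 blobs whose decoded
# bytes carry the serialized-object markers the advisory quotes. Intended for captured WSUS
# request bodies; the sample at the bottom is constructed, not a real capture.
$GadgetMarkers = @(
    'System.DelegateSerializationHolder+DelegateEntry',
    'System.Diagnostics.Process Start(System.String, System.String)'
)

function ConvertFrom-LooseBase64([string]$Run) {
    # Regex-extracted runs may lack padding or carry a partial trailing group; repair both.
    $s = $Run.TrimEnd('=')
    if ($s.Length % 4 -eq 1) { $s = $s.Substring(0, $s.Length - 1) }
    $s = $s.PadRight($s.Length + (4 - $s.Length % 4) % 4, '=')
    try { return [Convert]::FromBase64String($s) } catch { return $null }
}

function Find-SerializedGadgetMarker {
    param([Parameter(Mandatory)][string]$Text, [int]$MinLength = 200)
    # Assumption: .NET BinaryFormatter streams store type and method names as plain ASCII/UTF-8
    # text, so a byte-preserving Latin-1 decode is enough to search for them.
    $latin1 = [System.Text.Encoding]::GetEncoding('ISO-8859-1')
    foreach ($run in [regex]::Matches($Text, "[A-Za-z0-9+/]{$MinLength,}={0,2}")) {
        $bytes = ConvertFrom-LooseBase64 $run.Value
        if ($null -eq $bytes) { continue }
        $decoded = $latin1.GetString($bytes)
        $hits = @($GadgetMarkers | Where-Object { $decoded.Contains($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Offset = $run.Index; Length = $run.Length; Markers = $hits }
        }
    }
}

# Constructed sample: filler bytes around one of the advisory's markers, base64-encoded.
$sampleBytes = [System.Text.Encoding]::ASCII.GetBytes(
    ('A' * 150) + 'System.DelegateSerializationHolder+DelegateEntry' + ('B' * 150))
$sampleBody = 'constructed-request-body: ' + [Convert]::ToBase64String($sampleBytes)
Find-SerializedGadgetMarker -Text $sampleBody | Format-List
```

A hit on these markers in traffic to a WSUS server is a strong signal worth escalating, but a clean scan is not proof of absence: a payload encrypted or encoded differently would not be caught by this string search.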
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Exposure Management Platform to identify impacted devices and support organizations in remediation of any issues found.
We are also conducting threat hunts across our MDR environment to detect potential exploitation attempts against our clients.
If you believe your organization may have been impacted by this attack campaign and need support, please contact our Incident Response team.