CVE-2025-59287: Critical WSUS Vulnerability Exploited in the Wild

Posted October 30, 2025

In October 2025, Microsoft disclosed a critical remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS), which enables unauthenticated attackers to gain full control over affected servers. WSUS is a central patch management tool in Windows environments, responsible for approving, distributing, and monitoring updates across corporate networks. A compromised WSUS server is therefore a high-impact target: it can serve as a foothold for lateral movement or for tampering with the updates it distributes.

On October 23, 2025, Microsoft issued an out-of-band emergency patch after proof-of-concept exploits were published and active attacks were observed in the wild. The U.S. CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog shortly after, highlighting the urgency of immediate remediation.

What is CVE-2025-59287?

Risk Analysis

Severity: CRITICAL
CVSS v3.1 Base Score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Exploit available in public: Yes
Exploit complexity: Low

Not all Windows Servers are at risk. The vulnerability only affects servers where the WSUS Server Role is enabled. This role is not activated by default, which means organizations that have not deployed WSUS are safe. However, for businesses that rely on WSUS for patch management, the exposure is significant. The affected versions include Windows Server 2012, 2012 R2, 2016, 2019, 2022, and the newly released 2025 edition.

How the WSUS RCE Works

At the heart of CVE-2025-59287 is unsafe deserialization in WSUS. The vulnerability specifically affects the handling of AuthorizationCookie objects in WSUS web services, where data is deserialized using the insecure .NET BinaryFormatter without proper type validation.

How It Works

  1. WSUS receives a specially crafted SOAP request to endpoints like /ClientWebService/Client.asmx, calling the GetCookie method.
  2. The request contains an AuthorizationCookie, which includes a CookieData field that can carry a malicious payload.
  3. WSUS decrypts the cookie using a fixed AES key and passes the decrypted object to BinaryFormatter.Deserialize().
  4. Since no type validation is enforced, attackers can embed a malicious gadget chain in the serialized data. When deserialized, this executes arbitrary code with SYSTEM privileges.

Key point: This vulnerability is unauthenticated, meaning no credentials are required, and the exploit can be triggered remotely.

CVE-2025-59287 – Proof-of-Concept Overview

Security researchers released proof-of-concept code demonstrating the vulnerability:

  • Payload Generation: Attackers serialize a .NET gadget chain using tools like ysoserial.net.
  • Encryption: The serialized payload is AES-128-CBC encrypted to mimic WSUS cookie handling.
  • Delivery: The encrypted payload is included in the AuthorizationCookie field of a SOAP request to WSUS.

Simplified PoC flow:

Attacker → POST /ClientWebService/Client.asmx
→ AuthorizationCookie contains AES-encrypted gadget chain
WSUS → DecryptData() → BinaryFormatter.Deserialize()
→ Gadget executes → SYSTEM-level code execution

Observed attacks often spawn processes in chains such as:

wsusservice.exe → cmd.exe → cmd.exe → powershell.exe
w3wp.exe → cmd.exe → cmd.exe → powershell.exe

These child processes are then used for reconnaissance (commands such as whoami, net user /domain, and ipconfig /all) and sometimes for data exfiltration using Invoke-WebRequest or curl.exe.
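The process chains and reconnaissance commands listed above are a practical detection signal. The following Python snippet is an added example (not code from the original article or from Indusface) that walks a set of constructed Sysmon-style process-creation records, flags cmd.exe/powershell.exe processes whose ancestry leads back to wsusservice.exe or w3wp.exe through shells only, and notes which of the reconnaissance and exfiltration commands named above appear in the command line; the event records and field names are assumptions.

```python
import re

# Constructed sample of process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "wsusservice.exe", "cmdline": "wsusservice.exe"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe",         "cmdline": "cmd.exe /c cmd.exe /c powershell.exe"},
    {"pid": 102, "ppid": 101, "image": "cmd.exe",         "cmdline": "cmd.exe /c powershell.exe -nop -w hidden"},
    {"pid": 103, "ppid": 102, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c whoami; net user /domain"},
    {"pid": 200, "ppid": 1,   "image": "w3wp.exe",        "cmdline": "w3wp.exe -ap WsusPool"},
    {"pid": 201, "ppid": 200, "image": "cmd.exe",         "cmdline": "cmd.exe /c ipconfig /all"},
    {"pid": 300, "ppid": 1,   "image": "explorer.exe",    "cmdline": "explorer.exe"},
    {"pid": 301, "ppid": 300, "image": "powershell.exe",  "cmdline": "powershell.exe Get-Date"},
]

WSUS_ROOTS = {"wsusservice.exe", "w3wp.exe"}   # processes that host WSUS code
SHELLS = {"cmd.exe", "powershell.exe"}
# Reconnaissance / exfiltration commands reported in the observed attacks.
RECON = re.compile(r"\b(whoami|net user /domain|ipconfig /all|Invoke-WebRequest|curl\.exe)\b", re.I)

def build_index(events):
    return {e["pid"]: e for e in events}

def ancestry(index, pid):
    """Follow ppid links; return lower-cased image names from oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in index and pid not in seen:
        seen.add(pid)
        chain.append(index[pid]["image"].lower())
        pid = index[pid]["ppid"]
    return list(reversed(chain))

def find_wsus_shell_chains(events):
    """Flag shells whose chain back to the nearest WSUS process passes only through shells,
    i.e. the post-exploitation pattern wsusservice.exe/w3wp.exe -> cmd.exe -> ... -> powershell.exe."""
    index = build_index(events)
    findings = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(index, e["pid"])
        roots = [i for i, img in enumerate(chain) if img in WSUS_ROOTS]
        if not roots:
            continue                      # no WSUS process in the ancestry: benign for this rule
        tail = chain[roots[-1]:]          # from the nearest WSUS ancestor down to this process
        if all(img in SHELLS for img in tail[1:]):
            recon = sorted({m.group(0).lower() for m in RECON.finditer(e["cmdline"])})
            findings.append({"pid": e["pid"], "chain": " -> ".join(tail), "recon": recon})
    return findings

if __name__ == "__main__":
    for f in find_wsus_shell_chains(SAMPLE_EVENTS):
        print(f["pid"], f["chain"], f["recon"])
```

The same rule maps directly onto an EDR or SIEM query keyed on ParentImage/Image, which is how the "Monitoring & detection" recommendation later in this post would be put into practice.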

CVE-2025-59287 – Real-World Exploitation

After the initial proof-of-concept exploit was published by security researchers, threat actors quickly began scanning for publicly exposed WSUS servers on the default WSUS ports, TCP 8530 and 8531. Once they identify a vulnerable server, attackers can remotely execute commands, gather information about the internal network, and potentially exfiltrate sensitive data. Cybersecurity firms reported seeing malicious PowerShell commands executed as part of these attacks, often within hours of the vulnerability being disclosed.

Microsoft’s Recommendations and Interim Measures

The most effective way to protect WSUS servers is to apply Microsoft’s out-of-band security update immediately. The patch addresses the vulnerability by ensuring that WSUS safely handles the deserialized cookie data, closing the path attackers use to exploit it.

For organizations unable to apply the patch immediately, Microsoft suggests two temporary measures: disabling the WSUS Server Role entirely or blocking inbound traffic to TCP ports 8530 and 8531. While these steps reduce the risk of exploitation, they also limit the server’s ability to manage updates, so they should only be used as temporary measures until patching is completed.

This vulnerability reinforces critical security principles:

  • Timely patching: Delays significantly increase risk.
  • Network segmentation: Limiting server exposure prevents remote exploitation.
  • Monitoring & detection: Logging and EDR are crucial for identifying abnormal behavior quickly.

AppTrana WAAP Coverage for CVE‑2025‑59287 (WSUS RCE)

AppTrana WAAP provides default, out-of-the-box protection against exploitation attempts targeting CVE‑2025‑59287. Its AI-powered managed WAF automatically intercepts and blocks malicious requests aimed at vulnerable WSUS services, preventing unsafe deserialization and remote code execution.

This proactive defense ensures organizations are shielded from attacks immediately, even before Microsoft patches are applied, while maintaining business continuity and safeguarding critical systems without requiring any manual rule creation.

By combining prevention, detection, and mitigation, AppTrana ensures WSUS servers remain secure against exploitation from the outset.



Aayush Vishnoi

Security Engineer and Researcher with 4 years of hands-on experience in Information Security, specializing in Application Security and AI. At Indusface, I lead initiatives in building security automations, conducting advanced research, and developing innovative solutions to detect and mitigate vulnerabilities. Passionate about leveraging artificial intelligence to enhance security posture and streamline defensive capabilities.
