Full Report
A “prior update did not fully mitigate" a flaw in Windows Server Update Service, CISA said in an alert to federal agencies and businesses
Analysis Summary
# Vulnerability: WSUS Remote Code Execution Due to Incomplete Patch
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: 9.8 (Critical)
- CWE: Not explicitly stated, but context implies Improper Input Validation or Remote Code Execution vulnerability mitigated by a patch failure.
## Affected Systems
- Products: Windows Server Update Service (WSUS) running on Windows Server
- Versions: Windows Server 2012, 2016, 2019, 2022, and 2025
- Configurations: Any system running a vulnerable version of WSUS where a previous mitigating update was applied but failed to fully resolve the issue.
## Vulnerability Description
This vulnerability exists in the Windows Server Update Service (WSUS). A previously released security update failed to fully mitigate the flaw. Successful exploitation allows an unauthenticated actor to achieve **Remote Code Execution (RCE) with system privileges** on the affected server. The flaw relates to how WSUS handles updates/files distributed across the file system, potentially allowing an attacker to bypass endpoint detection and response (EDR) exclusions targeting the WSUS service.
## Exploitation
- Status: **Exploited in the wild**
- Complexity: Low (Achievable by an unauthenticated actor)
- Attack Vector: Network (Requires an exposed WSUS instance)
## Impact
- Confidentiality: High (System privileges grant access to service data)
- Integrity: High (System privileges allow modification/destruction of data)
- Availability: High (System privileges allow for full system compromise)
## Remediation
### Patches
- Apply Microsoft’s **out-of-band patch** (Refer to Microsoft Guidance for CVE-2025-59287).
- Organizations must re-apply or ensure the newly re-released patch for CVE-2025-59287 is installed.
### Workarounds
- **Block inbound traffic** to certain ports associated with WSUS immediately if the update cannot be applied instantly.
- Security experts strongly advise that **WSUS should not be accessible from the Internet**. Organizations with exposed instances need immediate investigation.
- Identify vulnerable servers, apply the update, and **reboot the servers**.
## Detection
- Indicators of Compromise: Look for unusual process creation or file modifications originating from the WSUS service, especially after endpoint detection and response (EDR) exclusions for WSUS were bypassed.
- Detection methods and tools: Monitor network traffic to WSUS endpoints for indicators of exploitation attempts. Incident response teams tracking exploitation should check affected customer environments immediately.
## References
- Vendor Advisories: https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2025-59287
- CISA Alert: https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve
- CISA Binding Operational Directive Inclusion: https://www.cisa.gov/news-events/alerts/2025/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
- Huntress Analysis: https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability