Full Report
Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code. [...]
Analysis Summary
# Vulnerability: Critical Remote Code Execution in Windows Server WSUS
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Critical (Specific score not provided, but context implies high severity)
- CWE: Suspected Deserialization Vulnerability (Based on exploitation description)
## Affected Systems
- Products: Windows Server (All versions that support the WSUS Server role)
- Versions: Windows Server 2025, Windows Server, version 23H2, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
- Configurations: Systems with the Windows Server Update Service (WSUS) Server role enabled specifically to act as an update source for other WSUS servers within the organization.
## Vulnerability Description
CVE-2025-59287 is a critical Remote Code Execution (RCE) vulnerability within the Windows Server Update Service (WSUS) role. Successful exploitation allows an attacker to run arbitrary malicious code with **SYSTEM privileges** on the affected server. The flaw is characterized by low complexity, requires no user interaction, and does not require prior authentication, making it highly dangerous. Due to the nature of the vulnerability and the potential for wormable activity between connected WSUS servers, immediate patching is crucial.
## Exploitation
- Status: **Exploited in the wild** (Confirmed by NCSC-NL and Eye Security)
- Complexity: **Low**
- Attack Vector: **Network** (Remote, unauthenticated)
## Impact
- Confidentiality: High (SYSTEM privileges grant access to all data)
- Integrity: High (SYSTEM privileges allow arbitrary modification/destruction)
- Availability: High (SYSTEM privileges allow service disruption or system compromise)
## Remediation
### Patches
Microsoft released out-of-band security updates for all impacted Windows Server versions:
- Windows Server 2025: KB5070881
- Windows Server, version 23H2: KB5070879
- Windows Server 2022: KB5070884
- Windows Server 2019: KB5070883
- Windows Server 2016: KB5070882
- Windows Server 2012 R2: KB5070886
- Windows Server 2012: KB5070887
### Workarounds
- Disable the WSUS Server role on vulnerable systems to remove the primary attack vector.
## Detection
- Indicators of compromise: Anomalous process execution under the SYSTEM account originating from the WSUS service process. Active exploitation involves network connections to the WSUS endpoint that facilitate control code execution.
- Detection methods and tools: Monitor network connections to the WSUS port (usually 8530/8531) for suspicious external or unauthorized internal traffic patterns. Analyze system logs for unexpected code execution or privilege escalation associated with WSUS services.
## References
- Vendor Advisory (General): msrc dot microsoft dot com/update-guide/vulnerability/CVE-2025-59287
- Patch Information (Example for 2022): support dot microsoft dot com/help/KB5070884
- Eye Security Report: research dot eye dot security/wsus-deserialization-exploit-in-the-wild-cve-2025-59287/
- PoC Release: hawktrace dot com/blog/CVE-2025-59287
- NCSC-NL Advisory: advisories dot ncsc dot nl/2025/ncsc-2025-0310.html