Analysis

Microsoft has issued an urgent out-of-band security update for CVE-2025-59287, a critical remote code execution (RCE) vulnerability in Windows Server Update Service (WSUS) with a CVSS score of 9.8. This re-release follows an insufficient initial patch and comes amidst confirmed active exploitation in the wild, with a public proof-of-concept (PoC) exploit available. The flaw allows unauthenticated attackers to execute code with SYSTEM privileges on affected servers. The vulnerability stems from unsafe deserialization of untrusted data, specifically AuthorizationCookie objects, a method Microsoft previously advised against using due to security risks. This critical flaw impacts various Windows Server versions, including 2012, 2016, 2019, 2022, and 2025, specifically those with the WSUS Server Role enabled. Microsoft has provided workarounds, such as disabling the WSUS role or blocking specific ports, but emphasizes applying the patch. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) catalog, mandating remediation for federal agencies by November 14, 2025. This regulatory action, coupled with observed in-the-wild exploitation by entities like Eye Security, underscores the severe and immediate threat posed by this vulnerability, necessitating prompt patching across all affected organizations.