
Microsoft has released an emergency out-of-band patch to fix CVE-2025-59287, a 9.8 CVSS RCE flaw in Windows Server Update Services (WSUS) that CISA confirms is being actively exploited.
Microsoft issued an emergency out-of-band security patch on October 23, 2025, to address a critical vulnerability in Windows Server Update Services (WSUS) that is already being actively exploited by attackers.
The vulnerability, tracked as CVE-2025-59287, carries a CVSS score of 9.8 out of 10. It allows unauthenticated Remote Code Execution (RCE) through insecure deserialization of untrusted data in WSUS. A successful exploit grants an attacker SYSTEM-level privileges on the compromised server.
On Thursday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed the flaw was being exploited in the wild and added it to its Known Exploited Vulnerabilities (KEV) catalog.

Security researchers from multiple firms, including Huntress and Eye Security, have detected active exploitation attempts beginning around 23:34 UTC on October 23.
Huntress observed threat actors targeting WSUS instances publicly exposed on ports 8530 and 8531. The attackers executed PowerShell commands to conduct internal Windows domain reconnaissance. They successfully gathered sensitive information—including logged-in usernames, domain user accounts, and network configurations—before exfiltrating the data to a remote webhook.
Dutch cybersecurity firm Eye Security reported witnessing an exploit at 06:55 UTC on October 24. Attackers deployed a Base64-encoded .NET payload that used an ‘aaaa’ request header to execute commands, a technique likely used to avoid detection in server logs. The Dutch National Cyber Security Centre (NCSC) confirmed these findings.
Arctic Wolf also detected a broader threat campaign targeting WSUS servers, observing malicious PowerShell scripts being executed via the IIS worker process to run network reconnaissance commands. The firm noted that while exploitation is occurring, it remains limited because WSUS servers are not typically exposed to the public internet.
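The process lineage described above (PowerShell started by the IIS worker process) can be triaged from process-creation telemetry. The following Python sketch is an added example, not code from the article or from any of the vendors named; the Sysmon Event ID 1 field names, the `WsusPool` application pool name, and all sample events are assumptions constructed for illustration.

```python
import ntpath

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
WSUS_POOL = "wsuspool"  # assumption: WSUS runs in the IIS app pool "WsusPool"
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed records using Sysmon Event ID 1 field names; not real telemetry.
SAMPLE_EVENTS = [
    {"UtcTime": "2025-10-24 06:55:12", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "WsusPool" -v "v4.0"',
     "Image": PS, "CommandLine": "powershell.exe -NoProfile -Command <constructed>"},
    {"UtcTime": "2025-10-24 07:10:40", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "DefaultAppPool" -v "v4.0"',
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c ver"},
    {"UtcTime": "2025-10-24 07:15:03", "ParentImage": r"C:\Windows\explorer.exe",
     "ParentCommandLine": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": "powershell.exe"},
    {"UtcTime": "2025-10-24 07:20:00", "ParentImage": W3WP,
     "ParentCommandLine": W3WP + ' -ap "WsusPool" -v "v4.0"',
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},
]


def triage(events):
    """Return one finding per shell process started by an IIS worker (w3wp.exe)."""
    findings = []
    for e in events:
        parent = ntpath.basename(e.get("ParentImage", "")).lower()
        child = ntpath.basename(e.get("Image", "")).lower()
        # Only a shell launched directly by the IIS worker is of interest here.
        if parent != "w3wp.exe" or child not in SHELLS:
            continue
        # A shell under the WSUS pool matches the reported activity most closely.
        in_wsus_pool = WSUS_POOL in e.get("ParentCommandLine", "").lower()
        findings.append({
            "severity": "high" if in_wsus_pool else "medium",
            "time": e.get("UtcTime"), "child": child,
            "command": e.get("CommandLine", ""),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The ASP.NET compiler (`csc.exe`) under `w3wp.exe` and an interactively launched PowerShell are deliberately included as events that should not alert.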
CISA has given federal agencies until November 14, 2025, to apply the patch, citing its “Binding Operational Directive.” The agency strongly urges all organizations to follow Microsoft’s guidance immediately.
Microsoft had initially addressed CVE-2025-59287 in its October Patch Tuesday release. However, the company determined that the original fix was incomplete, necessitating this new emergency out-of-band update. The vulnerability only affects Windows Servers that have the WSUS role enabled, which is not activated by default.
For organizations that cannot immediately deploy the patch, Microsoft recommends two workarounds:
Microsoft emphasized that administrators should “not revoke either of these two workarounds until the update has been installed.”