Critical Vulnerability in Microsoft’s WSUS Poses Global Threat
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent advisory regarding the active exploitation of a severe remote code execution (RCE) vulnerability within Microsoft’s Windows Server Update Services (WSUS).
Tracked as CVE-2025-59287, the flaw carries a CVSS score of 9.8. It lets an unauthenticated attacker who can reach the WSUS service over the network execute arbitrary code with SYSTEM privileges, putting the entire patch-distribution chain that depends on that server at risk.
The bug stems from unsafe deserialization of untrusted data in WSUS. Microsoft first addressed it in the October Patch Tuesday release (October 14, 2025), but that fix did not fully close the hole, and an out-of-band update followed on October 23, 2025 to remediate it completely.
The situation escalated quickly: security firms report in-the-wild exploitation beginning October 24, 2025. Dutch firm Eye Security observed exploitation attempts at 06:55 a.m. UTC that day, involving a Base64-encoded .NET payload that read the command to run from a custom request header named 'aaaa', apparently to keep the command out of standard request logging, followed by reconnaissance of the compromised WSUS host.
A proof-of-concept (PoC) exploit published only days earlier by researcher Batuhan Er of HawkTrace lowered the bar for attackers; because the WSUS service runs as SYSTEM, a successful exploit yields full control of the server.
CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog, which requires federal agencies to patch by November 14, 2025. The attack is low-complexity and needs neither user interaction nor authentication.
Organizations that rely on WSUS for centralized patch management are exposed on two fronts: the server itself is compromised, and an attacker who controls a WSUS server is positioned to push malicious updates to every client that trusts it.
Systems Affected:
| Affected Version | Patch KB Number | Notes |
|---|---|---|
| Windows Server 2012 | KB5070887 | Standard and Server Core |
| Windows Server 2012 R2 | KB5070886 | Standard and Server Core |
| Windows Server 2016 | KB5070882 | Standard and Server Core |
| Windows Server 2019 | KB5070883 | Standard and Server Core |
| Windows Server 2022 | KB5070884 | Standard and Server Core |
| Windows Server 2022, 23H2 Edition | KB5070879 | Server Core installation |
| Windows Server 2025 | KB5070881 | Standard and Server Core |
The root cause is a legacy serialization path in the GetCookie() endpoint. The encrypted AuthorizationCookie it receives is decrypted with AES-128-CBC and the resulting plaintext is handed to BinaryFormatter for deserialization without any restriction on the types it may instantiate. An attacker who can reach the endpoint therefore controls what gets deserialized, and BinaryFormatter deserialization of attacker-controlled data is sufficient for code execution as the service account.
Microsoft's advisory credits Markus Wulftange of CODE WHITE GmbH and the researchers known as MEOW and f7d8c52bec79e42795cf15888b85cbad with discovering the issue.
Microsoft notes that servers without the WSUS Server Role enabled are not affected. Servers with the role are at risk, and most acutely so when the WSUS ports, 8530 (HTTP) and 8531 (HTTPS), are reachable from the internet.
Early indicators suggest attackers are adapting the public PoC to drop malware, with the WSUS server serving as a foothold for lateral movement inside enterprise networks.
Mitigations
CISA and Microsoft recommend immediate action. First, identify vulnerable servers by checking which hosts have the WSUS role installed and whether ports 8530/8531 on those hosts are exposed.
Second, install the October 23 out-of-band update and reboot; the fix is not effective until the restart completes. Until then the server remains exposed to unauthenticated RCE.

Organizations that cannot patch immediately have two interim options from the advisory: disable the WSUS Server Role, or block inbound traffic to ports 8530 and 8531 on the host firewall. Both stop clients from receiving updates through that server, and neither should be reverted until the update has been installed and the server rebooted.
Beyond the WSUS hosts themselves, the remaining Windows Servers should also be updated and rebooted after installation. Monitoring for anomalous WSUS traffic is advisable as well, in particular GetCookie() requests from unexpected sources or with unusual characteristics, and requests carrying large Base64 payloads.
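The triage and interim-mitigation steps above, collected into one script. This is an added example, not Microsoft or CISA tooling, and the script name and its switches are hypothetical. It assumes Windows Server 2012 R2 or later with PowerShell 5.1, elevated rights, and the ServerManager, NetTCPIP and NetSecurity modules, and it uses the KB numbers from the "Systems Affected" table to decide whether the out-of-band update is present.

```powershell
#Requires -RunAsAdministrator
# Hypothetical triage helper for CVE-2025-59287 (added example, not Microsoft/CISA tooling).
# Reports WSUS role, out-of-band patch state, pending reboot and 8530/8531 listeners, and
# applies the advisory's interim mitigations only when asked and only while still vulnerable.
param(
    [switch]$BlockPorts,    # interim mitigation: host-firewall block on inbound 8530/8531
    [switch]$DisableRole    # interim mitigation: remove the WSUS server role
)

# Out-of-band update KBs from the "Systems Affected" table (one per OS build).
$OobKbs    = 'KB5070887','KB5070886','KB5070882','KB5070883','KB5070884','KB5070879','KB5070881'
$WsusPorts = 8530, 8531

# 1. Is the WSUS role present? Servers without it are not affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role not installed: host is not affected by CVE-2025-59287.'
    return
}

# 2. Is one of the table's updates installed?
$installed = Get-HotFix -Id $OobKbs -ErrorAction SilentlyContinue
$patched   = [bool]$installed
$patchText = if ($patched) { $installed.HotFixID -join ',' } else { 'MISSING' }

# 3. A pending reboot means the installed fix is not yet effective.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

# 4. Are the WSUS ports listening, and on which addresses? A 0.0.0.0 or :: listener is only
#    internet-exposed if the perimeter forwards it; confirm that on the edge device separately.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }

[pscustomobject]@{
    Host          = $env:COMPUTERNAME
    WsusRole      = $role.Installed
    OobPatch      = $patchText
    RebootPending = $rebootPending
    Listeners     = ($listeners -join ' ')
} | Format-List

if ($patched -and -not $rebootPending) { return }   # fully remediated, nothing more to do

# 5. Interim mitigations from the advisory, applied only while the host is still vulnerable.
if ($BlockPorts) {
    New-NetFirewallRule -DisplayName 'CVE-2025-59287 block WSUS 8530/8531' -Direction Inbound `
        -Protocol TCP -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Warning 'Inbound 8530/8531 blocked on the host firewall. Remove the rule only after the update is installed and the server rebooted.'
}
if ($DisableRole) {
    Uninstall-WindowsFeature -Name UpdateServices | Out-Null
    Write-Warning 'WSUS role removed; clients will not receive updates from this host until the role is reinstalled on a patched server.'
}
```

Run it with no switches first to get the report for each candidate host; pass -BlockPorts or -DisableRole only on hosts the report shows as unpatched. The listener check is a local view only: a server listening on all interfaces is still not internet-exposed unless a perimeter firewall or NAT rule forwards 8530/8531 to it, so that part of the exposure assessment has to be done at the edge.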
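One way to act on the monitoring advice above: a pass over the WSUS site's IIS W3C log that flags ClientWebService requests from sources outside the expected client ranges, with a non-Windows-Update-Agent user agent, or with an oversized request body. This is an added example, not the article's or any vendor's detection content. It assumes the site logs the default W3C fields plus the optional cs-bytes field, that legitimate clients come only from the RFC 1918 ranges and identify as Windows-Update-Agent, and a 64 KiB body threshold; all three are assumptions to tune per environment. The log lines are constructed to illustrate the logic, not captured traffic.

```powershell
# Added detection example (hypothetical, not from the article or any vendor): triage a WSUS
# IIS W3C log for anomalous ClientWebService requests such as abnormal GetCookie() calls.
$ExpectedClientCidrs   = '10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'   # assumption: RFC 1918 clients only
$MaxNormalRequestBytes = 65536                                               # assumption: legit SOAP calls are small

function ConvertTo-IPv4UInt32([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)                       # network order -> host order for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-IPv4InCidr([string]$Ip, [string]$Cidr) {
    if ($Ip -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }   # non-IPv4 sources count as unexpected
    $net, $bits = $Cidr -split '/'
    $mask = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))   # avoids signed-shift pitfalls
    ((ConvertTo-IPv4UInt32 $Ip) -band $mask) -eq ((ConvertTo-IPv4UInt32 $net) -band $mask)
}

function Find-SuspiciousWsusRequest {
    # Takes raw W3C log lines; emits one object per request that trips at least one heuristic.
    param([string[]]$Lines)
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }          # skip truncated lines
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        if ($rec['cs-uri-stem'] -notlike '/ClientWebService/*') { continue }   # GetCookie lives here

        $reasons = @()
        $inRange = $false
        foreach ($cidr in $ExpectedClientCidrs) { if (Test-IPv4InCidr $rec['c-ip'] $cidr) { $inRange = $true } }
        if (-not $inRange) { $reasons += 'source outside expected client ranges' }
        if ($rec['cs(User-Agent)'] -notlike 'Windows-Update-Agent*') { $reasons += 'non-Windows-Update-Agent user agent' }
        if ($rec.ContainsKey('cs-bytes') -and [int64]$rec['cs-bytes'] -gt $MaxNormalRequestBytes) {
            $reasons += 'oversized request body'                 # a serialized payload inflates the SOAP call
        }
        if ($reasons) {
            [pscustomobject]@{
                Time    = "$($rec['date']) $($rec['time'])"
                Source  = $rec['c-ip']
                Target  = "$($rec['cs-uri-stem']):$($rec['s-port'])"
                Status  = $rec['sc-status']
                Reasons = $reasons -join '; '
            }
        }
    }
}

# Constructed sample log (not captured traffic). IIS writes '+' in place of spaces inside a field.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs-bytes sc-status time-taken
2025-10-24 06:40:02 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.1.23 Windows-Update-Agent/10.0.10011.16384+Client-Core 1904 200 31
2025-10-24 06:55:10 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.77 Mozilla/5.0 148213 200 812
2025-10-24 06:56:41 10.0.0.5 GET /selfupdate/wuident.cab - 8530 - 10.0.2.9 Windows-Update-Agent/10.0.10011.16384+Client-Core 0 200 4
'@ -split "`r?`n"

Find-SuspiciousWsusRequest -Lines $SampleLog | Format-Table -AutoSize
```

On the sample, only the second request is flagged, on all three heuristics. Against real logs, replace $SampleLog with Get-Content on the WSUS site's log directory under inetpub\logs\LogFiles. Keep in mind what the IIS log does not contain: request bodies and custom headers such as the 'aaaa' header described above are not logged by default, so this check sees the shape of the request (source, agent, size), not its content; it is a triage filter, not proof of exploitation.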
Experts caution that an unpatched WSUS server is an attractive initial-access point for advanced persistent threats, and that the damage is compounded in hybrid environments where the server's trust extends into cloud-joined systems.
Source link: Cybersecuritynews.com.