Microsoft on Thursday released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with a proof-of-concept (Poc) exploit publicly available and has come under active exploitation in the wild.
The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week.
Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug.
The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network. It's worth noting that the vulnerability does not impact Windows servers that do not have the WSUS Server Role enabled.
In a hypothetical attack scenario, a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a "legacy serialization mechanism," leading to remote code execution.
According to HawkTrace security researcher Batuhan Er, the issue "arises from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized through BinaryFormatter without proper type validation, enabling remote code execution with SYSTEM privileges."
It's worth noting that Microsoft itself previously recommended developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input. An implementation of BinaryFormatter was subsequently removed from .NET 9 in August 2024.
 |
| .NET executable deployed via CVE‑2025‑59287 |
"To comprehensively address CVE-2025-59287, Microsoft has released an out of band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025," Redmond said in an update.
Once the patch is installed, it's advised to perform a system reboot for the update to take effect. If applying the out-of-band is not an option, users can take any of the following actions to protect against the flaw -
- Disable WSUS Server Role in the server (if enabled)
- Block inbound traffic to Ports 8530 and 8531 on the host firewall
"Do NOT undo either of these workarounds until after you have installed the update," Microsoft warned.
The development comes as the Dutch National Cyber Security Centre (NCSC) said it learned from a "trusted partner that abuse of CVE-2025-59287 was observed on October 24, 2025."
Eye Security, which notified NCSC-NL of the in-the-wild exploitation, said it first observed the vulnerability being abused at 06:55 a.m. UTC to drop a Base64-encoded payload targeting an unnamed customer. The payload, a .NET executable, "takes the value 'aaaa' request header and runs it directly using cmd.exe."
"This is the payload that is being sent to servers, which uses the request header with the name 'aaaa' as a source for the command that is to be executed," Piet Kerkhofs, CTO of Eye Security, told The Hacker News. "This avoids commands appearing directly in the log."
Asked if the exploitation could have occurred earlier than today, Kerkhofs pointed out that the "PoC by HawkTrace was released two days ago, and it can use a standard ysoserial .NET payload, so yes, the pieces for exploitation were there."
When reached for comment, a Microsoft spokesperson told the publication that "We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected.
The company also emphasized that the issue does not affect servers that don't have WSUS Server Role enabled and has recommended impacted customers to follow the guidance on its CVE page.
Given the availability of a PoC exploit and detected exploitation activity, it's essential that users apply the patch as soon as possible to mitigate the threat. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to remediate it by November 14, 2025.
(The story was updated after publication with additional insights from Eye Security and a response from Microsoft.)
