Microsoft Windows Server Update Services (WSUS), deserialization RCE
Deserialization of untrusted data in Windows Server Update Services (WSUS) allows an unauthenticated remote attacker to execute code as SYSTEM with no user interaction. An attacker sends a crafted event to a WSUS server that triggers unsafe object deserialization on servers with the WSUS Server Role enabled. The flaw was mass-exploited within hours of Microsoft's out-of-band patch.
Overview
CVE-2025-59287 is a critical, unauthenticated remote code execution vulnerability in Windows Server Update Services (WSUS). An attacker can send a crafted event to an exposed WSUS server and trigger unsafe deserialization, executing code as SYSTEM with no authentication and no user interaction. Because WSUS is the trusted distribution point for Windows updates inside an organization, compromise is especially dangerous. Microsoft shipped an emergency out-of-band update on October 23, 2025 after the original Patch Tuesday fix proved incomplete, and mass exploitation began within hours.
Technical Details
The vulnerability lies in how the WSUS service deserializes attacker-controlled objects received over its reporting/event channel (default ports 8530/8531). Insufficient validation allows a malicious serialized payload to instantiate dangerous .NET gadget chains, yielding command execution in the WSUS service context (SYSTEM). Only servers with the WSUS Server Role enabled are affected; the role is not installed by default, but is common on management and patching infrastructure.
Impact
- Unauthenticated SYSTEM-level RCE on the patch-management server.
- Supply-chain leverage inside the org: control of WSUS can influence which updates clients receive.
- Broad blast radius: WSUS typically has network reach to most managed endpoints and servers.
- Confirmed in-the-wild exploitation drove the CISA KEV listing and an out-of-band advisory.
Mitigation
- Install the October 23, 2025 out-of-band update for your Windows Server build (e.g. 2025: 10.0.26100.6905, 2022: 10.0.20348.4297, 2019: 10.0.17763.7922), then reboot; the fix is not fully applied until restart.
- Temporary workaround if you cannot patch: disable the WSUS Server Role, or block inbound traffic to ports 8530/8531 at the host firewall (clients will not receive updates while blocked).
- Do not expose WSUS to the internet; restrict it to the management network.
- Hunt for post-exploitation activity on WSUS servers patched late.
Detection
- Inspect w3wp.exe (WSUS app pool) for spawning cmd.exe/powershell.exe child processes.
- Review WSUS and IIS logs for anomalous requests to the reporting web service.
- Correlate with CISA KEV (added October 24, 2025) indicators and any unexpected processes running as SYSTEM.
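A triage script for the mitigation and detection checks above, added here as an example and not part of the advisory. It assumes an elevated PowerShell session on the WSUS host, process-creation auditing (Security event 4688) enabled, and treats the advisory's build numbers as the minimum safe revisions.

```powershell
# Added triage script, not from the advisory. Assumptions: run elevated on the WSUS host,
# process-creation auditing (Security event 4688) is enabled, and the advisory's build
# numbers (26100.6905, 20348.4297, 17763.7922) are the minimum safe revisions.

# Minimum patched revision (UBR) per OS build, taken from the advisory's mitigation list.
$MinimumUbr = @{ 26100 = 6905; 20348 = 4297; 17763 = 7922 }

function Test-WsusRoleInstalled {
    # Only hosts with the WSUS Server Role (feature name 'UpdateServices') are affected.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Test-WsusPatched {
    # Compare the running build/UBR with the out-of-band update's build for this SKU.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = [int]$cv.CurrentBuildNumber
    if (-not $MinimumUbr.ContainsKey($build)) {
        Write-Warning "Build $build is not in the advisory's table; check Microsoft's list for your SKU."
        return $null
    }
    return ([int]$cv.UBR -ge $MinimumUbr[$build])
}

function Find-WsusSuspiciousChildren {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # Process creations whose parent is the IIS worker process (w3wp.exe, WSUS app pool)
    # and whose child is cmd.exe or powershell.exe: the post-exploitation pattern to hunt for.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $child  = ($data | Where-Object { $_.Name -eq 'NewProcessName' }).'#text'
        $parent = ($data | Where-Object { $_.Name -eq 'ParentProcessName' }).'#text'
        if ($parent -like '*\w3wp.exe' -and $child -match '\\(cmd|powershell)\.exe$') {
            [pscustomobject]@{ Time = $_.TimeCreated; Parent = $parent; Child = $child }
        }
    }
}

function Block-WsusInbound {
    # Temporary workaround from the advisory when patching is not yet possible; note that
    # clients stop receiving updates while this rule is in place.
    New-NetFirewallRule -DisplayName 'CVE-2025-59287 workaround: block WSUS 8530/8531' `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block | Out-Null
}

"WSUS role installed        : $(Test-WsusRoleInstalled)"
"Patched for CVE-2025-59287 : $(Test-WsusPatched)"
Find-WsusSuspiciousChildren | Format-Table -AutoSize
```

Block-WsusInbound is defined but not invoked; call it only as the advisory's stop-gap and remove the rule once the host is patched and rebooted.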