A critical vulnerability identified as CVE-2025-59287 in Microsoft Windows Server Update Services allows unauthenticated remote code execution through unsafe deserialization in the service’s cookie-handling function. Attackers can exploit the flaw to execute arbitrary code with SYSTEM privileges on unpatched servers, effectively taking full control of the affected systems. Exploitation began shortly after proof-of-concept code appeared online, with attackers scanning for exposed WSUS instances running on the default HTTP and HTTPS ports. The flaw affects servers used to distribute Windows updates, making it particularly dangerous in enterprise environments where WSUS is integrated with Active Directory and core infrastructure components.

Microsoft initially addressed the issue in its October 2025 Patch Tuesday release but later confirmed that the fix was incomplete, prompting an emergency out-of-band patch a few weeks later. Systems that have not yet applied the revised update remain at high risk of compromise. Administrators are urged to disable public access to WSUS services, restrict network exposure, and apply the latest patches immediately. The incident underscores the critical importance of securing management and update distribution platforms, which, if exploited, can provide attackers with privileged access across entire Windows environments.

‍

Source: https://securityaffairs.com/183830/security/cve-2025-59287-microsoft-fixes-critical-wsus-flaw-under-active-attack.html