CVE-2025-59287: Unauthenticated RCE in Windows Server Update Services

A critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is under active exploitation. The flaw, caused by unsafe deserialisation of untrusted data, allows a remote, unauthenticated attacker to gain full NT AUTHORITY\SYSTEM privileges on an affected server. A compromised WSUS server can then be used to push malicious packages disguised as legitimate Microsoft security updates to every client it manages. Worth noting: servers are only vulnerable if the WSUS role is explicitly enabled.

Threat alert
October 27, 2025

The root cause of CVE-2025-59287 is a classic deserialisation of untrusted data vulnerability. The flaw exists in the WSUS reporting web service at the /ClientWebService/Client.asmx endpoint.

This service insecurely uses the deprecated .NET BinaryFormatter to process client-supplied data. An attacker can send a SOAP request containing a malicious AuthorizationCookie. The server decrypts this cookie and passes the untrusted byte stream directly to BinaryFormatter without any validation, leading to remote code execution.

Exploit Chain

The public proof-of-concept (PoC) simplifies a complex attack into a straightforward, three-step process:

  1. Payload Generation: The attacker uses a tool like ysoserial.net to create a "gadget chain." This is a serialised object payload designed to execute a command when deserialised by the target.
  2. Payload Encryption: The raw payload is encrypted. The WSUS server uses a weak implementation of AES-128-CBC: a hardcoded encryption key and a null (all-zero) initialization vector (IV). Both the key and IV are publicly known, so any attacker can encrypt a malicious payload that the server will accept.
  3. Malicious SOAP Request: The final encrypted, Base64-encoded payload is embedded in the <CookieData> element of an XML SOAP request. This is sent via HTTP POST to the vulnerable endpoint, triggering the deserialisation and executing the attacker's command with NT AUTHORITY\SYSTEM privileges.

Tactics and Techniques

  • Initial Access (T1190): Attackers target internet-exposed WSUS instances, sending the exploit to .asmx web service endpoints on default ports TCP/8530 and TCP/8531.
  • Execution (T1059.003): Successful exploits spawn cmd.exe as a child process of either the IIS worker process (w3wp.exe) or the main WSUS service (wsusservice.exe).
  • Execution (T1059.001): cmd.exe is then used to launch powershell.exe for more complex scripts. A commonly observed process chain is wsusservice.exe → cmd.exe → cmd.exe → powershell.exe.
  • Defence Evasion (T1027): Attackers use powershell.exe -EncodedCommand (or -ec) to pass Base64-encoded payloads, which hides the script body from simple command-line keyword matching.
  • Discovery (LOLBins): "Living-off-the-land" binaries are used to map the environment. The most common commands are whoami, net user /domain, and ipconfig /all.
  • Exfiltration: The collected data is sent to an attacker-controlled endpoint. This is typically done by a PowerShell (Invoke-WebRequest) or curl.exe command to a public webhook URL. This exfiltration blends in with normal HTTP/HTTPS traffic.
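As an added example, not part of this alert, the following PowerShell hunt looks for the process chain and encoded-command pattern described above. It works on Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId, ParentProcessId); the five sample records at the bottom are constructed for the demonstration, and the Get-SysmonProcessEvents helper, which pulls the same fields from a live server, assumes Sysmon is installed and logging to its default channel.

```powershell
# Added example (not from the advisory): hunt for WSUS post-exploitation process chains.
# Parents named in the alert, and the LOLBins it lists as common discovery/exfil tools.
$WsusParents = @('wsusservice.exe', 'w3wp.exe')
$Lolbins     = @('whoami.exe', 'net.exe', 'net1.exe', 'ipconfig.exe', 'curl.exe')

function Get-DecodedCommand {
    # Returns the decoded script for -EncodedCommand / -enc / -ec (Base64 of UTF-16LE), else $null.
    param([string]$CommandLine)
    if ($CommandLine -match '(?i)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return '<undecodable>' }
    }
    return $null
}

function Find-WsusExploitChain {
    # $Events: objects with UtcTime, ProcessId, ParentProcessId, Image, ParentImage, CommandLine.
    param([object[]]$Events)
    $tainted  = @{}   # ProcessId -> chain string, for every process descending from a WSUS parent
    $findings = @()
    foreach ($e in ($Events | Sort-Object UtcTime)) {
        $img    = [IO.Path]::GetFileName($e.Image).ToLower()
        $parent = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $chain  = $null
        if (($WsusParents -contains $parent) -and ($img -eq 'cmd.exe')) {
            $chain = "$parent -> $img"                              # first hop out of WSUS/IIS
        } elseif ($tainted.ContainsKey($e.ParentProcessId)) {
            $chain = "$($tainted[$e.ParentProcessId]) -> $img"      # any descendant of that hop
        }
        if (-not $chain) { continue }
        $tainted[$e.ProcessId] = $chain
        $decoded = Get-DecodedCommand $e.CommandLine
        $isLolbin = $Lolbins -contains $img
        $sev = if ($decoded -or $isLolbin) { 'High' } else { 'Medium' }
        $findings += [pscustomobject]@{
            Time = $e.UtcTime; Severity = $sev; Chain = $chain
            CommandLine = $e.CommandLine; Decoded = $decoded; Lolbin = $isLolbin
        }
    }
    return $findings
}

function Get-SysmonProcessEvents {
    # Live collection: Sysmon Event ID 1 (process creation). Assumes Sysmon is installed.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -ErrorAction Stop |
      ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{ UtcTime = $d.UtcTime; ProcessId = [int]$d.ProcessId; ParentProcessId = [int]$d.ParentProcessId
                           Image = $d.Image; ParentImage = $d.ParentImage; CommandLine = $d.CommandLine }
      }
}

# Constructed sample records: one full chain as described in the alert, plus a benign cmd.exe.
$Svc = 'C:\Program Files\Update Services\Service\WsusService.exe'
$Enc = 'dwBoAG8AYQBtAGkA'   # Base64(UTF-16LE "whoami"), constructed for the demo
$SampleEvents = @(
    [pscustomobject]@{ UtcTime='2025-10-24 03:12:01.100'; ProcessId=4120; ParentProcessId=2288; Image='C:\Windows\System32\cmd.exe'; ParentImage=$Svc; CommandLine="cmd.exe /c `"cmd.exe /c powershell.exe -ec $Enc`"" }
    [pscustomobject]@{ UtcTime='2025-10-24 03:12:01.200'; ProcessId=4136; ParentProcessId=4120; Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\System32\cmd.exe'; CommandLine="cmd.exe /c powershell.exe -ec $Enc" }
    [pscustomobject]@{ UtcTime='2025-10-24 03:12:01.300'; ProcessId=4150; ParentProcessId=4136; Image='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; ParentImage='C:\Windows\System32\cmd.exe'; CommandLine="powershell.exe -ec $Enc" }
    [pscustomobject]@{ UtcTime='2025-10-24 03:12:01.400'; ProcessId=4160; ParentProcessId=4150; Image='C:\Windows\System32\whoami.exe'; ParentImage='C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine='whoami' }
    [pscustomobject]@{ UtcTime='2025-10-24 03:15:00.000'; ProcessId=900;  ParentProcessId=800;  Image='C:\Windows\System32\cmd.exe'; ParentImage='C:\Windows\explorer.exe'; CommandLine='cmd.exe' }
)

# Expect four findings (the chain) and none for the explorer-spawned cmd.exe.
Find-WsusExploitChain -Events $SampleEvents | Format-Table -AutoSize
# On a live server: Find-WsusExploitChain -Events (Get-SysmonProcessEvents)
```

The taint map keys on ProcessId, so on a long-lived server with PID reuse you would key on Sysmon's ProcessGuid instead; the sample keeps integers for readability. If Sysmon is not deployed, Security event 4688 carries the same parent/child and (when command-line auditing is enabled) CommandLine fields, and the converter is the only part that changes.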

Vulnerable Versions

The vulnerability affects a broad range of Windows Server products where the WSUS role is enabled. Affected versions include:

  • Windows Server 2025
  • Windows Server 2022 (including 23H2 Edition)
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012

Recommendations

The primary and most critical action is to install the emergency out-of-band (OOB) security update released by Microsoft on October 23, 2025.

Warning: The initial security update from the October 14, 2025, Patch Tuesday does not fix this vulnerability. Organisations must ensure they are deploying the specific OOB patch that supersedes the earlier one.

Patch Deployment Steps

  1. Identify Affected Assets: Use vulnerability scanners or asset inventory tools to find all servers with the WSUS Server role enabled.
  2. Deploy the OOB Update: Deploy the correct KB update for each server version. Automatic updates should apply it, but manual update processes require downloading the patch from the Microsoft Update Catalog.
  3. Reboot the Server: A reboot is mandatory after installation to complete the mitigation.

Temporary Mitigation

If you cannot apply the patch immediately, Microsoft and CISA recommend the following workarounds. Be aware that these actions will disrupt normal WSUS operations and stop clients from receiving updates.

  • Option 1: Block network access. Block all inbound traffic to TCP ports 8530 (HTTP) and 8531 (HTTPS), at both the network perimeter firewall and the server's local host firewall.
  • Option 2: Disable the WSUS Server role. If feasible, temporarily disable the WSUS Server role on the affected server so the vulnerable services stop running.
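The following script is an added example, not Microsoft's or CISA's own tooling, that ties the patch-deployment steps and the two workarounds together on one server. It assumes the ServerManager and NetSecurity PowerShell modules that ship with Windows Server: it audits for the WSUS role and the OOB update, applies the host-firewall block from Option 1 (the perimeter block still has to be done on the network firewall), optionally removes the role (Option 2), and refuses to lift the block until the update is present and no reboot is pending. The KB number is a placeholder; take the right one for your build from the advisory linked at the end of this alert.

```powershell
<#
  Added example (not Microsoft's or CISA's code) for CVE-2025-59287 remediation on one server.
  Modes: Audit (default), Block (Option 1), RemoveRole (Option 2), Rollback (lift Option 1 safely).
  $OobKb is a placeholder, not a real KB number: fill it in from the MSRC advisory for your OS build.
#>
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'Block', 'RemoveRole', 'Rollback')]
    [string]$Mode  = 'Audit',
    [string]$OobKb = 'KB<OOB-update-id-for-your-build>'
)

$RuleName = 'CVE-2025-59287 temporary block - WSUS TCP 8530/8531'

function Get-WsusExposure {
    # One snapshot of the facts the alert says matter: role present, OOB fix present, reboot done, ports open.
    $role  = Get-WindowsFeature -Name UpdateServices
    $fix   = Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue
    $ports = Get-NetTCPConnection -LocalPort 8530, 8531 -State Listen -ErrorAction SilentlyContinue
    $rule  = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $reboot = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    [pscustomobject]@{
        WsusRoleInstalled = [bool]$role.Installed
        OobFixInstalled   = [bool]$fix
        RebootPending     = $reboot
        ListeningPorts    = (@($ports.LocalPort) | Sort-Object -Unique) -join ','
        BlockRulePresent  = [bool]$rule
        # Only a server with the role and without the fix is vulnerable; the block rule is a stopgap, not a fix.
        StillVulnerable   = ([bool]$role.Installed) -and (-not $fix)
        Mitigated         = ([bool]$fix) -or ([bool]$rule) -or (-not [bool]$role.Installed)
    }
}

switch ($Mode) {
    'Audit' {
        Get-WsusExposure | Format-List
    }
    'Block' {
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            # A Block rule takes precedence over Allow rules in Windows Defender Firewall;
            # -Profile Any covers Domain, Private and Public so a profile change cannot reopen the ports.
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
                -LocalPort 8530, 8531 -Action Block -Profile Any -Enabled True | Out-Null
        }
        Write-Host 'Host firewall block in place; apply the same block at the perimeter. Clients stop receiving updates until Rollback.'
        Get-WsusExposure | Format-List
    }
    'RemoveRole' {
        # Option 2: removing the role stops the vulnerable services. Re-add it only after patching.
        Uninstall-WindowsFeature -Name UpdateServices
    }
    'Rollback' {
        # Enforces the alert's warning: no unblocking before the OOB update is installed and the reboot is done.
        $state = Get-WsusExposure
        if (-not $state.OobFixInstalled) { throw "OOB update $OobKb not found; keeping the workaround in place." }
        if ($state.RebootPending)        { throw 'A reboot is pending; reboot before lifting the block.' }
        Remove-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
        Write-Host 'Block rule removed; server reports the OOB update installed and no pending reboot.'
    }
}
```

Run it as an administrator: `.\wsus-cve-2025-59287.ps1 -Mode Audit` first, then `-Mode Block -OobKb KB...` with the real KB, and `-Mode Rollback -OobKb KB...` only after patching. Get-HotFix reads the local update history, so a KB that was installed but not yet rebooted still shows as present, which is why the rollback also checks the CBS RebootPending key before removing the rule.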

Warning

Do not undo either of these workarounds until after the correct OOB update has been fully installed and the server has been rebooted. Re-enabling the service or unblocking the ports on an unpatched server will immediately expose it to exploitation.

Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287