Microsoft releases emergency patches for actively exploited critical WSUS Deserialization flaw
Take action: If you run Windows servers with the WSUS Server Role enabled, prioritize installing Microsoft's October 23, 2025 out-of-band security update for CVE-2025-59287 and reboot; the vulnerability is actively exploited in the wild. Even if you already installed October's regular Patch Tuesday updates, you must apply this emergency update, since the initial fix was incomplete. If you cannot patch yet, disable the WSUS server role or block inbound traffic to TCP ports 8530 and 8531 at the host firewall; either workaround stops the server from serving updates to its clients until it is patched.
Microsoft has released out-of-band security updates to address a critical remote code execution vulnerability in Windows Server Update Services (WSUS). Windows Server Update Services allows IT administrators to centrally manage and distribute Microsoft updates across multiple computers within their network.
The flaw is tracked as CVE-2025-59287 (CVSS score 9.8) and is caused by unsafe deserialization of untrusted data in WSUS. The vulnerability has been actively exploited in the wild since October 24, 2025, according to the Dutch National Cyber Security Centre (NCSC). It exists in WSUS's GetCookie endpoint, which fails to perform proper type verification when deserializing AuthorizationCookie objects.
This allows a remote, unauthenticated attacker to send a crafted event that triggers unsafe object deserialization through BinaryFormatter, a legacy .NET serialization mechanism, resulting in remote code execution with SYSTEM privileges.
Security researchers have warned that the flaw is potentially wormable between affected WSUS servers, meaning it could propagate automatically across enterprise networks. Given that WSUS servers are trusted components within corporate infrastructure and are used to distribute security updates, a compromise could allow attackers to distribute malicious updates, steal sensitive data, or establish persistent access throughout an organization's entire Windows environment.
The vulnerability was initially patched in Microsoft's October 2025 Patch Tuesday release. Microsoft released an emergency out-of-band update on October 23, 2025, after confirming that the initial fix was incomplete and that proof-of-concept exploit code had been published online.
The vulnerability affects the following Windows Server versions when the WSUS Server Role is enabled:
- Windows Server 2025
- Windows Server, version 23H2
- Windows Server 2022
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
The WSUS Server Role is not enabled by default on Windows Server. Only servers with the role explicitly enabled are exposed; servers without it are not affected by CVE-2025-59287. A server that receives the patch before the WSUS role is enabled is protected.
Microsoft strongly recommends that organizations apply the October 23, 2025 out-of-band update immediately, even if they have already installed the October 2025 Patch Tuesday updates. If administrators have not yet installed the October 2025 security updates, Microsoft advises applying the out-of-band update instead, as it includes all necessary fixes. A system reboot is required after installation to complete the patching process.
For those unable to patch immediately, Microsoft recommends two temporary workarounds: disable the WSUS server role entirely, which halts client updates, or block inbound traffic to TCP ports 8530 and 8531 at the host firewall, which makes the vulnerable service unreachable from the network.
As a side effect of patching CVE-2025-59287, Microsoft has temporarily removed the functionality that displays synchronization error details within WSUS error reporting. This feature will remain unavailable in this and subsequent updates until a secure implementation can be developed.
System administrators can verify their current WSUS version and update status by checking Windows Update history.
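The following PowerShell script is an added example, not Microsoft's tooling or code from the article, that carries out the triage described above: it checks whether the WSUS role is installed, looks at update history for the out-of-band fix, flags a pending reboot, and optionally applies the host-firewall workaround for ports 8530 and 8531. It assumes an elevated session on the server itself and uses the October 23, 2025 release date as a heuristic, because the article does not list the per-OS KB numbers; confirm the exact KB for your OS against Microsoft's advisory.

```powershell
# Added example (not from Microsoft or the article): triage a Windows Server for CVE-2025-59287.
# Assumptions: elevated PowerShell on the server; ServerManager and NetSecurity modules
# are present (they ship with Windows Server); the cut-off date is the out-of-band
# release date named in the article, used as a heuristic because the page does not
# list the per-OS KB numbers.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    # Apply the host-firewall workaround when the role is present and no patch is found.
    [switch]$BlockWsusPorts
)

Import-Module ServerManager -ErrorAction Stop
Import-Module NetSecurity  -ErrorAction Stop

$OobReleaseDate = Get-Date '2025-10-23'
$WsusPorts      = 8530, 8531

# 1. Is the WSUS server role installed? Servers without it are not affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host "WSUS role (UpdateServices) not installed: not affected by CVE-2025-59287."
    return
}
Write-Warning "WSUS role is installed; this host is in scope for CVE-2025-59287."

# 2. Look for updates installed on or after the out-of-band release date.
#    Heuristic only: an October Patch Tuesday install alone will not match, which is
#    the intended behaviour since that fix was incomplete.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $OobReleaseDate } |
    Sort-Object InstalledOn -Descending
if ($recent) {
    Write-Host "Updates installed since $($OobReleaseDate.ToShortDateString()):"
    $recent | Format-Table HotFixID, Description, InstalledOn -AutoSize
    # The OOB update needs a reboot; flag it if one is still pending.
    $pending = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
    if ($pending) { Write-Warning "A reboot is pending; the fix is not active until the server restarts." }
} else {
    Write-Warning "No updates installed since the out-of-band release date; treat as unpatched."
}

# 3. Report whether anything is listening on the default WSUS ports.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort }
foreach ($conn in $listening) {
    Write-Host ("WSUS port {0} is listening on {1}" -f $conn.LocalPort, $conn.LocalAddress)
}

# 4. Optional workaround: block inbound TCP 8530/8531 at the host firewall until patched.
#    Clients stop receiving updates from this server while the rule is in place.
if ($BlockWsusPorts -and -not $recent) {
    $ruleName = 'Block WSUS inbound (CVE-2025-59287 workaround)'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
        Write-Warning "Inbound TCP 8530/8531 blocked. Remove with: Remove-NetFirewallRule -DisplayName '$ruleName'"
    } else {
        Write-Host "Firewall workaround rule already present."
    }
}
```

Run it without arguments to report only; add `-BlockWsusPorts` to apply the firewall rule on an unpatched server. Remove the rule once the out-of-band update is installed and the server has rebooted, otherwise clients will keep failing to reach WSUS.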