Critical Alert: WSUS Deserialization Flaw (CVE-2025-59287) Under Active Exploitation
Microsoft released an out-of-band security update for a critical remote code execution (RCE) in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The vulnerability is actively exploited in the wild and allows unauthenticated attackers to achieve SYSTEM-level code execution via unsafe deserialization.
What is CVE-2025-59287?
WSUS provides centralized distribution of Microsoft updates across enterprise networks. CVE-2025-59287 is an unsafe deserialization vulnerability in the handling of the AuthorizationCookie at the /ClientWebService/client.asmx endpoint. An unauthenticated remote attacker can send a crafted payload (e.g., using gadget chains such as ysoserial.net) to trigger deserialization and execute arbitrary code as SYSTEM.
| Attribute | Details |
|---|---|
| Attack Vector | Network-based, unauthenticated |
| Complexity | Low — no user interaction |
| Impact | Arbitrary code execution as SYSTEM |
| Default Ports | 8530/TCP (HTTP), 8531/TCP (HTTPS) |
| Wormability | Potential lateral spread between WSUS servers |
Timeline
- Oct 14, 2025: CVE assigned and disclosed.
- Early Oct 2025: Partial fix released in Patch Tuesday updates (deemed incomplete).
- Oct 23, 2025: Public PoC published; first exploitation attempts observed later that day.
- Oct 24, 2025: Microsoft issues comprehensive out-of-band update (KB5070883); CISA adds the CVE to the KEV catalog.
Exploitation & Impact
A compromised WSUS server can be used to distribute malicious updates to managed endpoints — enabling ransomware deployment, data exfiltration, or lateral movement. Reports indicate opportunistic exploitation of internet-facing WSUS instances; however, improperly exposed internal WSUS servers are also at risk.
Indicators of Compromise (IOCs)
- Unusual entries in `C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log` (e.g., stack traces referencing `SoapUtilities.CreateException`).
- Suspicious HTTP requests to `/ClientWebService/client.asmx`.
- `w3wp.exe` spawning reconnaissance commands (e.g., `whoami.exe`) or spawning PowerShell chains.
Affected Systems
- Windows Server 2012 / 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2025
Note: Only systems with the WSUS Server Role enabled are vulnerable. Default installations without the role are not affected.
Mitigation & Patching Guidance
Apply Microsoft’s out-of-band update (KB5070883) immediately via Windows Update or the Microsoft Update Catalog, then reboot affected servers to ensure full mitigation.
Step-by-step patching:
- Scan your environment for WSUS-enabled servers with open ports 8530/8531 (use asset inventory, internal scanners, or Shodan where applicable).
- Download and apply KB5070883 (or the OS-specific package for your build).
- Reboot servers and verify patch installation via `systeminfo` or the WSUS console.
- Monitor WSUS, IIS, and EDR logs for deserialization attempts and suspicious process chains.
Temporary Workarounds (if patching is delayed)
- Disable the WSUS Server Role entirely.
- Block inbound traffic to TCP 8530/8531 at the host/perimeter firewall (note: this will disrupt WSUS functionality).
- Restrict WSUS access to trusted internal IPs via network ACLs.
Strategic Recommendations
- Evaluate migration from legacy WSUS to modern update management such as MECM or Intune.
- Adopt Zero-Trust controls: least privilege, restrict management endpoints, and reduce attack surface.
- Hunt for `w3wp → PowerShell` process chains and deploy community YARA rules for detection.
- Ensure incident response readiness: engage IR immediately if compromise is suspected.
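The following is an added example, not part of this advisory, showing how the IOCs listed above and the `w3wp → PowerShell` hunt can be checked against exported telemetry. It assumes a W3C IIS log field order of `date time s-ip cs-method cs-uri-stem s-port c-ip` and RFC 1918 ranges as "internal"; the log lines and process events are constructed samples.

```python
"""Hunt for CVE-2025-59287 indicators in exported WSUS/IIS and EDR telemetry."""
import ipaddress
import re
from typing import Dict, Iterable, List

WSUS_ENDPOINT = "/clientwebservice/client.asmx"
WSUS_PORTS = {"8530", "8531"}
SUSPICIOUS_CHILDREN = {"whoami.exe", "powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumption: RFC 1918 space is the only legitimate source of WSUS client traffic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed W3C field order: date time s-ip cs-method cs-uri-stem s-port c-ip
IIS_LINE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+) (\S+)")

def is_internal(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)

def flag_iis_requests(lines: Iterable[str]) -> List[str]:
    """Client IPs that POST to client.asmx on a WSUS port from outside internal ranges."""
    hits = []
    for line in lines:
        m = IIS_LINE.match(line)
        if not m:
            continue
        method, uri, port, client = m.group(4), m.group(5).lower(), m.group(6), m.group(7)
        if method == "POST" and uri == WSUS_ENDPOINT and port in WSUS_PORTS and not is_internal(client):
            hits.append(client)
    return hits

def flag_process_chains(events: Iterable[Dict[str, str]]) -> List[str]:
    """Child images spawned by w3wp.exe that match the recon / PowerShell IOC."""
    hits = []
    for ev in events:
        parent = ev["parent_image"].rsplit("\\", 1)[-1].lower()
        child = ev["image"].rsplit("\\", 1)[-1].lower()
        if parent == "w3wp.exe" and child in SUSPICIOUS_CHILDREN:
            hits.append(ev["image"])
    return hits

# Constructed sample telemetry: one external POST and two suspicious w3wp children.
SAMPLE_IIS = [
    "2025-10-24 01:02:03 10.0.0.5 POST /ClientWebService/client.asmx 8530 10.0.1.20",
    "2025-10-24 01:02:09 10.0.0.5 POST /ClientWebService/client.asmx 8530 203.0.113.77",
    "2025-10-24 01:02:10 10.0.0.5 GET /iuident.cab 8530 10.0.1.21",
]
SAMPLE_PROCS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\whoami.exe"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"parent_image": r"C:\Windows\System32\services.exe", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    print(flag_iis_requests(SAMPLE_IIS), flag_process_chains(SAMPLE_PROCS))
```

Legitimate WSUS clients also POST to `client.asmx`, so the request check only isolates sources outside the expected ranges; the process-chain check is the stronger signal and should be reviewed first.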