Microsoft Issues Emergency Patch for Critical WSUS Vulnerability Under Active Exploitation

Microsoft has released emergency out-of-band security updates to address a critical vulnerability in Windows Server Update Service (WSUS) after security researchers detected active exploitation attempts in the wild.

The flaw, tracked as CVE-2025-59287, enables remote code execution on vulnerable servers and is particularly dangerous it could potentially spread between WSUS servers like a worm. A public proof-of-concept exploit is already circulating online.

What's at Risk

WSUS allows IT administrators to centrally manage and distribute Windows updates across corporate networks. The vulnerability affects only Windows servers with the WSUS Server Role enabled—a feature that is disabled by default but commonly used in enterprise environments.

An unauthenticated attacker can exploit the flaw remotely without any user interaction by sending a specially crafted event that triggers unsafe deserialization of objects in a legacy serialization mechanism. Successful exploitation grants SYSTEM-level privileges, the highest level of access on Windows systems.

"This makes the bug potentially self-propagating between WSUS servers—meaning it could function as a worm," Microsoft warned in its security advisory.

Patches Available Now

Microsoft has released updates for all affected Windows Server versions and is urging administrators to apply them immediately. Patches are available for:

• Windows Server 2025 (KB5070881)
• Windows Server 2023 H2 (KB5070879)
• Windows Server 2022 (KB5070884)
• Windows Server 2019 (KB5070883)
• Windows Server 2016 (KB5070882)
• Windows Server 2012 R2 (KB5070886)
• Windows Server 2012 (KB5070887)

Microsoft emphasized that servers without the WSUS role enabled are not vulnerable. However, organizations planning to enable WSUS should install the patch first, as servers become vulnerable immediately upon role activation.

Temporary Mitigations

For administrators unable to patch immediately, Microsoft recommends disabling the WSUS Server Role or blocking incoming traffic on ports 8530 and 8531. However, these measures will render WSUS inoperable, preventing Windows endpoints from receiving updates from local servers.

Microsoft also disclosed that WSUS will no longer display synchronization error details after installing these patches a temporary measure implemented to address the vulnerability.

Active Exploitation Confirmed

Security firm Eye Security reports detecting initial scanning and exploitation attempts targeting the vulnerability. The company said at least one client's systems were compromised using an exploit that differs from the publicly available proof-of-concept.

While WSUS servers typically operate on internal networks, Eye Security identified approximately 2,500 internet-accessible instances worldwide—all potential targets.

Threat intelligence company Huntress has also confirmed attacks against CVE-2025-59287, specifically targeting WSUS instances with open default ports. The firm observed attackers executing PowerShell commands to conduct reconnaissance on internal Windows domains, collecting usernames, domain user lists, and network configurations before exfiltrating the data via webhooks.

"We expect exploitation of CVE-2025-59287 to be limited—WSUS rarely has ports 8530 and 8531 open. In our partner base, we found about 25 vulnerable hosts," Huntress noted, though the firm warned that any exposed instances face immediate risk.

The incident underscores the critical importance of rapid patch deployment and proper network segmentation for internal infrastructure services.