Uncovering the Windows Server WSUS Bug: Exploits on the Rise and Microsoft’s Silence

Admin

Governments and security experts are sounding the alarm about a serious flaw in Microsoft Windows Server Update Services (WSUS). Just after Microsoft released a critical patch, attackers began exploiting this vulnerability. It’s a remote code execution issue, meaning hackers can take control of affected systems with just a single malicious request.

The bug, tracked as CVE-2025-59287, affects Windows Server versions from 2012 to 2025, and it has a staggering CVSS score of 9.8 out of 10. It allows unauthenticated attackers to execute code on vulnerable systems. Servers that do not have the WSUS role installed are not affected.

Microsoft initially addressed the problem on October 14, but that patch didn’t fully fix the vulnerability. They had to push out another update soon after, but there are concerns it might not be foolproof. Security researcher Kevin Beaumont tested the patch and reported that he was able to bypass it, potentially allowing him to send malicious updates to other clients on the system.

Recently, the U.S. Cybersecurity and Infrastructure Security Agency added this vulnerability to its Known Exploited Vulnerabilities catalog. That listing matters because it indicates the risk is both real and widespread. Countries like the Netherlands have also issued alerts to warn organizations.

Huntress, a security firm, noted that it observed attackers starting to target unprotected WSUS instances. It reported these attackers probing servers exposed on WSUS's default ports to exploit the vulnerability. The exploitation often involves using tools like PowerShell to collect sensitive data from affected machines.

While some reports suggest that fewer than 25 systems are vulnerable, Huntress highlighted that they expected exploitation could still be widespread. Their CEO warns that if a WSUS instance is online and unpatched, there’s a high chance it’s already been compromised.

In summary, the threat posed by CVE-2025-59287 is serious. Organizations need to heed these warnings. Ensuring proper patching and security practices is essential to protect sensitive information. For more detailed security guides, you can visit the CISA Known Exploited Vulnerabilities page.
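The article's three practical points (only hosts with the WSUS role are affected, attackers probe the default WSUS ports, and the October patches must actually be present) can be checked on a server with the following triage script. It is an added example, not code from the article, Microsoft or Huntress; the default port numbers 8530 (HTTP) and 8531 (HTTPS) and the 14 October 2025 date are the only values it assumes, and the KB numbers for the fix are not on this page, so the script lists recently installed updates for you to compare against Microsoft's advisory.

```powershell
# Added triage script (not from the article): reports WSUS role, listener exposure
# and patch state for CVE-2025-59287. It only reads; it changes nothing.
Import-Module ServerManager -ErrorAction Stop

$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Output "WSUS role not installed: this host is not affected by CVE-2025-59287."
    return
}
Write-Output "WSUS role is installed; checking exposure and patch state."

# Default WSUS listener ports (assumed 8530/8531); add a custom port here if one is used.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 }
foreach ($l in $listeners) {
    # 0.0.0.0 or :: means the listener accepts connections on every interface,
    # so reachability then depends only on firewall rules and network placement.
    Write-Output ("Listening on {0}:{1}" -f $l.LocalAddress, $l.LocalPort)
}
if (-not $listeners) { Write-Output "No listener on 8530/8531 (WSUS may use a custom port)." }

# Updates installed on or after Microsoft's first fix (14 October 2025). Compare the
# HotFixID values against the KB numbers in Microsoft's advisory for CVE-2025-59287.
$since = [datetime]'2025-10-14'
$recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $since } |
    Sort-Object InstalledOn
if ($recent) {
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Output "No updates installed since $($since.ToShortDateString()): treat as unpatched."
}
```

An installed role plus a listener bound to all interfaces on an Internet-facing host is the exposure the article describes; if no post-14-October update appears, treat the server as unpatched until the advisory's KB is confirmed present.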
