Go back

Article

Cybersecurity

Oct 25, 2025

CVE-2025-59287: Critical vulnerability in Windows Server Update Services (WSUS)

CVE-2025-59287 is a critical vulnerability in Windows Server Update Services (WSUS). This article briefly explains the flaw, its potential impact, and how to mitigate it, along with key indicators of compromise (IoCs).

CVE-2025-59287: Critical vulnerability in Windows Server Update Services (WSUS)
CVE-2025-59287: Critical vulnerability in Windows Server Update Services (WSUS)
CVE-2025-59287: Critical vulnerability in Windows Server Update Services (WSUS)

Summary

On October 23, Microsoft released an update for a critical remote command execution vulnerability in Windows Server Update Services (WSUS).

IT administrators use WSUS to centrally distribute Microsoft updates inside networks.

CVE-2025-59287 is a critical vulnerability in WSUS that allows attackers to execute commands remotely without authentication. The vulnerability score is CVSS 9.8.

To exploit the vulnerability, an attacker targets the service ports on TCP/8530 and TCP/8531 and sends specially crafted POST requests to the update service. The service decrypts and deserializes the payload, which can result in command execution.

Command execution occurs via WSUS processes such as wsusservice.exe or w3wp.exe, which may launch cmd.exe or powershell.exe.

What is CVE-2025-59287?

This is a remote command execution (RCE) vulnerability in the WSUS update service caused by unsafe deserialization of a request.

  • An attacker sends a POST request to the WSUS web endpoints.

  • The request contains an AuthorizationCookie object encrypted with AES-128-CBC.

  • After decryption, the service deserializes the object using .NET’s BinaryFormatter without validating the object type.

  • This unsafe deserialization leads to remote code execution under the SYSTEM account.

Recommendations

1. Apply the Microsoft security update

Install Microsoft’s security update for CVE-2025-59287 immediately. See Microsoft Security Response Center for the official guidance:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

2. Isolate WSUS access

  • Limit access to WSUS servers to only management machines and other update servers that require communication with WSUS.

  • Block inbound access to service ports TCP/8530 and TCP/8531 from general networks and from the public internet.

Indicators of Compromise (IOCs)

Check WSUS log file:

Look for stack traces or errors such as:


Check IIS logs:
Look for POST requests to WSUS web services, for example:
POST /ReportingWebService/ReportingWebService.asmx (get_server_id)
POST /SimpleAuthWebService/SimpleAuth.asmx (get_auth_cookie)
POST /ClientWebService/Client.asmx (get_reporting_cookie)
POST /ReportingWebService/ReportingWebService.asmx (send_malicious_event)
POST /ApiRemoting30/WebService.asmx
POST /ReportingWebService/ReportingWebService.asmx - 8530 - <IPv4>


Windows event / process monitoring
  • wsusservice.exe spawning cmd.exe or powershell.exe (unexpected — normally it does not spawn child processes).
  • w3wp.exe spawning cmd.exe or powershell.exe.
Sources
  • HawkTrace: https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
  • Huntress: https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
  • Microsoft Security Response Center (MSRC): https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Ready to Secure and Optimize Your IT?
Book your free 15-minute IT assessment today and discover how to protect and optimize your business technology.
Book a Free Consultation
Book a Free Consultation
Free Consultation
Free Consultation