Microsoft has released an out-of-band security update to fix CVE-2025-59287, a serious remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS).
Researchers claim that the vulnerability is being used in the wild.
The fix shipped as a separate emergency update, in addition to Microsoft’s October Patch Tuesday release earlier this month, to address the vulnerability found after that initial release.
Many organizations use WSUS, an on-premises update solution, to obtain Microsoft updates once and then distribute them to all of the network’s managed PCs.
Because of this role, a compromised WSUS server is an attractive target for attackers: it can facilitate lateral movement, allow SYSTEM-level code execution on the server and, in the worst case, be used to push malicious “updates” to downstream clients.
CVE-2025-59287 is a deserialization-of-untrusted-data vulnerability. An unauthenticated attacker can send a specially crafted event that triggers unsafe object deserialization in WSUS, leading to remote code execution with SYSTEM privileges; no user interaction is required.
Both the National Vulnerability Database and Microsoft’s advisory classify the issue as critical (high CVSS score) and exploitable over the network.
The need for an out-of-band security update became pressing after a public technical write-up and proof-of-concept exploit surfaced and several incident response teams reported in-the-wild exploitation.
Security firm Huntress disclosed attacks beginning on October 23, 2025, detailing the reconnaissance stages and exploitation through multiple crafted POST requests to WSUS web services that triggered the deserialization RCE.
According to Huntress, four of its customers were affected; because WSUS endpoints are not usually exposed to the internet, overall exploitation may be limited.
On October 23, Microsoft released the out-of-band patches, noting that affected systems must be rebooted after installation and that the patch is cumulative (no prior updates are required).
CISA instructed US federal civilian agencies to address the vulnerability by November 14, 2025, and added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) database.
Although proper perimeter configuration should prevent exploitation of WSUS from the public internet, national agencies such as Germany’s BSI cautioned that an attacker already inside the network, or a misconfigured firewall, could still allow the bug to be weaponized to fully compromise WSUS servers and move laterally.
