
Microsoft WSUS Remote Code Execution Vulnerability CVE-2025-59287 Requires Action

Written by Debojyoti Goswami | Nov 5, 2025 4:41:54 PM

Critical Microsoft WSUS Remote Code Execution Vulnerability

A critical unauthenticated remote code execution vulnerability (CVSS 9.8) has been identified in Microsoft Windows Server Update Services (WSUS).

It allows an unauthenticated attacker to execute arbitrary code in the security context of the WSUS service, which is often SYSTEM.

Microsoft released an out-of-band patch on October 23, and active exploitation has been observed in the wild.

ProArch SOC has deployed custom detection rules and is actively monitoring for IOCs.

How Attackers Exploit the Microsoft WSUS RCE Vulnerability

  • Root cause: Unsafe deserialization of a crafted AuthorizationCookie payload by WSUS web endpoints.
  • Impact: Arbitrary code execution under WSUS service context.
  • Attack vector: Unauthenticated network request to WSUS endpoints.
  • Patch Release: Microsoft issued out-of-band cumulative updates (KB5070881 / KB5070882) on October 23, 2025.
  • Active Exploitation Confirmed: Multiple vendors and CERTs report active exploitation.

Why CVE-2025-59287 Matters: High-Risk Exploitation and Supply Chain Threat

  • High blast radius: WSUS compromise can lead to malicious update distribution, creating a supply-chain attack vector.
  • Unauthenticated & low effort: No authentication or user interaction required.
  • Privilege escalation: SYSTEM-level access enables lateral movement and persistence.
  • Active exploitation: Listed in CISA Known Exploited Vulnerabilities; immediate risk to exposed WSUS servers.

Recommendations

Primary Action: Patch Now

Apply Microsoft’s out-of-band patch immediately, then confirm that the KB is installed and that WSUS is still functioning. See the Microsoft Security Resource Center for the advisory.

If You Can’t Patch Immediately: Temporary WSUS Protections

  • Block inbound access to WSUS ports (8530/8531) from untrusted networks.
  • Restrict WSUS to trusted VLAN or admin hosts via firewall/VPN.
  • Disable WSUS role temporarily if feasible; plan alternate update distribution.
  • Remove public exposure; enforce VPN/jump host with MFA for remote admin.

These interim controls significantly reduce exposure while permanent fixes are applied.
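The interim controls above are, in practice, firewall scoping on the WSUS host itself. The following PowerShell is an added example written for this page, not part of the ProArch advisory; it assumes the built-in Windows Firewall (NetSecurity cmdlets), the default WSUS ports 8530/8531, and a placeholder trusted-address list that must be replaced with the real management VLAN and jump host.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the ProArch advisory: interim containment for a WSUS host that
# cannot be patched yet. Assumes the built-in Windows Firewall (NetSecurity cmdlets), the
# default WSUS ports 8530/8531, and a PLACEHOLDER trusted address list to be replaced.

$WsusPorts      = @(8530, 8531)
$TrustedSources = @('10.0.10.0/24', '10.0.20.5')   # placeholder: management VLAN and jump host
$RuleName       = 'WSUS - allow trusted sources only'

# 1. Windows Firewall gives Block rules priority over Allow rules, so scoping has to be done
#    by disabling broad Allow rules rather than adding a Block rule (a Block rule on the
#    ports would drop the trusted sources too). Disable every enabled inbound Allow rule
#    that opens a WSUS port. Port ranges such as '8530-8531' are not matched; review by hand.
$broadRules = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and
                   ($_.LocalPort | Where-Object { $WsusPorts -contains ($_ -as [int]) }) } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName }
$broadRules | ForEach-Object { Write-Host "Disabling broad inbound rule: $($_.DisplayName)" }
$broadRules | Disable-NetFirewallRule

# 2. Unsolicited inbound traffic is dropped by default on every profile.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

# 3. Re-open the WSUS ports only to the trusted sources.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $WsusPorts -RemoteAddress $TrustedSources -Profile Any | Out-Null
}

# 4. Optional, if the role can be taken offline entirely until the patch lands: stop the
#    WSUS service and its IIS site (default names assumed).
# Stop-Service -Name WsusService
# Import-Module WebAdministration; Stop-Website -Name 'WSUS Administration'

# 5. Verify the resulting scope of the allow rule.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

After applying it, confirm from a host outside the trusted list that TCP 8530/8531 no longer connect, and from a trusted client that check-ins still succeed. Group Policy-managed firewall rules may reappear on the next policy refresh, so the same scoping has to be made in the GPO if one manages this host.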

Detection and Monitoring: Indicators of Compromise for CVE-2025-59287

  • Hunt for unauthenticated POSTs to WSUS endpoints carrying unusually large AuthorizationCookie payloads, unexpected child processes (cmd.exe, powershell.exe) spawned by the WSUS service, and encoded PowerShell command lines.
  • Extend IIS and WSUS log retention.
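The hunting bullets above translate into two log checks: large anonymous POSTs in the WSUS site's IIS logs, and shells spawned by the WSUS service or its IIS worker process in the Security log. The PowerShell below is an added example written for this page, not the ProArch SOC's detection rules. It assumes IIS W3C logging on the WSUS site with the optional cs-bytes field enabled, process-creation auditing (event 4688) with command-line logging turned on, and a placeholder size threshold; the endpoint path, IP addresses and user agents in the sample log are constructed.

```powershell
# Added example, not from the ProArch advisory: hunting helpers for the indicators above.
# Assumptions: IIS W3C logs include cs-bytes (not logged by default), Security event 4688 is
# enabled with command-line logging, and $MinBytes is a placeholder to tune per environment.

function Find-SuspiciousWsusRequest {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        [int]$MinBytes    = 10KB,            # placeholder threshold; baseline your own clients
        [int[]]$WsusPorts = @(8530, 8531)
    )
    $fields = $null
    foreach ($line in $LogLines) {
        if ($line -like '#Fields:*') {       # header row names the columns that follow
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue
        }
        if ($line -like '#*' -or -not $fields -or -not $line.Trim()) { continue }
        $values = $line -split '\s+'
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $values.Count; $i++) {
            $row[$fields[$i]] = $values[$i]
        }
        # Ordinary WSUS clients also POST anonymously to the .asmx services, so request size
        # and source address are the real discriminators, not the missing username alone.
        $suspicious = $row['cs-method'] -eq 'POST' -and
                      $row['cs-username'] -eq '-' -and
                      $row['cs-uri-stem'] -like '*.asmx' -and
                      ($WsusPorts -contains ($row['s-port'] -as [int])) -and
                      (($row['cs-bytes'] -as [int]) -ge $MinBytes)
        if ($suspicious) {
            [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                Uri       = $row['cs-uri-stem']
                Bytes     = [int]$row['cs-bytes']
                UserAgent = $row['cs(User-Agent)']
                Status    = $row['sc-status']
            }
        }
    }
}

function Find-WsusChildProcess {
    param([int]$Hours = 24)
    $parents  = @('wsusservice.exe', 'w3wp.exe')          # WSUS service and IIS worker process
    $children = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
    $filter   = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        $parent = [IO.Path]::GetFileName([string]$data['ParentProcessName']).ToLower()
        $child  = [IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
        if ($parents -contains $parent -and $children -contains $child) {
            $cmd = [string]$data['CommandLine']
            [pscustomobject]@{
                Time        = $e.TimeCreated
                Parent      = $parent
                Child       = $child
                User        = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                # heuristic: an -e/-enc/-EncodedCommand switch followed by a base64 blob
                Encoded     = $cmd -match '(?i)\s-e[a-z]*\s+[A-Za-z0-9+/=]{16,}'
                CommandLine = $cmd
            }
        }
    }
}

# Constructed IIS log excerpt (not real traffic): one ordinary client check-in, one large
# anonymous POST from an outside address, one benign GET.
$SampleIisLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status cs-bytes
2025-10-24 03:12:41 10.0.10.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.20.17 Windows-Update-Agent 200 1873
2025-10-24 03:13:02 10.0.10.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.44 Mozilla/5.0 200 48210
2025-10-24 03:13:05 10.0.10.5 GET /selfupdate/wuident.cab - 8530 - 10.0.20.18 Windows-Update-Agent 200 312
'@

# Offline check against the sample: only the 48210-byte POST from 203.0.113.44 is returned.
Find-SuspiciousWsusRequest -LogLines ($SampleIisLog -split "`r?`n") | Format-Table

# Live hunting (placeholder path; the WSUS site's W3SVC folder id differs per host):
# Find-SuspiciousWsusRequest -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC<siteid>\u_ex251024.log')
# Find-WsusChildProcess -Hours 48 | Format-Table
```

If cs-bytes is not in the log, the size test never matches and the function returns nothing; enabling that field on the WSUS site (and extending retention, as the bullets above recommend) is the prerequisite. The 4688 check is only as good as the audit policy: without command-line logging the Encoded column is always false, so treat any cmd.exe or powershell.exe child of WsusService.exe or w3wp.exe as worth investigating regardless.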

References and Threat Intelligence for CVE-2025-59287