Microsoft Releases Out-of-Band Security Update for Windows Server Update Service (WSUS)

Summary

CVE-2025-59287 is under active exploitation and could lead to unauthenticated remote code execution over a network


Threat details

Exploitation of CVE-2025-59287

CVE-2025-59287 has been added to the US Cybersecurity and Infrastructure Security Agency's (CISA) Known Exploited Vulnerabilities (KEV) Catalog, and further exploitation has been reported in the wild. Additionally, security researchers have released a public proof-of-concept (PoC) exploit, and the NHS England National CSOC is aware of reports that cyber criminals have weaponised the PoC.

The National CSOC assesses further exploitation as highly likely.


Introduction

Microsoft has released an out-of-band security update to address a critical vulnerability in the Windows Server Update Service (WSUS).

  • CVE-2025-59287 is a "Deserialisation of Untrusted Data" vulnerability with a CVSSv3 score of 9.8. Successful exploitation could allow a remote, unauthenticated attacker to perform remote code execution (RCE) over a network.


Threat updates

Date | Update
--- | ---
27 Oct 2025 | Added Windows Server 2019 to affected platforms
27 Oct 2025 | Severity changed to High

The following items have been updated to reflect this change:

  • Exploitation emphasis box
  • Vulnerability details
  • Remediation advice

Remediation advice

Affected organisations must review Microsoft's security advisory and follow the remediation steps detailed below.


Remediation steps

Type: Patch

Required: Organisations must install the out-of-band security update released on October 23, 2025 as soon as possible.

Microsoft has advised that organisations must reboot the affected system after applying the relevant security update. Organisations enrolled in the Windows Server "hotpatch" programme will also need to reboot after the security update is applied if the affected system has Windows Server Update Service (WSUS) enabled.

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59287

Type: Action

Recommended: Organisations are strongly encouraged to follow Microsoft's guidance to limit access to Windows Server Update Service (WSUS) over the internet.

https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2025-59287
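
One way to check a server against the two remediation steps above, as an added example that is not part of this advisory or of Microsoft's guidance. It assumes WSUS uses its default ports 8530 and 8531, and $KbId is a placeholder to replace with the KB number Microsoft's advisory lists for the server's Windows version.

```powershell
# Added example, not from the advisory. Run in an elevated session on the server.
# Assumptions: WSUS listens on its default ports; $KbId is a placeholder value.
$KbId      = 'KB0000000'      # placeholder, not a real KB number
$WsusPorts = '8530', '8531'   # WSUS defaults (HTTP / HTTPS)

# The checks only matter if the WSUS server role is installed.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) { 'WSUS role is not installed on this server.'; return }

# Patch step: is the update present, and has the server rebooted since?
# Get-HotFix reports InstalledOn as a date only, so a same-day boot is ambiguous.
$fix      = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
$lastBoot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
$patch = if (-not $fix) {
    'Update not found: install it'
} elseif (-not $fix.InstalledOn) {
    'Installed; install date unknown, confirm the reboot manually'
} elseif ($lastBoot.Date -gt $fix.InstalledOn.Date) {
    'Installed and rebooted'
} elseif ($lastBoot.Date -eq $fix.InstalledOn.Date) {
    'Installed; booted the same day, confirm the reboot followed the install'
} else {
    'Installed but not rebooted: reboot required'
}

# Action step: which WSUS ports are listening, and which enabled inbound allow
# rules name those ports without restricting the remote address?
$listening = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
$openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
        $from  = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        ($ports | Where-Object { $_ -in $WsusPorts }) -and ($from -contains 'Any')
    }

# One summary object per server, suitable for Export-Csv across a fleet.
[pscustomobject]@{
    Server            = $env:COMPUTERNAME
    PatchStatus       = $patch
    ListeningPorts    = $listening -join ', '
    UnrestrictedRules = $openRules.DisplayName -join '; '
}
```

The firewall check only covers host rules that name the WSUS ports explicitly. Rules that allow all ports, and any perimeter firewall or load balancer in front of the server, need to be reviewed separately.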


Last edited: 27 October 2025 2:37 pm