Microsoft Releases Out-of-Band Fix for WSUS Exploit 

On Nov 3, 2025 by Tuukka Tiainen
 
The critical vulnerability CVE-2025-59287 was recently discovered in Microsoft’s Windows Server Update Services (WSUS). CISA (Cybersecurity and Infrastructure Security Agency) also added the vulnerability to its KEV (Known Exploited Vulnerabilities) catalog. As a result, on October 23 Microsoft released an out-of-band security update for the supported versions of Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022 (including 23H2 Edition) and 2025.

Servers are only vulnerable to CVE-2025-59287 if they have the WSUS role enabled. The vulnerability could let a malicious actor run harmful software on a computer over the network. This is because the system doesn’t properly validate certain types of data it receives, which allows unauthenticated attackers to execute arbitrary code with system privileges on affected servers. 

The vulnerability has a CVSS score of 9.8 out of 10 and is considered a very impactful vulnerability. This, combined with Microsoft confirming the availability of publicly disclosed Proof of Concept code for this CVE, makes it a high-risk vulnerability.

Remediation 

The best way to remediate the vulnerability is to install the out-of-band update. After you install the update, you must reboot your system for the update to apply. To install this update, use one of the following Windows and Microsoft release channels.

  • Windows Update 
  • Business 
  • Update Catalog 
  • Server Update Services 

Workarounds 

If for some reason you cannot apply the remediating update, Microsoft has introduced a couple of workarounds. 

  • If you have the WSUS role enabled on a server, but you don’t need it, the vulnerability can be mitigated by disabling the WSUS role. Doing this will obviously stop the WSUS clients from receiving updates.
  • Another workaround according to Microsoft is to block inbound traffic to ports 8530 and 8531. 
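
As an added example (not part of the original post or Microsoft's guidance), the following PowerShell script checks whether a server has the WSUS role installed and, when run with `-Apply`, creates a host firewall rule blocking inbound TCP 8530 and 8531. The `-Apply` switch and the rule name are assumptions of this example; run it in an elevated session on the server itself.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a server for the WSUS role and optionally apply the
# port-block workaround. The -Apply switch and rule name are hypothetical.
param([switch]$Apply)

$ports    = 8530, 8531   # ports named in the workaround
$ruleName = 'Block WSUS inbound (CVE-2025-59287 workaround)'

# 1. Only servers with the WSUS role are affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role is not installed; this server is not affected.'
    return
}
Write-Output 'WSUS role is installed.'

# 2. Report which of the two ports currently have a listener.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue
if ($listeners) {
    $listeners | Sort-Object LocalPort -Unique |
        ForEach-Object { Write-Output "Listening on TCP $($_.LocalPort)" }
} else {
    Write-Output 'Nothing is listening on TCP 8530 or 8531.'
}

# 3. Report whether the block rule from this script already exists.
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Block rule already present (Enabled: $($rule.Enabled))."
    return
}

if (-not $Apply) {
    Write-Output 'No block rule found. Re-run with -Apply to create it.'
    return
}

# 4. Create the inbound block rule. WSUS clients cannot reach this
#    server while the rule is in place.
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Action Block `
    -Protocol TCP -LocalPort $ports -Profile Any | Out-Null
Write-Output 'Inbound TCP 8530 and 8531 are now blocked.'
```

Once the update is installed and the server rebooted, `Remove-NetFirewallRule -DisplayName` with the same rule name removes the block.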

Further reading 

If you wish to learn more about the vulnerability, I recommend checking out the official vulnerability article by Microsoft Security Response Center. Huntress also has a very in-depth blog post about the vulnerability and its attack behavior.
