CISA issues alert after botched Windows Server patch exposes critical flaw
A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
Microsoft has taken a second shot at addressing a critical Windows Server vulnerability that a previous update didn't fully fix – and that's now being exploited in the wild.
The vulnerability, tracked as CVE-2025-59287, affects Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025).
WSUS is a component of the Windows Server operating system that is designed to simplify the management and distribution of Microsoft product updates and patches.
Instead of each PC handling this individually, WSUS downloads the updates and stores them, and then distributes them to all computers on the network.
The vulnerability stems from insecure deserialization of untrusted data, which security researchers warn allows an unauthenticated attacker to execute arbitrary code on the server.
"CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method," said Hawktrace.
"The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint."
The company first issued a fix earlier this month. However, since then, security researchers, including Dutch cybersecurity firm Eye Security, said they have spotted exploitation of the flaw in the wild.
"A few days after the public release of the CVE and the blog by HawkTrace, we are now observing active & successful exploitation targeting Windows Server Update Services (WSUS) world-wide, including our customer base," the firm said.
"Our telemetry shows scanning and exploitation attempts from 207.180.254[.]242, and our scans reveal roughly 2,500 WSUS servers still exposed world-wide, including about 100 in the Netherlands and 250 in Germany."
Meanwhile, Huntress also said it has spotted attacks targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online.
"We expect exploitation of CVE-2025-59287 to be limited; WSUS is not often exposing ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible."
Windows Server flaw prompts CISA advisory
Warnings have been issued by the Netherlands National Cyber Security Centre (NCSC-NL) and the US Cybersecurity and Infrastructure Security Agency (CISA).
"CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, or risk an unauthenticated actor achieving remote code execution with system privileges," CISA said in an advisory.
Organizations are advised to identify servers that are currently configured to be vulnerable to exploitation – i.e., those with the WSUS Server Role enabled and ports 8530/8531 open – and deal with these first.
They should apply the out-of-band security update released on 23 October to all servers identified, and then reboot. If they can't apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports 8530/8531, the default listeners for WSUS, at the host firewall.
"Of note, do not undo either of these workarounds until after your organization has installed the update," CISA said.
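The triage and workaround steps above, as an added PowerShell example that is not from the article, Microsoft or CISA. It reports whether a host has the WSUS Server Role installed, whether anything is listening on 8530/8531, and whether the out-of-band update is present, and only applies the advisory's workarounds (host-firewall block or role removal) when explicitly asked. The KB number of the 23 October update is not given in the article, so `$OutOfBandKb` is a placeholder to fill in; the script assumes it runs elevated on Windows Server with the ServerManager and NetSecurity modules available.

```powershell
# Added example (not the article's, Microsoft's or CISA's code): triage a host
# for CVE-2025-59287 exposure and optionally apply CISA's interim workarounds.
# Assumptions: elevated session on Windows Server; ServerManager and NetSecurity
# modules present; the KB id of the 23 October out-of-band update is not in the
# article, so $OutOfBandKb is a placeholder you must replace.
[CmdletBinding()]
param(
    [string]$OutOfBandKb = 'KB_PLACEHOLDER',   # replace with the real KB id
    [switch]$BlockPorts,                       # add inbound block rules for 8530/8531
    [switch]$DisableRole                       # remove the WSUS Server Role
)

$wsusPorts = 8530, 8531   # default WSUS listeners named in the advisory

function Get-WsusExposure {
    # Role state comes from ServerManager; listeners from the TCP table.
    $role      = Get-WindowsFeature -Name UpdateServices
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $wsusPorts }
    $patched   = [bool](Get-HotFix -Id $OutOfBandKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WsusRoleOn     = [bool]$role.Installed
        ListeningPorts = ($listeners.LocalPort | Sort-Object -Unique) -join ','
        UpdateApplied  = $patched
        # Exposed = role installed, a WSUS port listening, update not found
        ActionNeeded   = [bool]($role.Installed -and $listeners -and -not $patched)
    }
}

$state = Get-WsusExposure
$state | Format-List

if ($state.ActionNeeded) {
    Write-Warning "WSUS role enabled, port(s) $($state.ListeningPorts) listening, update $OutOfBandKb not found."

    if ($BlockPorts) {
        # Workaround 1 from the advisory: block inbound 8530/8531 TCP at the host firewall.
        New-NetFirewallRule -DisplayName 'Block WSUS 8530-8531 (CVE-2025-59287 workaround)' `
            -Direction Inbound -Protocol TCP -LocalPort $wsusPorts -Action Block -Enabled True | Out-Null
        Write-Host 'Inbound block rule created; remove it only after the update is installed.'
    }

    if ($DisableRole) {
        # Workaround 2 from the advisory: disable the WSUS Server Role (reboot afterwards).
        Uninstall-WindowsFeature -Name UpdateServices -Restart:$false | Out-Null
        Write-Host 'WSUS role removed; reboot, install the update, then re-enable if required.'
    }
}
```

Run it once with no switches to inventory a host; the `ActionNeeded` field is what to feed into a fleet-wide sweep (for example via `Invoke-Command`) to build the priority list the advisory asks for. The switches are deliberately opt-in so the check can be run on every server without changing anything, and the block rule's display name makes it easy to find and remove once the update is confirmed installed.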
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.