CISA issues alert after botched Windows Server patch exposes critical flaw
A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
Microsoft has taken a second shot at addressing a critical Windows Server vulnerability that a previous update didn't fully fix – and that's now being exploited in the wild.
The vulnerability, tracked as CVE-2025-59287, affects Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025).
WSUS is a component of the Windows Server operating system that is designed to simplify the management and distribution of Microsoft product updates and patches.
Instead of each PC handling this individually, WSUS downloads the updates and stores them, and then distributes them to all computers on the network.
The flaw stems from insecure deserialization of untrusted data, which security researchers warn lets unauthenticated attackers execute arbitrary code on the server.
"CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method," said Hawktrace.
"The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint."
The company first issued a fix earlier this month. However, since then, security researchers, including Dutch cybersecurity firm Eye Security, said they have spotted exploitation of the flaw in the wild.
"A few days after the public release of the CVE and the blog by HawkTrace, we are now observing active & successful exploitation targeting Windows Server Update Services (WSUS) world-wide, including our customer base," the firm said.
"Our telemetry shows scanning and exploitation attempts from 207.180.254[.]242, and our scans reveal roughly 2,500 WSUS servers still exposed world-wide, including about 100 in the Netherlands and 250 in Germany."
Meanwhile, Huntress also said it has spotted attacks targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online.
"We expect exploitation of CVE-2025-59287 to be limited; WSUS is not often exposing ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible."
Windows Server flaw prompts CISA advisory
Warnings have been issued by the Netherlands National Cyber Security Centre (NCSC-NL) and the US Cybersecurity and Infrastructure Security Agency (CISA).
"CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, or risk an unauthenticated actor achieving remote code execution with system privileges," CISA said in an advisory.
Organizations are advised to first identify the servers that are currently configured in a way that leaves them vulnerable to exploitation, i.e. those with the WSUS Server Role enabled and ports 8530/8531 open, and deal with these first.
They should apply the out-of-band security update released on 23 October to all servers identified, and then reboot. If they can't apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports 8530/8531, the default listeners for WSUS, at the host firewall.
"Of note, do not undo either of these workarounds until after your organization has installed the update," CISA said.
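The triage steps above (check for the WSUS Server Role, check whether the default 8530/8531 listeners are open, and if the update cannot be applied yet, block inbound traffic to those ports at the host firewall) can be scripted. The PowerShell below is an added example, not code from the article, Microsoft or CISA; the rule name and the `-BlockPorts` switch are my own choices, and it uses only built-in ServerManager, NetTCPIP and NetSecurity cmdlets.

```powershell
# Added example (not from the article or from Microsoft/CISA): audits a Windows
# Server host for the exposure CISA describes, and optionally applies the
# interim workaround of blocking inbound TCP 8530/8531 at the host firewall.
# Run in an elevated PowerShell session on the server being checked.
[CmdletBinding()]
param(
    [switch]$BlockPorts   # add the host-firewall block rule if exposure is found
)

$WsusPorts = 8530, 8531   # default WSUS HTTP/HTTPS listeners named in the advisory
$RuleName  = 'Block WSUS 8530-8531 (CVE-2025-59287 workaround)'   # assumed name

# 1. Is the WSUS Server Role installed? (UpdateServices is the feature name.)
$role = Get-WindowsFeature -Name UpdateServices
$roleInstalled = [bool]$role.Installed

# 2. Is anything listening on the default WSUS ports? A local listener does not
#    prove internet exposure; that still needs checking from outside the perimeter.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort }

# 3. Is the workaround block rule already present and enabled?
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$blocked = ($null -ne $rule) -and ($rule.Enabled -eq 'True')

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WsusRole       = $roleInstalled
    ListeningPorts = ($listeners.LocalPort | Sort-Object -Unique) -join ','
    WorkaroundRule = $blocked
    NeedsAction    = $roleInstalled -and [bool]$listeners -and -not $blocked
} | Format-List

if ($BlockPorts -and $roleInstalled -and -not $blocked) {
    # Interim workaround from the advisory: block inbound traffic to 8530/8531.
    # Do not remove this rule until the out-of-band update has been installed.
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Host "Inbound TCP 8530/8531 now blocked by rule '$RuleName'."
}
```

Run it without `-BlockPorts` first to get an inventory across your fleet (for example via a remoting job), then rerun with the switch only on hosts where the update genuinely cannot be installed right away.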
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.