CISA issues alert after botched Windows Server patch exposes critical flaw
A critical remote code execution flaw in Windows Server is being exploited in the wild, despite a previous 'fix'
Microsoft has taken a second shot at addressing a critical Windows Server vulnerability that a previous update didn't fully fix – and that's now being exploited in the wild.
The vulnerability, tracked as CVE-2025-59287, affects Windows Server Update Services (WSUS) on Windows Server 2012, 2016, 2019, 2022, and 2025.
WSUS is a Windows Server role that centralizes the management and distribution of Microsoft product updates and patches.
Instead of every PC fetching updates from Microsoft individually, the WSUS server downloads and stores them once and then distributes them to the computers on the network.
The flaw stems from insecure deserialization of untrusted data, which security researchers warn allows an unauthenticated attacker to execute arbitrary code on the server.
"CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method," said Hawktrace.
"The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint."
Microsoft first issued a fix earlier this month. Since then, however, security researchers, including Dutch cybersecurity firm Eye Security, say they have observed exploitation of the flaw in the wild.
"A few days after the public release of the CVE and the blog by HawkTrace, we are now observing active & successful exploitation targeting Windows Server Update Services (WSUS) world-wide, including our customer base," the firm said.
"Our telemetry shows scanning and exploitation attempts from 207.180.254[.]242, and our scans reveal roughly 2,500 WSUS servers still exposed world-wide, including about 100 in the Netherlands and 250 in Germany."
Meanwhile, Huntress also said it has spotted attacks targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online.
"We expect exploitation of CVE-2025-59287 to be limited; WSUS is not often exposing ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible."
Windows Server flaw prompts CISA advisory
Warnings have been issued by the Netherlands National Cyber Security Centre (NCSC-NL) and the US Cybersecurity and Infrastructure Security Agency (CISA).
"CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance, or risk an unauthenticated actor achieving remote code execution with system privileges," CISA said in an advisory.
Organizations are advised to first identify the servers that are currently configured in a way that makes them vulnerable to exploitation, i.e., those with the WSUS Server Role enabled and TCP ports 8530/8531 open, and to prioritize those.
They should then apply the out-of-band security update released on 23 October to every server identified and reboot it. If the update cannot be applied immediately, administrators should disable the WSUS Server Role and/or block inbound traffic to ports 8530 and 8531, the default WSUS listeners, at the host firewall.
"Of note, do not undo either of these workarounds until after your organization has installed the update," CISA said.
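The triage and interim-mitigation steps above, as an added PowerShell example written for this article; it is not code from Microsoft, CISA or any of the researchers quoted. It assumes it is run elevated on each Windows Server, that the WSUS role is installed under its usual feature name `UpdateServices`, and that the operator supplies the KB identifier of the 23 October out-of-band update in `$OobKb`, since the article does not name it (the default value is a placeholder).

```powershell
# Added example: find WSUS servers exposed on the default listeners, check whether
# the out-of-band update is present, and optionally apply CISA's firewall workaround.
# Assumptions: elevated session on Windows Server; $OobKb is the real KB of the
# 23 October out-of-band update (placeholder below, replace before use).
param(
    [string]$OobKb = 'KB0000000',   # placeholder, not a real KB number
    [switch]$Mitigate               # block 8530/8531 inbound if the update is missing
)

$wsusPorts = 8530, 8531

# Step 1a: is the WSUS Server Role installed on this host?
$role          = Get-WindowsFeature -Name UpdateServices
$roleInstalled = [bool]$role.Installed

# Step 1b: is anything listening on the default WSUS ports?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $wsusPorts -contains $_.LocalPort }
$exposed = $roleInstalled -and ($listeners.Count -gt 0)

# Step 2: is the out-of-band update already installed? (Get-HotFix errors when absent,
# so suppress the error and treat an empty result as "not installed".)
$patched = [bool](Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    WsusRole    = $roleInstalled
    ListeningOn = ($listeners.LocalPort | Sort-Object -Unique) -join ','
    Exposed     = $exposed
    OobUpdate   = $patched
    Action      = $(if (-not $exposed) { 'none' }
                    elseif ($patched)  { 'reboot if still pending' }
                    else               { 'apply update and reboot, or mitigate now' })
} | Format-List

# Step 3 (workaround): block inbound 8530/8531 at the host firewall until patched.
# Per CISA, do not remove this rule until the update is installed.
if ($Mitigate -and $exposed -and -not $patched) {
    New-NetFirewallRule -DisplayName 'Block WSUS 8530/8531 (CVE-2025-59287 interim)' `
        -Direction Inbound -Protocol TCP -LocalPort $wsusPorts -Action Block -Profile Any |
        Out-Null
    Write-Warning "Inbound TCP $($wsusPorts -join '/') blocked on $env:COMPUTERNAME; install $OobKb, reboot, then remove the rule."
}
```

Run it without `-Mitigate` first to inventory hosts, then with `-Mitigate` on those reported as exposed and unpatched. The alternative workaround the advisory mentions, removing the role entirely, is `Uninstall-WindowsFeature -Name UpdateServices`; it is more disruptive than the firewall rule, so the script does not do it automatically.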
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
