424/68 Monday, October 27, 2025

Microsoft has released an out-of-band security update to fix a severe vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287 with a CVSS score of 9.8. The flaw – a deserialization of untrusted data – allows a remote attacker to send the GetCookie() endpoint a specially crafted cookie containing malicious code, enabling immediate execution of commands with SYSTEM privileges. The issue stems from use of the insecure BinaryFormatter (which Microsoft has removed in .NET 9 due to security concerns).
The patch covers multiple Windows Server versions, including 2012, 2012 R2, 2016, 2019, 2022 (including 23H2 Server Core) and 2025. Administrators are required to reboot servers after installing the update. The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog. Security researchers and vendors such as Hawktrace, Eye Security, and Huntress have confirmed active exploitation, with available proof-of-concept (PoC) code and advanced payloads that hide commands using Base64 and ysoserial.net gadget chains to evade detection.
Analysis from researchers shows attackers employ advanced techniques – for example, issuing commands through cmd.exe and PowerShell to retrieve additional payloads – and scan for WSUS endpoints exposed on public ports 8530/8531 to achieve remote code execution and exfiltrate data via external webhooks. Although exploitation may be limited because WSUS is not commonly exposed to the public internet, experts strongly urge immediate patching. They also recommend reviewing WSUS access logs for suspicious activity, discontinuing use of BinaryFormatter, and implementing proper input validation to mitigate further risk.
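As an added illustration of the access-log review recommended above (example code, not from the advisory, Microsoft or the cited researchers), the following Python triages constructed IIS W3C log lines from a WSUS server: it flags POSTs to the client web service that come from outside trusted client ranges, carry a user agent other than the Windows Update Agent, or have an oversized request body. The endpoint path, trusted ranges and size threshold are assumptions; IIS logs do not record the SOAP method, so GetCookie calls are not distinguished directly.

```python
import ipaddress

# Assumptions (labelled): trusted client ranges, WSUS client web service path, size threshold.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
CLIENT_SERVICE = "/clientwebservice/client.asmx"  # assumed WSUS client endpoint path (lower-cased)
LARGE_POST_BYTES = 64 * 1024                      # constructed threshold for request size

# Constructed sample IIS W3C log lines (not captured traffic); IIS writes '+' for spaces in the UA.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes
2025-10-27 10:00:01 10.0.0.5 POST /ClientWebService/client.asmx - 8530 10.0.12.34 Windows-Update-Agent/10.0.10011.16384+Client/10.0 200 1532
2025-10-27 10:00:07 10.0.0.5 POST /ClientWebService/client.asmx - 8530 203.0.113.77 python-requests/2.32.0 200 98304
2025-10-27 10:00:09 10.0.0.5 GET /iuident.cab - 8530 10.0.12.34 Windows-Update-Agent/10.0.10011.16384+Client/10.0 200 210
"""

def parse_w3c(text):
    """Yield one dict per data line, keyed by the most recent '#Fields:' directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def _int(value):
    """IIS writes '-' for unavailable numeric fields; treat those as zero."""
    return int(value) if str(value).isdigit() else 0

def flag_request(rec):
    """Return reasons a client-web-service POST looks anomalous ([] = normal or out of scope)."""
    if rec.get("cs-method") != "POST" or rec.get("cs-uri-stem", "").lower() != CLIENT_SERVICE:
        return []
    reasons = []
    if not any(ipaddress.ip_address(rec["c-ip"]) in net for net in TRUSTED_NETS):
        reasons.append("client outside trusted ranges")
    if "Windows-Update-Agent" not in rec.get("cs(User-Agent)", ""):
        reasons.append("user agent is not the Windows Update Agent")
    if _int(rec.get("cs-bytes", "-")) > LARGE_POST_BYTES:
        reasons.append("oversized request body")
    return reasons

def triage(text):
    """Return [(time, client ip, reasons)] for every flagged request in the log text."""
    hits = []
    for rec in parse_w3c(text):
        reasons = flag_request(rec)
        if reasons:
            hits.append((rec["time"], rec["c-ip"], reasons))
    return hits

if __name__ == "__main__":
    for when, ip, why in triage(SAMPLE_LOG):
        print(f"{when} {ip}: {', '.join(why)}")
```

Flagged entries are a starting point for manual review against the patch status and exposure of the server, not a verdict on their own.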
