- Microsoft issues emergency patch for a critical WSUS flaw enabling remote code execution
- CVE-2025-59287 allows unauthenticated attackers to gain SYSTEM privileges without user interaction
- An out-of-band update was released after public exploit code surfaced online
Microsoft has issued an emergency Windows server security patch to fix a critical severity flaw apparently abused in the wild.
As part of its most recent Patch Tuesday cumulative update (October 14, 2025), Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in Windows Server Update Service (WSUS).
WSUS allows IT admins to manage patching computers within their network. The flaw was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.
Mitigations and workarounds
Microsoft has now released an out-of-band (OOB) security update, after spotting publicly available proof-of-concept (PoC) code.
Although the Patch Tuesday update already included a fix for CVE-2025-59287, Microsoft issued an out-of-band update to urgently alert administrators and ensure immediate installation after the public exploit became available.
“If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead,” Microsoft explained in a security advisory. “After you install the update you will need to reboot your system.”
There is also a way to mitigate the risk, Microsoft explained, saying that Windows servers without the WSUS server role enabled are not vulnerable. “If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled,” Microsoft explained.
Available workarounds include disabling the WSUS Server Role, or blocking all inbound traffic to ports 8530 and 8531 on the host firewall. In that case, though, Windows endpoints will stop receiving updates.
Microsoft also added WSUS will no longer show synchronization error details after installing the update, since the functionality was temporary in the first place.
Via BleepingComputer
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
The best antivirus for all budgets
