Critical WSUS RCE Flaw: CVE-2025-59287

Unauthenticated RCE in WSUS Puts Organizations at Risk

Microsoft patches WSUS RCE flaw letting attackers gain SYSTEM access. Learn how to secure servers and prevent exploitation.

Written By
Ken Underhill
Ken Underhill
Nov 3, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft issued an out-of-band patch for a critical remote code execution (RCE) flaw, CVE-2025-59287, in the Windows Server Update Services (WSUS) role. 

The vulnerability allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server versions, including 2012, 2012 R2, 2016, 2019, 2022, and 2025. 

Microsoft stated in its advisory that “Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.”

From Patch Management to Pivot Point

Windows Server Update Services (WSUS) is a cornerstone of enterprise patch management, enabling organizations to centrally distribute Microsoft updates across endpoints instead of relying on direct internet connections. 

Because WSUS servers run with high privileges and manage updates for all systems, compromising one server can give attackers organization-wide control through this trusted patching channel.

According to Palo Alto Networks researchers, exploitation of CVE-2025-59287 has already been observed targeting WSUS instances exposed to the internet on default ports 8530 (HTTP) and 8531 (HTTPS).

These attacks underscore how critical internal management infrastructure can become an initial entry point for lateral movement if not properly segmented.

Inside the Deserialization Flaw

At the heart of CVE-2025-59287 is an unsafe deserialization flaw within WSUS’s Authorization.EncryptionHelper.DecryptData() method. 

When the service receives an AuthorizationCookie object from a client, it decrypts and deserializes the data using the insecure .NET BinaryFormatter without enforcing strict type validation. 

This allows attackers to craft a malicious gadget chain payload — commonly generated using tools such as ysoserial[.]net — that triggers arbitrary command execution once deserialized.

An unauthenticated adversary can send a specially crafted SOAP request to the /ClientWebService/Client.asmx endpoint, invoking the GetCookie method. 

The payload, encrypted with the hardcoded AES-128-CBC key used by WSUS, is injected into the CookieData field. 

Once decrypted, the BinaryFormatter.Deserialize() call executes the attacker’s payload under the WSUS service context — commonly SYSTEM, providing full local privilege.

Observed exploitation chains reveal the following process sequence:

wsusservice.exe → cmd.exe → cmd.exe → powershell.exe

w3wp.exe → cmd.exe → cmd.exe → powershell.exe

Attackers have used these processes to execute encoded PowerShell commands for reconnaissance, such as whoami, net user /domain, and ipconfig /all, and then exfiltrated results using curl.exe or Invoke-WebRequest to remote servers.

Advertisement

Reduce Your WSUS Attack Surface

To defend against active exploitation of CVE-2025-59287, organizations should act quickly to secure their WSUS environments. 

The following mitigation steps combine immediate patching with network, configuration, and monitoring controls designed to reduce attack surface and limit potential impact if compromise occurs.

  • Apply Microsoft’s patch: Deploy the latest WSUS security update and verify installation across all affected servers.
  • Restrict WSUS network access: Limit ports 8530/8531 to internal clients and management hosts and block all public internet access.
  • Enforce HTTPS-only communication: Require encrypted connections (port 8531) to prevent interception or tampering.
  • Harden server and account permissions: Apply least privilege, audit admin roles, and isolate WSUS from domain controllers or other critical systems.
  • Enable application allowlisting and logging: Use AppLocker or WDAC to restrict code execution and forward detailed WSUS/IIS logs to a centralized SIEM.
  • Monitor for indicators of compromise (IoCs): Hunt for unusual SOAP requests, unexpected activity from wsusservice.exe or PowerShell, and suspicious outbound traffic. 

By implementing these measures, organizations can reduce their exposure to unauthenticated remote code execution attacks targeting WSUS and build cyber resilience.

CVE-2025-59287 underscores the enduring dangers of unsafe deserialization (CWE-502) and the impact of flaws in privileged infrastructure. 

As organizations increasingly depend on automation and centralized management tools, vulnerabilities in platforms like WSUS, SCCM, and Intune can quickly escalate into full-domain compromises. 

The rapid weaponization of this exploit — just days after disclosure — demonstrates how threat actors now target patch management systems as both entry points and attack amplifiers. 

As attacks increasingly exploit trusted systems from within, adopting a zero-trust architecture becomes critical to ensuring every connection and request is verified.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and technology leader with more than 25 years of experience in IT, cybersecurity, and risk management. His career spans network administration, incident response, penetration testing, and entrepreneurship, giving him firsthand experience helping organizations reduce risk and ensure compliance. Ken is also a former nurse and combat medic and he uses this background to break down complex cybersecurity topics into digestible content for a broad, global audience. A multi-exit cybersecurity founder, Ken has spent decades helping organizations strengthen their security posture, manage risk, and navigate complex technology challenges. His expertise includes overall cybersecurity strategy, cloud security, incident response, risk management, security awareness, and emerging threats affecting businesses. Ken is also an advisor to multiple startups on AI security and risk. In addition to his hands-on industry experience, Ken is a cybersecurity newsletter writer for TechnologyAdvice, where he covers cybersecurity news/trends and actionable best practices for business and IT professionals. Ken is also an educator with over 2 million people going through his courses over the years. He has won the Global Cybersecurity 40 under 40 (2x winner), the Cyber Champion award from Women's Society of Cyberjutsu, and the 2019 SC Media award for Outstanding Educator. Ken is also a volunteer with organizations like Minorities in Cybersecurity, Black Girls Hack, and the Whole Cyber Human Initiative, which helps veterans transition into security careers. Ken holds a Master of Science in Cybersecurity and Information Assurance from Western Governors University and a Bachelor of Science in Information Systems, with a major in Cybersecurity Management, from Strayer University. His certifications include the Certificate of Cloud Security Knowledge (CCSK), Certified Ethical Hacker (CEH), and Computer Hacking Forensic Investigator (CHFI) and he is a former adjunct professor of Digital Forensics. Ken also had a streaming cybersecurity television show from 2020-2022 that reached over 200K monthly viewers around the world. His work and expertise have been featured in Forbes, Reader's Digest, Medium, TechRepublic, Fox, NBC, CBS, Dark Reading, MSN Money, and other leading publications and media outlets, making him a trusted voice on cybersecurity, election security, and privacy.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.