Microsoft has recently issued an emergency security update for enterprise Windows Server Update Services (WSUS) to address a critical vulnerability, CVE-2025-59287, which carries a CVSS score of 9.8. The flaw already has a public proof-of-concept (PoC) and is being actively exploited by threat actors in the wild.
The vulnerability stems from an improper deserialization of untrusted data within WSUS, allowing unauthenticated attackers to execute arbitrary code over the network. Notably, this flaw affects only systems with the WSUS server role enabled—servers without this role remain unaffected.
In a plausible attack scenario, a remote, unauthenticated adversary could send specially crafted events that exploit insecure object deserialization in WSUS’s legacy serialization mechanism. This could lead to remote code execution (RCE) with SYSTEM-level privileges, effectively granting full control over the affected system.
In its advisory, Microsoft stated:
“This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions. If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead. After you install the update you will need to reboot your system.”
The patched operating systems are Windows Server 2012, 2012 R2, 2016, 2019, 2022, 23H2 (Core Installation) and 2025.
For systems unable to immediately apply the update, Microsoft recommends the following mitigation measures:
- Disable the WSUS server role if it is currently enabled.
- Block inbound traffic on firewall ports 8530 and 8531 (outbound traffic does not require restriction).
- Do not reverse these mitigations until the patch has been successfully installed.
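The three interim measures above can be applied from one elevated PowerShell session. The script below is an added example, not part of Microsoft's advisory or of any tool the article names: it checks whether the WSUS role (the `UpdateServices` feature) is installed, creates inbound block rules for TCP 8530 and 8531 via the built-in NetSecurity cmdlets, and optionally removes the role. The rule names, the `$RemoveRole` switch and the exact cmdlet usage are this example's own choices; verify the rules in your environment before relying on them.

```powershell
# Added example (not from Microsoft's advisory): applies the interim
# CVE-2025-59287 mitigations on a WSUS host and reports what was changed.
# Assumes the ServerManager and NetSecurity modules that ship with
# Windows Server; run from an elevated PowerShell session.
#Requires -RunAsAdministrator

Import-Module ServerManager
Import-Module NetSecurity

$WsusPorts  = @(8530, 8531)                 # WSUS HTTP / HTTPS listeners named in the advisory
$RulePrefix = 'Mitigation CVE-2025-59287'   # example rule-name prefix (this script's own choice)

# 1. Only hosts with the WSUS server role are affected, so check that first.
$wsusRole = Get-WindowsFeature -Name UpdateServices
if (-not $wsusRole.Installed) {
    Write-Host 'WSUS role (UpdateServices) is not installed; this host is not affected by CVE-2025-59287.'
    return
}
Write-Warning 'WSUS role is installed. Applying interim mitigations until the OOB update is installed.'

# 2. Block INBOUND traffic on the WSUS ports (outbound does not need restricting).
foreach ($port in $WsusPorts) {
    $ruleName = "$RulePrefix - block inbound TCP $port"
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $ruleName"
        continue
    }
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction   Inbound `
                        -Protocol    TCP `
                        -LocalPort   $port `
                        -Action      Block `
                        -Profile     Any `
                        -Enabled     True | Out-Null
    Write-Host "Created firewall rule: $ruleName"
}

# 3. Optionally remove the role entirely (the stronger of the two mitigations).
#    Set $RemoveRole to $true only if this server's update distribution may be interrupted.
$RemoveRole = $false
if ($RemoveRole) {
    Uninstall-WindowsFeature -Name UpdateServices -IncludeManagementTools
    Write-Warning 'WSUS role removed; clients will not receive updates from this server until it is reinstalled after patching.'
}

# 4. Record the resulting firewall state for the change ticket.
Get-NetFirewallRule -DisplayName "$RulePrefix*" |
    Select-Object DisplayName, Direction, Action, Enabled

# Per the advisory, leave these rules in place until the update is confirmed installed;
# only then remove them, e.g. with:
#   Get-NetFirewallRule -DisplayName "$RulePrefix*" | Remove-NetFirewallRule
```

The block rules are scoped to inbound TCP only, matching the advisory's note that outbound traffic does not need to be restricted, and the script refuses to do anything on hosts where the role is absent so it can be run safely across a fleet.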
The Netherlands National Cyber Security Centre (NCSC) reported that, according to trusted partners, exploitation of CVE-2025-59287 began on October 24, 2025.
Security firm Eye Security, which first detected the attacks, stated that exploitation activity was observed at 06:55 UTC+0 on October 24, when attackers deployed a Base64-encoded payload targeting an unnamed client organization.
It is worth noting that a PoC exploit for this vulnerability was published around October 22, just two days prior to the first wave of attacks—an unsurprising timeline that underscores the urgency behind Microsoft’s decision to release an immediate patch.