
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has warned organizations worldwide that a critical remote code execution (RCE) vulnerability in Microsoft's Windows Server Update Services (WSUS) is being actively exploited.

Tracked as CVE-2025-59287, the vulnerability carries a CVSS score of 9.8 and allows an unauthenticated attacker to execute arbitrary code with elevated privileges over the network, potentially compromising an organization's entire IT estate.

The flaw stems from unsafe deserialization of untrusted data in WSUS. Microsoft's October Patch Tuesday release addressed it only partially; after the initial fix proved insufficient, Microsoft shipped an urgent out-of-band update on October 23, 2025.

The threat is escalating quickly, with security firms reporting in-the-wild attacks as early as October 24, 2025. Dutch security company Eye Security observed exploitation attempts at 06:55 UTC that day, involving a Base64-encoded .NET payload that took its commands from a custom request header named 'aaaa', apparently to keep them out of logs.

[Figure: WSUS reconnaissance (Source: Eye Security)]

Proof-of-concept (PoC) exploit code, published only days earlier by researcher Batuhan Er of HawkTrace, has accelerated malicious activity by giving attackers a ready-made way to target WSUS servers, whose service runs under the SYSTEM account.

By adding CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog, CISA requires federal agencies to apply the patch by November 14, 2025. The flaw is highly exploitable and of low complexity: it requires neither authentication nor user interaction.


Organizations that rely on WSUS for centralized patch management are particularly exposed, because a compromised WSUS server could be used to push malicious updates to every client it manages.

The following versions are affected; the KB number is the out-of-band update for each:

Affected version                     Patch KB   Notes
Windows Server 2012                  KB5070887  Standard and Server Core
Windows Server 2012 R2               KB5070886  Standard and Server Core
Windows Server 2016                  KB5070882  Standard and Server Core
Windows Server 2019                  KB5070883  Standard and Server Core
Windows Server 2022                  KB5070884  Standard and Server Core
Windows Server 2022, 23H2 Edition    KB5070879  Server Core installation
Windows Server 2025                  KB5070881  Standard and Server Core

The vulnerability lies in a legacy serialization path behind the GetCookie() endpoint: the encrypted AuthorizationCookie object a client submits is decrypted with AES-128-CBC and then handed to BinaryFormatter, which instantiates whatever types the byte stream names with no type validation. An attacker who can reach the endpoint therefore supplies a malicious serialized object and gains code execution on the server, leading to complete system compromise.
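To make the "no type validation" point concrete, here is an added illustration written for this article; it is not WSUS source code and does not reproduce Microsoft's fix. It shows a BinaryFormatter consumer that instantiates any type named in the stream, beside the standard hardening of attaching a SerializationBinder that vetoes every type not on an explicit allow-list. System.Version stands in for the one type the consumer expects (WSUS's AuthorizationCookie), and a Hashtable stands in for an attacker-chosen type; a real exploit would name a gadget-chain type instead, which is deliberately not shown. It runs under Windows PowerShell 5.1 on .NET Framework, where BinaryFormatter is still available.

```powershell
# Added illustration of BinaryFormatter with and without type validation.
# Not WSUS code; System.Version is a stand-in for AuthorizationCookie.

# Allow-list binder: refuses to resolve any type other than the one the consumer
# expects, so deserialization aborts before an unexpected object is instantiated.
class AllowListBinder : System.Runtime.Serialization.SerializationBinder {
    [string[]] $Allowed = @('System.Version')   # the only type this consumer should ever receive

    [Type] BindToType([string] $assemblyName, [string] $typeName) {
        if ($this.Allowed -notcontains $typeName) {
            throw [System.Runtime.Serialization.SerializationException]::new(
                "Refusing to deserialize unexpected type '$typeName'")
        }
        return [Type]::GetType("$typeName, $assemblyName", $true)
    }
}

function ConvertTo-BinaryBlob([object] $Object) {
    $ms = [System.IO.MemoryStream]::new()
    [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new().Serialize($ms, $Object)
    return ,$ms.ToArray()
}

# Vulnerable pattern: whatever type the stream names gets instantiated.
function Read-Unsafe([byte[]] $Blob) {
    $ms = [System.IO.MemoryStream]::new($Blob)
    return [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new().Deserialize($ms)
}

# Hardened pattern: the binder is consulted for every class record and vetoes strangers.
function Read-Restricted([byte[]] $Blob) {
    $fmt = [System.Runtime.Serialization.Formatters.Binary.BinaryFormatter]::new()
    $fmt.Binder = [AllowListBinder]::new()
    $ms = [System.IO.MemoryStream]::new($Blob)
    return $fmt.Deserialize($ms)
}

# Constructed inputs: the expected type and a stand-in for an attacker-chosen one.
$expected = ConvertTo-BinaryBlob ([version]'1.2.3.4')
$other    = [hashtable]::new(); $other['a'] = 1
$unexpected = ConvertTo-BinaryBlob $other

"Unsafe reader, expected type:     {0}" -f (Read-Unsafe $expected)
"Unsafe reader, ANY type accepted: {0}" -f (Read-Unsafe $unexpected).GetType().FullName
"Restricted reader, expected type: {0}" -f (Read-Restricted $expected)
try {
    Read-Restricted $unexpected | Out-Null
} catch {
    "Restricted reader rejected it:    {0}" -f $_.Exception.Message
}
```

The binder is the minimal defense; the more robust choice, and Microsoft's own guidance for BinaryFormatter in general, is to stop using it for untrusted input altogether.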

The issue was reported to Microsoft by Markus Wulftange of CODE WHITE GmbH and by independent researchers MEOW and f7d8c52bec79e42795cf15888b85cbad, all of whom are credited in Microsoft's advisory.

Microsoft has confirmed that servers without the WSUS Server Role enabled are not affected. Servers with the role enabled are exploitable, and those exposing ports 8530 or 8531 to the internet are at greatest risk.

Early reports indicate that attackers are using the PoC to deploy malware, with the potential for extensive lateral movement inside enterprise environments.

Mitigations

CISA and Microsoft urge immediate action. First, identify vulnerable servers: look for hosts with the WSUS role enabled and TCP ports 8530/8531 listening, especially where those ports are reachable from untrusted networks.

Install the October 23 out-of-band update right away and then reboot the server; the fix is not in effect until the restart completes. Every day of delay leaves the server open to unauthenticated RCE.

If patching must wait, the interim workarounds are to disable the WSUS Server Role or to block inbound traffic to ports 8530 and 8531 at the host firewall. Both stop clients from receiving updates from that server, so keep them in place only until the update is installed, and do not revert them before then.

Beyond the WSUS servers themselves, update all remaining Windows Servers and reboot them after installation. Put monitoring in place for anomalous WSUS traffic, such as GetCookie() requests from unexpected sources or requests carrying Base64-encoded payloads.
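The identification, patch-verification and interim-workaround steps above can be run as one triage pass per server. The script below is an added example for this article, not a tool from CISA or Microsoft. It assumes an elevated Windows PowerShell session on the server itself; the KB-per-OS mapping comes from the table above, and the build-number keys and the use of Get-HotFix to detect the update are the script's own assumptions.

```powershell
# Added triage script (not from CISA or Microsoft). Run elevated on each Windows Server.
# Reports the WSUS role state, whether the October 23, 2025 out-of-band KB for this OS
# build is present, whether a reboot is still pending, and whether TCP 8530/8531 are
# listening. -BlockPorts applies the interim host-firewall workaround when the role is
# installed and the patch is missing.
[CmdletBinding()]
param([switch] $BlockPorts)

# KB per OS, from the advisory table; keying on Win32_OperatingSystem.BuildNumber is our assumption.
$Patches = @{
    '9200'  = 'KB5070887'   # Windows Server 2012
    '9600'  = 'KB5070886'   # Windows Server 2012 R2
    '14393' = 'KB5070882'   # Windows Server 2016
    '17763' = 'KB5070883'   # Windows Server 2019
    '20348' = 'KB5070884'   # Windows Server 2022
    '25398' = 'KB5070879'   # Windows Server 2022, 23H2 Edition
    '26100' = 'KB5070881'   # Windows Server 2025
}

$build = (Get-CimInstance Win32_OperatingSystem).BuildNumber
$kb    = $Patches[$build]

# Per Microsoft: no WSUS Server Role, no exposure.
$role          = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = [bool]($role -and $role.Installed)

# Get-HotFix lists updates by the KB that was installed. A later cumulative update
# supersedes this KB, so "not found" on a server patched in a later month means
# "verify the current cumulative update", not necessarily "vulnerable".
$patched = $false
if ($kb) { $patched = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue) }

# The fix is not active until the server has rebooted.
$rebootPending = (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending') -or
                 (Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired')

# WSUS listens on 8530 (HTTP) and 8531 (HTTPS) by default.
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @(8530, 8531) } |
    Select-Object -ExpandProperty LocalPort -Unique

$target = if ($kb) { $kb } else { 'the current cumulative update' }
$status = if (-not $roleInstalled)                 { 'NotAffected (no WSUS role)' }
          elseif ($patched -and -not $rebootPending) { 'Patched' }
          elseif ($patched)                          { 'Patched, REBOOT REQUIRED' }
          else                                       { "VULNERABLE: install $target" }

if ($BlockPorts -and $roleInstalled -and -not $patched) {
    # Interim workaround: clients stop receiving updates from this server until the rule is removed.
    New-NetFirewallRule -DisplayName 'CVE-2025-59287 interim block: WSUS 8530/8531' `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    $status += ' (inbound 8530/8531 blocked)'
}

[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    OSBuild        = $build
    WsusRole       = $roleInstalled
    ExpectedKB     = $kb
    KBFound        = $patched
    RebootPending  = $rebootPending
    ListeningPorts = ($listening -join ', ')
    Status         = $status
}
```

Run it across the fleet with Invoke-Command and collect the objects; any row reporting VULNERABLE with listening ports, or Patched with a pending reboot, is the immediate work list. Remove the firewall rule (Remove-NetFirewallRule -DisplayName 'CVE-2025-59287 interim block: WSUS 8530/8531') only after the update is installed and the server has rebooted.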

Experts warn that unpatched systems could serve as a foothold for advanced persistent threats, amplifying the damage in hybrid cloud environments.
