- CISA adds critical WSUS bug CVE-2025-59287 to its KEV catalog
- Microsoft issued the emergency patch after reports of real-world exploits surfaced
- More than 2,800 WSUS servers exposed; agencies must patch by November 14th
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its catalog of known exploited vulnerabilities (KEV), alerting federal agencies of exploits in the wild and giving them a three-week deadline to fix.
Microsoft recently released an emergency patch to fix a “deserialization of untrusted data” vulnerability found in the Windows Server Update Service (WSUS) – a tool that allows IT administrators to manage patches for the computers on their networks.
The flaw, tracked as CVE-2025-59287, was given a severity score of 9.8/10 (Critical) as it appears to allow remote code execution (RCE) attacks. It can be abused in low-complexity attacks without user interaction, giving unauthorized, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, this would allow them to pivot and infect other WSUS servers as well.
Patch Tuesday fixes
The issue was first addressed in October 2025’s Patch Tuesday cumulative update, but since news of real attacks broke, Microsoft also released an emergency fix.
Since then, several security firms have found evidence that the flaw was exploited in attacks. For example, Huntress saw WSUS instances being attacked through publicly exposed default ports (8530/TCP and 8531/TCP), while Eye Security saw at least one of its customers breached. In its security advisory, Microsoft still labels the flaw as “exploitation more likely,” “not disclosed,” and “not exploited.”
The Shadowserver Foundation, the Internet monitoring group that tracks the exploitation of various vulnerabilities, claims that there are more than 2,800 WSUS instances with default ports exposed online. Some of them are most likely already patched, so the attack surface is probably a bit smaller than that.
Now, CISA added CVE-2025-59287 to KEV, giving Federal Civilian Executive Branch (FCEB) agencies until November 14 to patch or completely stop using the vulnerable product.
Via Bleeping Computer