- Microsoft issues an emergency patch for a critical WSUS bug that allows remote code execution
- CVE-2025-59287 allows unauthorized attackers to gain SYSTEM privileges without user interaction
- An out-of-band update was released after public exploit code surfaced online
Microsoft has issued an emergency security patch for Windows Server to fix a Critical Severity bug that appears to have been exploited in the wild.
As part of its latest Patch Tuesday cumulative update (October 14, 2025), Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in Windows Server Update Services (WSUS).
WSUS allows IT administrators to manage and patch computers on their network. The flaw was given a severity score of 9.8/10 (Critical) as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks without user interaction, giving unauthorized, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, this would allow them to pivot and infect other WSUS servers as well.
Remedies and solutions
Microsoft has now released an out-of-band (OOB) security update after discovering publicly available proof-of-concept (PoC) code.
Although the Patch Tuesday update already included a fix for CVE-2025-59287, Microsoft released an out-of-band update to quickly alert administrators and ensure immediate installation after the public exploit became available.
“If you have not yet installed the Windows October 2025 Security Update, we recommend that you apply this OOB update instead,” Microsoft explained in a security advisory. “After installing the update, please reboot your system.”
There is also a way to mitigate the risk, Microsoft explained, saying that Windows servers without the WSUS server role enabled are not vulnerable. “If the WSUS server role is enabled, the server will be vulnerable if the patch is not installed before the WSUS server role is enabled,” Microsoft explained.
Available solutions include disabling the WSUS server role or blocking all incoming traffic to ports 8530 and 8531 on the host firewall. However, in that case, Windows endpoints will stop receiving updates.
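The port-blocking workaround described above, as an added PowerShell example (not taken from Microsoft's advisory or the original article): it checks whether the WSUS role is installed and, if so, adds a host-firewall rule blocking inbound TCP 8530 and 8531. The rule name is a made-up label, and the script assumes a Windows Server host where the ServerManager and NetSecurity modules are available.

```powershell
#Requires -RunAsAdministrator
# Added example: temporary host-firewall workaround for an unpatched WSUS server.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Ports named in the article (WSUS HTTP and HTTPS listeners).
    [int[]]$WsusPorts = @(8530, 8531),
    # Hypothetical rule name, chosen here so the rule is easy to find and remove.
    [string]$RuleName = 'TEMP block WSUS inbound (CVE-2025-59287)'
)

# 1. Servers without the WSUS server role are not vulnerable.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS server role is not installed; nothing to block.'
    return
}

# 2. Report which of the WSUS ports are actually listening right now.
$listening = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Output ("WSUS role installed. Listening ports: {0}" -f (($listening | Sort-Object) -join ', '))

# 3. Add the block rule once. Windows Firewall block rules override allow
#    rules, so the existing WSUS allow rules can stay in place.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output "Rule '$RuleName' already exists; no change made."
}
elseif ($PSCmdlet.ShouldProcess("TCP $($WsusPorts -join ',')", 'Block inbound traffic')) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Block -Protocol TCP `
        -LocalPort $WsusPorts -Profile Any | Out-Null
    Write-Output "Inbound TCP $($WsusPorts -join ', ') blocked. Clients will not receive updates from this server."
}

# After installing the update and rebooting, undo the workaround with:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

Running the script with `-WhatIf` reports what would be blocked without creating the rule.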
Microsoft also added that WSUS no longer displays sync error details after installing the update, as the functionality was temporary in the first place.
Via Bleeping Computer