NCSC confirms active exploitation of severe Microsoft WSUS vulnerability (CVE-2025-59287)
Publication date: 2025-10-24
A serious security vulnerability in Microsoft Windows Server Update Services (WSUS) — tracked as CVE-2025-59287 — is being actively exploited. Microsoft released initial patches on 14 October (Patch Tuesday) and subsequently issued an out-of-band emergency update on 23 October 2025 to fully address the flaw. National authorities confirm active abuse and the availability of public proof-of-concept code.
Overview
WSUS enables centralized control over Windows updates inside an organization. A deserialization vulnerability allows an unauthenticated remote attacker to execute arbitrary code with SYSTEM privileges on a Windows Server where the WSUS role is enabled and reachable over the network. No user interaction or prior access is required.
WSUS is not enabled by default, but is widely used in managed environments. Unpatched WSUS servers are at high risk and can serve as a pivot for broader compromise.
CVE Details
- CVE: CVE-2025-59287
- Severity: Critical (CVSS 9.8)
- Attack Vector: Network (remote)
- Privileges Required: None
- User Interaction: None
- Impact: Remote Code Execution with SYSTEM privileges
- Status: Active exploitation; public PoC available
Microsoft advisory: MSRC – CVE-2025-59287
Affected Windows Server Versions
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022
- Windows Server 2022, 23H2 Edition (Server Core)
- Windows Server 2025
How to Check If You Are Vulnerable
- Confirm the WSUS Role is Installed
Open Server Manager → Manage → Add Roles and Features. If Windows Server Update Services is listed as installed, the server could be affected.
- Verify Network Exposure
Ensure WSUS is not reachable from the public internet. By default, WSUS uses ports 8530 (HTTP) and 8531 (HTTPS). Restrict access to trusted internal networks only.
- Confirm the Out-of-Band Patch Is Installed
Identify the specific KB for your OS version on the MSRC page above, then verify installation. Examples:

```powershell
# PowerShell (Get-HotFix): check for the version-specific KB
Get-HotFix | Where-Object { $_.HotFixID -in @('KB<YourVersionSpecificKB>') }
# Or, search all installed hotfixes for recent security updates (by date)
Get-HotFix | Where-Object { $_.InstalledOn -ge (Get-Date '2025-10-23') }
# Alternative (packages list)
Get-WindowsPackage -Online | Where-Object { $_.PackageName -match 'KB<YourVersionSpecificKB>' }
```

If the required KB is not present, you are still vulnerable and must install the emergency update.
- Audit for Signs of Exploitation
Review logs for suspicious WSUS activity, unexpected SYSTEM-level processes, new services or scheduled tasks, and unusual outbound connections from the WSUS host.
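The four checks above, collected into one PowerShell triage script. This is an added example, not code from the advisory or from Microsoft; it assumes it is run elevated on the server under review, that the KB number is replaced with the one listed on the MSRC page (the value below is a placeholder), and it treats the event 7045 and child-process checks as heuristics rather than authoritative indicators.

```powershell
# Triage script for CVE-2025-59287 (added example, not from the advisory).
# Assumes an elevated session on the WSUS host; replace the KB placeholder
# with the out-of-band KB for this OS version from the MSRC page.
param(
    [string]$RequiredKB = 'KB<YourVersionSpecificKB>',   # placeholder, take from MSRC
    [datetime]$PatchDate = (Get-Date '2025-10-23')      # out-of-band release date
)

# 1. Is the WSUS role installed? (Server Manager role name: UpdateServices)
$wsus = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = [bool]($wsus -and $wsus.Installed)
"WSUS role installed : $roleInstalled"
if (-not $roleInstalled) { "Not a WSUS server; CVE-2025-59287 does not apply here."; return }

# 2. Network exposure: which addresses are the WSUS ports bound to?
#    0.0.0.0 or :: means every interface; confirm perimeter firewall rules separately.
Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    ForEach-Object { "Listening           : $($_.LocalAddress):$($_.LocalPort)" }

# 3. Patch state: exact KB if known, plus any update installed on/after the OOB date
$kbPresent = [bool](Get-HotFix -Id $RequiredKB -ErrorAction SilentlyContinue)
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchDate }
"Required KB present : $kbPresent ($RequiredKB)"
"Updates since $($PatchDate.ToShortDateString()) : $($recent.HotFixID -join ', ')"
if (-not $kbPresent) { "VULNERABLE until the out-of-band update is installed." }

# 4. Heuristic exploitation indicators from the last 7 days:
#    a) new services (System log, Service Control Manager event ID 7045)
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } `
    -ErrorAction SilentlyContinue |
    ForEach-Object { "New service         : $($_.TimeCreated) $($_.Message.Split("`n")[0])" }
#    b) child processes of the WSUS IIS worker or WSUS service (heuristic: WSUS
#       normally does not spawn shells or script hosts)
Get-CimInstance Win32_Process -Filter "Name='w3wp.exe' OR Name='WsusService.exe'" |
    ForEach-Object {
        $parentId = $_.ProcessId
        Get-CimInstance Win32_Process -Filter "ParentProcessId=$parentId" |
            ForEach-Object { "Child of $($_.ParentProcessId): $($_.Name) $($_.CommandLine)" }
    }
```

Run it before and after applying the update and keep both outputs with the change record; a non-empty "Child of" or "New service" line warrants a full incident review rather than just patching.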
Recommended Actions
- Apply Microsoft’s out-of-band update immediately. Use Windows Update or download from the MSRC Security Update Guide.
- Restrict exposure. Keep WSUS internal-only; do not publish it to the internet. Enforce firewall rules and authentication on management interfaces.
- Harden WSUS. Use HTTPS (port 8531), disable legacy protocols, and apply least-privilege to service accounts and administration.
- Monitor continuously. Given active exploitation and public PoC, enable alerting for abnormal WSUS traffic and SYSTEM-level changes.
- Review patch governance. Validate patch success, maintain an inventory of WSUS hosts, and document remediation steps for audit and compliance.
How BaseFortify Helps
BaseFortify helps organizations identify, prioritize, and remediate vulnerabilities like CVE-2025-59287 by:
- Automatically correlating CVEs to your deployed components and versions.
- Surfacing vendor advisories and national alerts when active exploitation is detected.
- Orchestrating and documenting patch cycles for compliance and resilience.
Get started: create a free BaseFortify account to assess exposure, prioritize actions, and receive targeted guidance for your environment.
SMBs in the Netherlands may be eligible for support via the Digital Trust Center (up to €1,250) for patch management tooling and other cyber resilience measures.