- Microsoft issues emergency patch for critical WSUS flaw that allows remote code execution
- CVE-2025-59287 allows unauthenticated attackers to obtain SYSTEM privileges without user interaction
- Out-of-band update released after public exploit code appeared online
Microsoft has issued an emergency security patch for Windows Server to fix a critical severity flaw that is apparently being abused.
As part of its most recent cumulative update on Patch Tuesday (October 14, 2025), Microsoft addressed CVE-2025-59287, an “untrusted data deserialization” flaw found in Windows Server Update Services (WSUS).
WSUS allows IT administrators to manage patching of computers within their network. The flaw received a severity score of 9.8/10 (critical) as it apparently enables remote code execution (RCE) attacks. It can be abused in low complexity attacks, without user interaction, giving unauthenticated and unprivileged threat actors the ability to execute malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers as well.
Mitigations and solutions
Microsoft has released an out-of-band (OOB) security update, after detecting publicly available proof-of-concept (PoC) code.
Although Patch Tuesday’s update already included a fix for CVE-2025-59287, Microsoft issued an out-of-band update to urgently alert administrators and ensure immediate installation after the public exploit became available.
“If you have not yet installed the Windows October 2025 security update, we recommend that you apply this OOB update,” Microsoft explained in a security advisory. “After installing the update, you will need to reboot your system.”
There is also a way to mitigate the risk, Microsoft explained, saying that Windows servers without the WSUS server role enabled are not vulnerable. “If the WSUS Server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS Server role is enabled,” Microsoft explained.
Available workarounds include disabling the WSUS server feature or blocking all incoming traffic to ports 8530 and 8531 on the host’s firewall. However, in that case, Windows endpoints will stop receiving updates.
Microsoft also added that WSUS will no longer display sync error details after installing the update, as the functionality was temporary in the first place.
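The role check and the port-block workaround described above can be scripted as follows. This is an added example, not code from Microsoft's advisory or from the original article; the rule name and the `-ApplyBlock` switch are constructed for illustration, and the script assumes a Windows Server host with the ServerManager and NetSecurity modules available.

```powershell
#Requires -RunAsAdministrator
# Added example: audit a server for WSUS exposure (CVE-2025-59287) and,
# only when -ApplyBlock is given, apply the temporary port-block workaround.
param([switch]$ApplyBlock)

$wsusPorts = 8530, 8531                                   # ports named in the workaround
$ruleName  = 'TEMP block WSUS inbound (CVE-2025-59287)'   # constructed rule name

# 1. Servers without the WSUS server role are not vulnerable.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS server role is not installed; this host is not exposed.'
    return
}
Write-Output 'WSUS server role is installed.'

# 2. Show whether anything is actually listening on the WSUS ports.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $wsusPorts -ErrorAction SilentlyContinue
if ($listeners) {
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
} else {
    Write-Output 'No listener found on 8530/8531.'
}

# 3. List the most recent updates so they can be compared with the KB
#    that Microsoft's advisory names for this OS build (not hard-coded here).
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 5 HotFixID, Description, InstalledOn | Format-Table -AutoSize

# 4. Optional workaround: block inbound traffic to the WSUS ports.
#    Endpoints stop receiving updates from this server while the rule exists.
if ($ApplyBlock) {
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort $wsusPorts -Action Block | Out-Null
        Write-Output "Created firewall rule '$ruleName'."
    } else {
        Write-Output "Firewall rule '$ruleName' already exists."
    }
}

# After the update is installed and the server rebooted, remove the rule:
#   Remove-NetFirewallRule -DisplayName 'TEMP block WSUS inbound (CVE-2025-59287)'
```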
Via BleepingComputer