- CISA adds critical WSUS bug CVE-2025-59287 to its KEV catalog
- Microsoft issued emergency patch after reports of real-world exploitation emerged
- More than 2,800 WSUS servers exposed; agencies must patch by November 14
The US Cybersecurity and Infrastructure Security Agency (CISA) added a new bug to its catalog of known exploited vulnerabilities (KEV), warning federal agencies about abuses in the wild and giving them three weeks to fix it.
Microsoft recently released an emergency patch to fix an “untrusted data deserialization” vulnerability found in Windows Server Update Service (WSUS), a tool that allows IT administrators to manage patches on computers within their network.
The flaw, tracked as CVE-2025-59287, received a severity score of 9.8/10 (critical), as it apparently allows remote code execution (RCE) attacks. It can be abused in low complexity attacks, without user interaction, giving unauthenticated and unprivileged threat actors the ability to execute malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers as well.
Patch Tuesday Fixes
The issue was first addressed in the October 2025 Patch Tuesday cumulative update, but since news of real-life attacks broke, Microsoft has also released an emergency fix.
Since then, several security agencies have found evidence that the flaw was being exploited in attacks. For example, Huntress saw WSUS instances attacked via the publicly exposed default ports (8530/TCP and 8531/TCP), while Eye Security saw at least one of its clients successfully breached. In its security advisory, Microsoft still keeps the flaw labeled as “most likely to be exploited,” “not publicly disclosed,” and “not exploited.”
Shadowserver Foundation, the Internet monitoring group that tracks abuse of various vulnerabilities, says there are more than 2,800 WSUS instances with default ports exposed online. Some of them are most likely already patched, so the attack surface is probably a bit smaller than that.
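For administrators who want to know whether their own servers are among the exposed instances described above, the following PowerShell check is an added example (not code from the article, Microsoft, CISA or Shadowserver). It reports whether the WSUS role is installed and whether the default ports 8530/8531 are listening on all interfaces; the function name Get-WsusExposure is an assumption, and it assumes Windows Server with the ServerManager and NetTCPIP modules available.

```powershell
# Added example: inventory a Windows Server for WSUS exposure on the default
# ports named in the article (8530/TCP, 8531/TCP). Not code from the article,
# Microsoft, CISA or Shadowserver. Assumes Windows Server with the
# ServerManager and NetTCPIP modules (standard on 2012 R2 and later).

function Get-WsusExposure {
    [CmdletBinding()]
    param(
        [int[]]$Ports = @(8530, 8531)
    )

    # Is the WSUS role installed on this host at all?
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $installed = [bool]($role -and $role.Installed)

    # Which of the default ports are in LISTEN state, and on which addresses?
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Ports -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess

    # A wildcard bind (0.0.0.0 or ::) means the port is reachable on every
    # interface, including any that face the internet or untrusted networks.
    $wildcard = $listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        WsusRoleInstalled = $installed
        ListeningPorts    = ($listeners.LocalPort | Sort-Object -Unique) -join ','
        BoundToAllIfaces  = [bool]$wildcard
        # Defender's action hint: apply the fix first, then limit reachability.
        Recommendation    = if ($installed -and $wildcard) {
            'Apply the CVE-2025-59287 fix and restrict 8530/8531 to management networks'
        } elseif ($installed) {
            'Apply the CVE-2025-59287 fix; verify firewall scope for 8530/8531'
        } else {
            'WSUS role not present on this host'
        }
    }
}

Get-WsusExposure | Format-List
```

Run it on each server that hosts the WSUS role; a BoundToAllIfaces value of True on a host with an internet-facing interface matches the exposure pattern the monitoring groups report.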
Now, CISA has added CVE-2025-59287 to KEV, giving Federal Civilian Executive Branch (FCEB) agencies until November 14 to patch or stop using the vulnerable product entirely.
Via BleepingComputer