SOC Advisory – Critical Windows Server Remote Code Execution Vulnerability – 28 October 2025

Overview

CVE: CVE-2025-59287
Severity: Critical
Date: 28 October 2025

Microsoft has released out-of-band emergency updates to fix a critical Remote Code Execution (RCE) vulnerability in Windows Server Update Service (WSUS). The flaw can be exploited remotely without authentication or user interaction, allowing attackers to execute arbitrary code with SYSTEM privileges.

A publicly available proof-of-concept exploit makes this vulnerability particularly high-risk. Microsoft has confirmed potential wormable behaviour between WSUS servers.

Affected Versions

Vulnerable only when WSUS Server Role is enabled.

• Windows Server 2025 – KB5070881
• Windows Server 23H2 – KB5070879
• Windows Server 2022 – KB5070884
• Windows Server 2019 – KB5070883
• Windows Server 2016 – KB5070882
• Windows Server 2012 R2 – KB5070886
• Windows Server 2012 – KB5070887

Vulnerability Breakdown

CVE-2025-59287 — WSUS Remote Code Execution

• Type: Remote Code Execution
• Severity: Critical
• CVSS Score: 9.8
• Description: A remote unauthenticated attacker could send crafted events to trigger unsafe object deserialisation, resulting in SYSTEM-level code execution on vulnerable servers.
• Impact: Full remote compromise, privilege escalation, and potential wormable propagation between WSUS instances.

Mitigation

• Apply Microsoft’s out-of-band updates immediately (see KB links above).
• If patching cannot occur immediately:
  • Disable the WSUS Server Role, or
  • Block inbound traffic to Ports 8530 and 8531 on the firewall to render WSUS non-operational.
• Note: Disabling or isolating WSUS will prevent endpoints from receiving updates until patched.
• Reboot servers after applying the update to complete mitigation.
• Restrict inbound/outbound SSH and WSUS traffic to only essential management systems.

Summary for IT Teams

• Products: Windows Server Update Service (WSUS)
• Threat Level: Critical
• Action Required:
  • Patch immediately using emergency updates.
  • Disable WSUS or block ports 8530/8531 if patching is delayed.
  • Audit for unusual WSUS event traffic.
  • Limit WSUS exposure to internal networks only.

Reference

• Microsoft MSRC
• Bleeping Computer

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.