- Microsoft releases emergency patch for critical WSUS flaw enabling remote code execution
- CVE-2025-59287 allows unauthenticated attackers to obtain SYSTEM privileges without user interaction
- An out-of-band update has been released after public exploit code was posted online.
Microsoft has released an emergency security patch for Windows Server to fix a critical-severity flaw that has apparently been abused.
As part of its latest Patch Tuesday cumulative update (October 14, 2025), Microsoft fixed CVE-2025-59287, an “untrusted data deserialization” flaw found in Windows Server Update Services (WSUS).
WSUS allows IT administrators to manage patching for computers within their network. The flaw received a severity score of 9.8/10 (Critical), as it apparently allows remote code execution (RCE) attacks. It can be abused in low-complexity attacks without user interaction, giving unauthenticated and unprivileged threat actors the ability to execute malicious code with SYSTEM privileges. In theory, this would allow them to pivot and infect other WSUS servers as well.
Mitigations and Workarounds
Microsoft has now released an out-of-band (OOB) security update, after spotting publicly available proof-of-concept (PoC) code.
Although the Patch Tuesday update already included a fix for CVE-2025-59287, Microsoft released the out-of-band update to urgently alert administrators and ensure immediate installation once the public exploit became available.
“If you have not yet installed the Windows October 2025 Security Update, we recommend that you apply this OOB update instead,” Microsoft explained in a security advisory. “After installing the update, you will need to restart your system.”
There is also a way to mitigate the risk: Microsoft said that Windows servers without the WSUS server role enabled are not vulnerable. “If the WSUS server role is enabled, the server will become vulnerable if the patch is not installed before the WSUS server role is enabled,” Microsoft explained.
Available workarounds include disabling the WSUS server role or blocking all inbound traffic to ports 8530 and 8531 on the host firewall. In this case, however, Windows endpoints will stop receiving updates.
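The checks and the port-blocking workaround described above can be scripted per server. The following PowerShell is an added example, not code from Microsoft or from the original article; the `$PatchKb` value is a placeholder (take the KB number for your OS build from Microsoft's advisory), and the firewall rule name is an assumption.

```powershell
# Added example: triage one Windows Server for the WSUS exposure (CVE-2025-59287).
# Run in an elevated PowerShell session on the server being checked.
param(
    [string]$PatchKb = 'KB0000000',   # placeholder, not a real KB id
    [switch]$ApplyFirewallBlock       # opt in to the port-blocking workaround
)

$WsusPorts = 8530, 8531

# 1. Servers without the WSUS server role are not vulnerable.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role not installed: not exposed. Install the update before enabling the role.'
    return
}

# 2. Role is present: look for the update. A later cumulative update also
#    carries the fix, so a miss here needs manual confirmation.
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# 3. Is anything listening on the WSUS ports?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer    = $env:COMPUTERNAME
    WsusRole    = $true
    PatchKb     = $PatchKb
    PatchFound  = $patched
    ListeningOn = ($listeners.LocalPort | Sort-Object -Unique) -join ','
}

# 4. Workaround: block inbound 8530/8531 on the host firewall until the update is installed.
if (-not $patched -and $ApplyFirewallBlock) {
    New-NetFirewallRule -DisplayName 'Temp block WSUS inbound (CVE-2025-59287)' `
        -Direction Inbound -Protocol TCP -LocalPort $WsusPorts -Action Block | Out-Null
    Write-Warning 'Inbound 8530/8531 blocked: endpoints stop receiving updates until this rule is removed.'
}
```

Remove the firewall rule once the update is installed and the server has restarted, so endpoints can reach WSUS again.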
Microsoft also added that WSUS will no longer show details of sync errors after installing the update, as the feature was initially temporary.
Via BleepingComputer