- CISA adds critical WSUS bug CVE-2025-59287 to its KEV catalog
- Microsoft released an emergency patch after reports of in-the-wild exploitation
- More than 2,800 WSUS servers exposed online; federal agencies must update by November 14
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its catalog of known exploited vulnerabilities (KEVs), warning federal agencies that it is being exploited in the wild and giving them a three-week deadline to patch.
Microsoft recently released an emergency patch to address an “untrusted data deserialization” vulnerability in Windows Server Update Services (WSUS), the tool IT administrators use to distribute and manage patches for computers on their network.
The flaw, identified as CVE-2025-59287, received a severity score of 9.8/10 (critical) because it allows remote code execution (RCE). It can be exploited in low-complexity attacks without user interaction, giving unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, this would also allow them to pivot and infect other WSUS servers.
Patch Tuesday fixes
The issue was first fixed in the October 2025 Patch Tuesday cumulative update, but after reports of in-the-wild attacks emerged, Microsoft also released an emergency out-of-band patch.
Since then, several security companies have found evidence that the flaw is being exploited in attacks. For example, Huntress has seen WSUS instances attacked via their publicly exposed default ports (8530/TCP and 8531/TCP), while Eye Security has seen at least one of its clients successfully compromised. In its security advisory, Microsoft still labels the flaw as “Exploitation More Likely,” “Not Publicly Disclosed,” and “Not Exploited.”
The Shadowserver Foundation, the internet monitoring group that tracks abuse of various vulnerabilities, says more than 2,800 WSUS instances have their default ports exposed online. Some of these have likely already been patched, so the real attack surface is somewhat smaller than that figure.
Now, CISA has added CVE-2025-59287 to KEV, giving federal civilian executive branch (FCEB) agencies until November 14 to update or completely stop using the vulnerable product.
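The practical question for an administrator reading this is whether their own WSUS host is one of the exposed instances. The following PowerShell snippet is an added example, not code from the TechRadar article or from Microsoft; it assumes it is run with administrator rights on a Windows Server host where the ServerManager, NetTCPIP and NetSecurity modules are available. It reports whether the WSUS role is installed, whether the default ports named above (8530/TCP and 8531/TCP) are listening on every interface, which enabled inbound firewall rules allow those ports from any remote address, and whether a given update is installed. The article does not name the KB number of the fix, so $PatchKB is a placeholder to be filled in from Microsoft's advisory.

```powershell
# Added example (not from the article): exposure and patch-state check for a WSUS host.
# Assumptions: run elevated on the WSUS server itself; ServerManager, NetTCPIP and
# NetSecurity modules present (Windows Server 2012 R2 or later).

$WsusPorts = @('8530', '8531')   # default WSUS HTTP/HTTPS ports cited in the article
$PatchKB   = 'KBXXXXXXX'         # PLACEHOLDER: KB of the CVE-2025-59287 fix from Microsoft's advisory

$result = [ordered]@{}

# 1. Is the WSUS role (UpdateServices) installed at all?
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$result.WsusRoleInstalled = [bool]($role -and $role.Installed)

# 2. Which of the default ports are listening, and are they bound to all interfaces?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort }
$result.ListeningPorts = ($listeners | Select-Object -ExpandProperty LocalPort -Unique) -join ','
# 0.0.0.0 / :: means every NIC, so any internet-facing interface exposes the service
$result.BoundToAllInterfaces = [bool]($listeners | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })

# 3. Enabled inbound allow rules that open those ports (or all ports) to any remote address.
#    Port ranges such as '8530-8531' are not expanded here; review them by hand.
$openRules = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue) {
    $pf = $rule | Get-NetFirewallPortFilter
    $af = $rule | Get-NetFirewallAddressFilter
    $portHit = $pf.LocalPort | Where-Object { $_ -eq 'Any' -or $WsusPorts -contains $_ }
    if ($pf.Protocol -eq 'TCP' -and $portHit -and ($af.RemoteAddress -contains 'Any')) {
        $rule.DisplayName
    }
}
$result.FirewallRulesAllowingAnyRemote = ($openRules -join '; ')

# 4. Is the fix installed? (placeholder KB; Get-HotFix returns nothing when it is absent)
$result.PatchInstalled = [bool](Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)

[pscustomobject]$result | Format-List
```

A host that reports WsusRoleInstalled and BoundToAllInterfaces as True, one or more firewall rules allowing any remote address, and PatchInstalled as False matches the exposed-and-unpatched profile the article describes. Restricting the inbound rules to the address ranges of managed clients is the mitigation that shrinks the attack surface while the update is rolled out.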
Via BleepingComputer