Everybody's warning about critical Windows Server WSUS bug exploits ... but Microsoft's mum
- Reference: 1761345773
- News link: https://www.theregister.co.uk/2025/10/24/exploitation_of_critical_windows_server/
- Source link:
Plus, there's at least one [1]proof-of-concept attack floating around in cyberspace, and it only takes one specially crafted request to exploit the bug for full system takeover - so we know what Microsoft admins are doing this weekend.
The vulnerability, tracked as [2]CVE-2025-59287 and serious enough to receive a 9.8 out of 10 CVSS score, affects Windows Server versions 2012 through 2025. It stems from insecure deserialization of untrusted data and allows unauthenticated attackers to execute arbitrary code on vulnerable systems. And servers without the Windows Server Update Services (WSUS) role enabled aren't affected.
Microsoft initially [4]issued a fix for CVE-2025-59287 on October 14 - Patch Tuesday - but it didn't fully patch the security hole, and late Thursday Redmond [5]pushed an emergency update.
But that second patch might not be foolproof, either. Security researcher Kevin Beaumont [8]said he poked holes in the out-of-band update in the lab, and after achieving remote code execution, "I was able to tamper with the updates offered to the clients and push out malicious updates to said clients ... I don't want to detail too much to prevent ransomware groups going nuts, but you can lift prior research and adapt it easily to add fake updates for clients."
Later, he added: "For bonus points you can set the deadline date on WSUS for your payload as in the past, and clients will instantly install it. Or set it at, say, 2pm and every client will sit on it until 2pm and then install at the same time."
On Friday, the US Cybersecurity and Infrastructure Security Agency [10]added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, and the Dutch National Cybersecurity Center [11]reportedly issued an alert about exploitation activity.
Microsoft declined to answer The Register's exploitation-related questions, and at the time of publication the [12]security update for CVE-2025-59287 still listed the bug as not exploited, with no public exploit code in the wild - although we'd assume Redmond will have to update both of these soon.
"We re-released this CVE after identifying that the initial update did not fully mitigate the issue," a Microsoft spokesperson told The Register. "Customers who have installed the latest updates are already protected."
Meanwhile, private security firms including Huntress and watchTowr warned attackers had already begun abusing the flaw.
"Starting around 2025-10-23 23:34 UTC, Huntress observed threat actors targeting WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP) to exploit a deserialization vulnerability via the AuthorizationCookie (CVE-2025-59287)," Huntress researchers [13]said .
Exploitation activity included using the HTTP worker process and WSUS service binary to run Command Prompt and PowerShell, and then using PowerShell to scan servers for sensitive network and user information, and then transferring this data via a remote webhook.
The attackers used proxy networks for these attacks, which made exploitation more difficult to detect.
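The post-exploitation chain Huntress describes (the HTTP worker process or the WSUS service binary launching Command Prompt or PowerShell) is a simple parent/child relationship to hunt for in process-creation telemetry. The following is an added detection example, not code from the article or from Huntress; it assumes the standard binary names w3wp.exe (IIS worker process) and WsusService.exe (WSUS service), and runs over constructed Sysmon-style JSON events rather than real logs.

```python
# Added example: flag process-creation events in which the IIS worker process or the
# WSUS service spawns a shell, the chain Huntress reported for CVE-2025-59287 activity.
# Assumed binary names: w3wp.exe (IIS HTTP worker) and WsusService.exe (WSUS service).
import json

# Parents that have no routine reason to launch an interactive shell
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
# Children that indicate scripted or hands-on post-exploitation
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a WSUS-related parent process spawns a shell."""
    parent = _basename(event.get("ParentImage", ""))
    child = _basename(event.get("Image", ""))
    return parent in WSUS_PARENTS and child in SHELLS


def find_suspicious(lines):
    """Parse JSON-lines process-creation events and return the suspicious ones."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the hunt
        if is_suspicious(event):
            hits.append(event)
    return hits


# Constructed sample events in Sysmon Event ID 1 style (not real telemetry)
SAMPLE_LOG = r"""
{"UtcTime":"2025-10-23 23:35:01","Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\System32\\inetsrv\\w3wp.exe","CommandLine":"cmd.exe /c whoami"}
{"UtcTime":"2025-10-23 23:35:09","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Update Services\\Service\\WsusService.exe","CommandLine":"powershell -nop -w hidden"}
{"UtcTime":"2025-10-23 23:40:00","Image":"C:\\Windows\\System32\\conhost.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"conhost.exe"}
{"UtcTime":"2025-10-23 23:41:00","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe"}
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(hit["UtcTime"], _basename(hit["ParentImage"]), "->", hit["CommandLine"])
```

Only the first two constructed events match; a user-launched PowerShell under explorer.exe does not, which keeps the rule narrow enough to be useful on a real WSUS host.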
It's worth noting that the threat hunters said they spotted fewer than 25 susceptible hosts, as WSUS ports 8530 and 8531 are rarely exposed to the internet. "We expect exploitation of CVE-2025-59287 to be limited," the Huntress researchers wrote.
WatchTowr CEO Benjamin Harris, however, had a slightly different take on the likelihood of mass exploitation - and strong words for anyone exposing WSUS to the public internet.
"Exploitation of this flaw is indiscriminate. If an unpatched WSUS instance is online, at this stage it has likely already been compromised," he told The Register.
"There really is no legitimate reason in 2025 to have WSUS accessible from the Internet - any organization in that situation likely needs guidance to understand how they ended up in this position," he added. "We've observed exposure in 8,000+ instances, including extremely sensitive, high-value organizations ... some of the affected entities are exactly the types of targets attackers prioritize." ®
[1] https://hawktrace.com/blog/CVE-2025-59287
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-59287
[4] https://www.theregister.com/2025/10/14/microsoft_october_2025_patch_tuesday/
[5] https://www.theregister.com/2025/10/24/windows_server_patch/
[8] https://cyberplace.social/@GossiTheDog/115430147992307420
[10] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[11] https://www.linkedin.com/feed/update/urn:li:activity:7387478654190104576/
[12] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
[13] https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
There wasn't any valid reason in 2002 either.
Been a while since I maintained WSUS, would have been up to 2010 at the latest but it was never exposed to the Internet. Neither was any other domain service.
You could sort of get away with less than optimal security configuration until the late 90s, after that you took your life into your hands. I miss some of the sysadmin side, I definitely don't miss securing networks - complex, difficult, and thankless.
Critical 9.8-rated vulnerability in a Microsoft product or service, you say? Microsoft silent on the topic, you say? How very...rare. And unusual, too. Most shocking, to be sure.
It's almost like they don't care, or maybe they don't understand what's happening.
Maybe they'll consult with a technology company for more information, or check in with their completely reliable and totally trustworthy AI to solve this dilemma. Or is it a conundrum? Maybe the AI will cover that, too.
Regardless, best of luck to them in their future endeavors.
Soooo...
One company says they found 25 exposed, the other 8000+?
Also how many are honeypots?
I can't think of a single reason to have a WSUS server with those ports open facing outwards.