Significant Vulnerability in Windows Server Update Services Exposed

Concerns are mounting over exploitation of a flaw in Windows Server Update Services (WSUS), especially after Microsoft expedited an out-of-band patch for a bug that lets unauthenticated remote attackers execute arbitrary code on the server.
Tracked as CVE-2025-59287, the vulnerability stems from WSUS deserializing untrusted data through a legacy serialization mechanism. WSUS itself is deprecated and no longer actively developed by Microsoft, but it remains widely deployed. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on Friday.
Cybersecurity firms, including Eye Security and Palo Alto Networks Unit 42, have reported active exploitation attempts and estimate that thousands of WSUS installations are reachable from the internet. According to Unit 42, the attacks observed so far focus on reconnaissance, which may be a precursor to broader network compromise.
An attacker who gains control of a single WSUS server can control an organization's entire patch distribution system, enabling an internal supply chain attack. Justin Moore, senior manager of threat intelligence research at Unit 42, warns that such an attack could push malicious software to every workstation and server in the organization, disguised as legitimate Microsoft updates. Turning a trusted service into a vector for widespread infection is what makes this flaw particularly alarming.
Both the Canadian Centre for Cyber Security and the Australian Cyber Security Centre have issued alerts about the vulnerability. Microsoft's first fix, released in its October 15 security update, was incomplete, and a proof of concept published by HawkTrace soon circulated widely.
In the window between the flawed initial patch and the subsequent emergency fix, threat actors moved quickly. Two attack paths have been identified. In the first, WSUS's handling of AuthorizationCookie objects is abused: an attacker sends a malicious encrypted cookie to the GetCookie() endpoint, which decrypts it and deserializes the contents with the legacy BinaryFormatter, without any authentication. In the second, the ReportingWebService deserializes attacker-supplied data with SoapFormatter, which is equally unsafe on untrusted input.
The vulnerability is especially concerning because WSUS tends to be overlooked by IT teams, who often treat it as a "set it and forget it" system. Moore stresses that WSUS servers should never be exposed to the internet: they are designed for internal patch management, not to be reachable as public targets.
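As an added example that is not part of the article or of any vendor tooling, the following PowerShell script audits a Windows Server for the exposure described above and, optionally, applies Microsoft's published interim workaround for hosts that cannot yet take the emergency update: blocking inbound traffic to the WSUS ports 8530 (HTTP) and 8531 (HTTPS) on the host firewall. The `-InternalCidrs` and `-Enforce` parameters and the firewall rule name are assumptions for illustration; the private-range defaults stand in for whatever your own internal address space is.

```powershell
# Added example (not from the article or from Microsoft). Run elevated on the WSUS host.
# 1. Confirms the WSUS role is installed.
# 2. Shows what the WSUS ports are bound to and who is currently connected.
# 3. Flags established connections from addresses outside the "internal" ranges.
# 4. With -Enforce, applies Microsoft's interim workaround: block inbound TCP 8530/8531.
#    Caveat: that renders WSUS non-operational until the rule is removed after patching.
param(
    # Assumption: RFC 1918 space is "internal". Replace with your real ranges.
    [string[]]$InternalCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    [switch]$Enforce
)

$WsusPorts = 8530, 8531
$RuleName  = 'CVE-2025-59287 interim: block inbound WSUS'   # assumed name

# Returns $true when an IPv4 address falls inside a CIDR block.
function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    $ipBytes  = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)     # to host byte order
    $ipInt  = [uint64][BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [uint64][BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint64]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

# Returns $true for an IPv4 address that is neither loopback nor in any internal range.
function Test-ExternalIPv4 {
    param([string]$Ip)
    $addr = [System.Net.IPAddress]::Parse($Ip)
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }   # IPv6 not classified here
    if ([System.Net.IPAddress]::IsLoopback($addr)) { return $false }
    foreach ($cidr in $InternalCidrs) {
        if (Test-IPv4InCidr -Ip $Ip -Cidr $cidr) { return $false }
    }
    return $true
}

# 1. Is the WSUS role present? (Get-WindowsFeature comes from the ServerManager module.)
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if (-not $role -or -not $role.Installed) {
    Write-Host 'WSUS role is not installed on this host; nothing to audit.'
    return
}
Write-Host 'WSUS role installed.'

# 2. Listening sockets on the WSUS ports: a 0.0.0.0 bind means every interface answers.
Write-Host "`nListeners on $($WsusPorts -join ', '):"
Get-NetTCPConnection -LocalPort $WsusPorts -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize

# 3. Established connections from outside the internal ranges are a red flag.
$external = Get-NetTCPConnection -LocalPort $WsusPorts -State Established -ErrorAction SilentlyContinue |
    Where-Object { Test-ExternalIPv4 -Ip $_.RemoteAddress }
if ($external) {
    Write-Warning 'WSUS ports have established connections from non-internal addresses:'
    $external | Select-Object RemoteAddress, RemotePort, LocalPort | Format-Table -AutoSize
} else {
    Write-Host 'No established connections from non-internal IPv4 addresses.'
}

# 4. Optional: apply the interim workaround as a host-firewall block rule.
if ($Enforce) {
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Firewall rule '$RuleName' already exists."
    } else {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
        Write-Warning "Inbound TCP $($WsusPorts -join '/') is now blocked; WSUS will not serve clients until this rule is removed."
    }
}
```

Run it without `-Enforce` first to see what the server is bound to and who is talking to it; an internet-facing WSUS will usually show a `0.0.0.0` listener and, if the scanning reported above has reached it, established connections from public addresses. The block rule is a stopgap, not a fix: apply the emergency update, then remove the rule so clients can check in again.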