Analysis Summary

CISA has issued a critical warning regarding active exploitation of CVE-2025-59287, a remote code execution (RCE) vulnerability in Microsoft’s Windows Server Update Services (WSUS). Carrying a CVSS score of high, the flaw allows unauthenticated attackers to execute arbitrary code with SYSTEM-level privileges over a network, effectively enabling full compromise of IT infrastructures. The issue originates from unsafe deserialization of untrusted data in the WSUS GetCookie() endpoint, where encrypted AuthorizationCookie objects are improperly handled using AES-128-CBC and BinaryFormatter without type validation. While Microsoft addressed the flaw in its October Patch Tuesday, the initial patch was found insufficient, prompting an urgent out-of-band update on October 23, 2025.

The vulnerability affects multiple Windows Server versions (2012 through 2025, including Server Core editions), with specific patches such as KB5070881–KB5070887 released to address the issue. Systems running WSUS roles and exposing ports 8530 or 8531 to the internet are at the highest risk. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal agencies to patch by November 14, 2025. The flaw’s low complexity and lack of authentication requirements make it particularly dangerous, as attackers can exploit it remotely without user interaction to gain full administrative control.

Active exploitation was first observed by Eye Security on October 24, 2025, with attacks delivering Base64-encoded .NET payloads that evade logging by using a custom request header (“aaaa”) for execution. The availability of a proof-of-concept (PoC) exploit, publicly released by security researcher Batuhan Er (HawkTrace), has accelerated malicious activity, with attackers using WSUS servers running under the SYSTEM account to deploy malware and conduct lateral movement across networks. Researchers discovered the flaw, which highlights a recurring issue in legacy serialization mechanisms used by WSUS.

To mitigate this critical threat, Microsoft and CISA strongly urge organizations to immediately apply the October 23 patch and reboot affected servers. Those unable to patch should temporarily disable the WSUS role or block inbound traffic on ports 8530/8531 until updates are applied. Additionally, administrators should deploy network monitoring to detect anomalies, such as unusual GetCookie() requests or Base64 payloads, and ensure all Windows Servers are fully updated. Failure to act promptly could allow attackers to weaponize WSUS for malicious update distribution, turning patch management systems into powerful intrusion vectors for advanced persistent threats (APTs) within enterprise and hybrid cloud environments.

Impact

• Gain Access
• Code Execution

Indicators of Compromise

CVE

• CVE-2025-59287

Affected Vendors

Remediation

• mmediately apply the October 23, 2025 out-of-band patch released by Microsoft for all affected Windows Server versions.
• Reboot servers after patch installation to ensure complete mitigation of the vulnerability.
• Identify vulnerable servers by scanning for systems with the WSUS Server Role enabled and open ports 8530 or 8531.
• Restrict network access by blocking inbound traffic to ports 8530 and 8531 at the host or network firewall until systems are fully patched.
• Disable the WSUS role temporarily if immediate patching is not possible to reduce exposure risk.
• Ensure all Windows Servers not just WSUS servers are updated with the latest patches and rebooted post-installation.
• Deploy intrusion detection or monitoring tools to flag suspicious GetCookie() requests, Base64 payloads, or other anomalous WSUS traffic.
• Review and validate WSUS configurations, ensuring that servers are not exposed directly to the internet whenever possible.
• Audit logs for signs of exploitation, including unexpected commands executed via custom headers like “aaaa” or unknown .NET payloads.
• Isolate compromised systems immediately and perform forensic analysis to detect lateral movement or malware deployment.
• Report incidents of exploitation to CISA or relevant national cybersecurity authorities for coordinated response and intelligence sharing.