Microsoft Issues Emergency Patch for Critical Windows Server Bug

Summary

Microsoft has released an out-of-band update to fully address CVE-2025-59287, a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS). The flaw, scored 9.8 by CVSS, results from unsafe deserialization of AuthorizationCookie objects and allows remote attackers to execute code on systems with the WSUS Server Role enabled. Microsoft said the October Patch Tuesday fix was incomplete and reissued a corrected update. Multiple security firms reported active exploitation and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalogue.

Key Points

  • CVE-2025-59287 is a critical RCE in WSUS with a CVSS score of 9.8.
  • The initial October Patch Tuesday fix was incomplete; Microsoft re-released an emergency, reworked update.
  • Active exploitation has been observed against publicly exposed WSUS instances on ports 8530 and 8531.
  • CISA added the vulnerability to its KEV catalogue, signalling high priority for remediation.
  • Immediate mitigations: disable the WSUS Server Role if not required and block inbound traffic to ports 8530/8531 on host firewalls.
  • Longer-term fixes require replacing BinaryFormatter, enforcing strict type validation and input sanitisation, per technical analysis and PoC research.
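
The immediate mitigations listed above can be checked and applied per host with a short PowerShell script. This is an added example, not code from Microsoft or the source article; the rule name and the -Apply switch are assumptions chosen for illustration. Without -Apply it only reports.

```powershell
#Requires -RunAsAdministrator
# Added example: report WSUS exposure on this host and optionally apply the
# host-firewall mitigation (block inbound TCP 8530/8531).
# The rule name and the -Apply switch are assumptions, not Microsoft's naming.
param([switch]$Apply)

$ports    = 8530, 8531
$ruleName = 'Block inbound WSUS 8530-8531 (CVE-2025-59287)'   # hypothetical name

# 1. Is the WSUS Server Role installed? (ServerManager module, Windows Server only)
$role          = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = [bool]($role -and $role.Installed)

# 2. Is anything actually listening on the WSUS ports?
$listeners = @(Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue)

# 3. Is the block rule already in place?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    WsusRoleInstalled = $roleInstalled
    ListeningPorts    = ($listeners.LocalPort | Sort-Object -Unique) -join ','
    BlockRulePresent  = [bool]$rule
}

# 4. Apply the temporary mitigation only when asked, and only where it matters.
if ($Apply -and ($roleInstalled -or $listeners.Count -gt 0) -and -not $rule) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $ports `
        -Profile Any | Out-Null
    Write-Output "Added inbound block rule for TCP $($ports -join '/')."
}

# Alternative mitigation where WSUS is not required (commented out on purpose):
# Uninstall-WindowsFeature -Name UpdateServices
```

While the block rule is in place, clients cannot pull updates from this WSUS server; remove the rule once the reissued update has been installed.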

Why should I read this?

Quick and blunt: if you’ve got WSUS anywhere in your estate, this is urgent. Attackers are already exploiting the bug and Microsoft had to reissue the patch — so check, patch or apply the quick mitigations now. It’s the sort of vulnerability that can give attackers full control if ignored.

Context and relevance

This matters because WSUS is a central update-management tool for many organisations; a critical RCE there can let attackers move fast and wide inside networks. The public PoC, active exploit reports from multiple vendors, and CISA’s KEV listing raise the likelihood of widespread attacks. Organisations should prioritise inventorying exposed WSUS instances, apply Microsoft’s reissued update immediately, implement the temporary mitigations, and plan for the recommended code-level fixes to remove unsafe serialization.

Source

Source: https://www.darkreading.com/vulnerabilities-threats/microsoft-emergency-patch-windows-server-bug