Microsoft has pushed an out-of-band patch for a critical vulnerability in the Windows Server Update Services (WSUS).
The pre-auth RCE bug, assigned CVE-2025-59287, was initially patched in October’s Patch Tuesday cycle, but an October 23 out-of-band update indicates that the initial patch was inadequate.
As The Stack noted on Patch Tuesday, Microsoft has deprecated WSUS in a bid to drive users to cloud-based server management systems, but it is still supported in production deployments.
The WSUS vulnerability notably affects recent releases like Windows Server 2025 as well as multiple earlier OS versions.
WSUS vulnerability CVE-2025-59287 exploited
Huntress Labs said late Friday that it had seen four enterprises hit via CVE-2025-59287, with attacks beginning on October 23.
The threat actor is targeting “WSUS instances publicly exposed on their default ports (8530/TCP and 8531/TCP)”, it added, acknowledging that public exposure is comparatively uncommon: “... we have observed ~25 hosts susceptible.”
That figure covers only Huntress’s own customer base; attack surface management firm watchTowr told The Register that it saw over 8,000 instances exposed online.
"CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method.
"The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint.
"Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data." - Batuhan Er, Hawktrace.
(The ZDI’s Dustin Childs suggested on Patch Tuesday, however, that the CVSS 9.8 vulnerability appears to be “wormable between affected WSUS servers. Since WSUS remains a critical piece of anyone’s infrastructure, it’s an attractive target…”)
Exploitation comes after Batuhan Er of Hawktrace published a proof-of-concept exploit, noting that the flaw is “caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method.”
Microsoft said: "If you are unable to install the October 23, 2025 out-of-band update, you can take any of the following actions to be protected against this vulnerability:
- If the WSUS Server Role is enabled on your server, disable it. Note that clients will no longer receive updates from the server if WSUS is disabled.
- Block inbound traffic to Ports 8530 and 8531 on the host firewall (as opposed to blocking only at the network/perimeter firewall) to render WSUS non-operational.
"Important: Do NOT undo either of these workarounds until after you have installed the update."
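As an added example (not Microsoft’s own script, and not part of the original article), the following PowerShell applies the two interim workarounds above on the WSUS host itself and reports the resulting state. It assumes a Windows Server with the built-in ServerManager and NetSecurity modules, run from an elevated session on the WSUS server; the firewall rule name is an arbitrary label chosen here, and the port numbers are the defaults Microsoft and Huntress cite.

```powershell
# Added example, not Microsoft's script: apply Microsoft's interim workarounds for
# CVE-2025-59287 on a WSUS host and show the resulting state.
# Assumes: Windows Server with ServerManager + NetSecurity modules (built in),
# run elevated on the WSUS server itself. Rule name below is an arbitrary label.

#Requires -RunAsAdministrator

param(
    # Default: workaround 2 (host firewall block). Pass -RemoveRole for workaround 1.
    [switch]$RemoveRole
)

$ports    = 8530, 8531   # WSUS default HTTP/HTTPS listener ports named in the advisory
$ruleName = 'Block WSUS inbound (CVE-2025-59287 workaround)'   # arbitrary label

# 1. Is the WSUS role installed at all? No role, no WSUS exposure from this host.
$feature = Get-WindowsFeature -Name UpdateServices
if (-not $feature.Installed) {
    Write-Host 'WSUS role (UpdateServices) is not installed; nothing to do.'
    return
}

# 2. Record what is listening on the WSUS ports before changing anything.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports }
if ($listeners) {
    Write-Host 'Current listeners on WSUS ports:'
    $listeners | Select-Object LocalAddress, LocalPort, OwningProcess | Format-Table -AutoSize
}

if ($RemoveRole) {
    # Workaround 1: remove the role. Clients stop receiving updates from this server.
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
    Write-Host 'UpdateServices role removed; a reboot may be needed to finish removal.'
} else {
    # Workaround 2: block inbound 8530/8531 on the HOST firewall. Microsoft's note is
    # that blocking only at the network/perimeter firewall is not sufficient.
    # Idempotent: re-running the script does not create duplicate rules.
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName `
            -Direction Inbound -Protocol TCP -LocalPort $ports `
            -Action Block -Profile Any -Enabled True | Out-Null
        Write-Host "Created host firewall rule '$ruleName'."
    } else {
        Write-Host "Host firewall rule '$ruleName' already exists."
    }
}

# 3. Verify: either the role is gone, or an enabled host block rule exists.
#    With workaround 2 the service keeps listening locally; the firewall drops the
#    inbound traffic, so ServiceListening staying True is expected in that case.
$rule    = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
$feature = Get-WindowsFeature -Name UpdateServices
[pscustomobject]@{
    RoleInstalled    = $feature.Installed
    HostBlockRule    = [bool]$rule
    RuleEnabled      = if ($rule) { $rule.Enabled -eq 'True' } else { $false }
    ServiceListening = [bool](Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
                           Where-Object { $_.LocalPort -in $ports })
}
```

Run it as-is for the host firewall block, or with `-RemoveRole` to take the role off the server instead. To confirm from a different machine that the block holds, `Test-NetConnection -ComputerName <wsus-host> -Port 8530` should fail once the rule is in place. Per Microsoft’s note above, leave the workaround in place until the October 23 out-of-band update has been installed.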