
Cybersecurity Threat Advisory

Microsoft has released out-of-band (OOB) security updates to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS). Servers with the WSUS Server Role enabled are affected. Successful exploitation allows attackers to execute code with SYSTEM-level privileges on the WSUS host, posing a serious risk due to WSUS’s privileged role in enterprise update distribution.

What is the threat?

Tracked as CVE-2025-59287, this vulnerability affects the WSUS cookie-based authentication routine. The issue arises because WSUS decrypts and deserializes the AuthorizationCookie field using .NET’s BinaryFormatter without proper validation. An attacker can craft a malicious cookie that forces WSUS to deserialize attacker-controlled objects, leading to arbitrary code execution with SYSTEM-level privileges.

Since WSUS communicates with endpoints and other servers, a compromised WSUS instance could distribute malicious updates or serve as a pivot point for lateral movement within the network.

Why is it noteworthy?

An unauthenticated attacker with network access can execute arbitrary code as SYSTEM on any Windows Server running the WSUS role. A public proof-of-concept (PoC) exploit is already circulating, prompting Microsoft to release emergency patches outside its regular Patch Tuesday cycle. Because WSUS plays a privileged role in enterprise patch distribution, successful exploitation can result in full server compromise and even potential supply-chain infection. The vulnerability requires no authentication and is easy to exploit. Combined with the availability of a working PoC, this significantly increases the risk of exploitation across many environments.

What is the exposure or risk?

WSUS servers often store the signing certificate used to distribute third-party updates. If compromised, an attacker could publish a malicious update package that downstream systems would trust and install automatically.

What are the recommendations?

Barracuda recommends the following actions to limit the impact of CVE-2025-59287 in your environment:

  • Install the emergency OOB cumulative security update on affected Windows Server versions as soon as possible.
  • If immediate patching is not possible, apply these Microsoft workarounds. Note that both interrupt WSUS functionality:
    • Disable the WSUS Server Role to eliminate the attack vector.
    • Block inbound traffic to the WSUS ports (8530 and 8531) on the host firewall.
  • Monitor Windows servers, using solutions such as Barracuda Managed XDR Server Security, to detect anomalies.
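The following PowerShell script is an added example (not from this advisory, Barracuda or Microsoft) that checks whether a host is exposed and applies the two interim workarounds above: it confirms the WSUS role is installed, reports anything listening on TCP 8530/8531, creates inbound block rules for those ports, and optionally removes the role. It assumes an elevated session on Windows Server with the built-in ServerManager, NetSecurity and NetTCPIP modules; the rule display names and switch names are chosen here.

```powershell
# Added example: assess CVE-2025-59287 exposure and apply the interim workarounds.
# Assumes an elevated PowerShell session on the WSUS host (Windows Server).
# Rule display names below are this script's own choice, not Microsoft's.
param(
    [switch]$BlockPorts,   # create inbound block rules for TCP 8530/8531
    [switch]$RemoveRole    # uninstall the WSUS (UpdateServices) role
)

$WsusPorts = 8530, 8531

# 1. Is the WSUS role installed on this host? If not, the vulnerability does not apply.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host "WSUS role is not installed; CVE-2025-59287 does not apply to this host."
    return
}
Write-Warning "WSUS role is installed on $env:COMPUTERNAME."

# 2. Report any current listeners on the WSUS ports (shows what the firewall rules will cover).
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WsusPorts } |
    ForEach-Object {
        Write-Warning ("Listening on TCP {0} (PID {1})" -f $_.LocalPort, $_.OwningProcess)
    }

# 3. Check for, and optionally create, inbound block rules for each WSUS port.
foreach ($port in $WsusPorts) {
    $name = "Block inbound WSUS TCP $port (CVE-2025-59287 workaround)"
    $rule = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
    if ($rule) {
        Write-Host "Block rule already exists for TCP $port."
    } elseif ($BlockPorts) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any | Out-Null
        Write-Host "Created inbound block rule for TCP $port."
    } else {
        Write-Warning "No block rule for TCP $port (re-run with -BlockPorts to add one)."
    }
}

# 4. Optionally remove the role entirely; this stops WSUS from serving updates until reinstalled.
if ($RemoveRole) {
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
    Write-Host "WSUS role removal requested; a restart may be required to complete it."
}
```

Run it with no switches first to get a report only; add `-BlockPorts` or `-RemoveRole` to apply the corresponding workaround, and remove the rules or reinstall the role once the OOB update is in place.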

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Stacey Landrum

Stacey is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Stacey supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
