CVE-2025-59287: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Overview

Severity: Critical (CVSS 9.8)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: More Likely
Patch Tuesday: 2025-Oct
Released: 2025-10-14
Last Updated: 2025-10-24
EPSS Score: 75.75% (percentile: 98.9%)
CISA KEV: Listed — due 2025-11-14

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

FAQ

How could an attacker exploit this vulnerability?

A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.

What actions do I need to take to be protected from this vulnerability?

To fully address this vulnerability:

  • Windows Server customers should install the out-of-band update released on October 23, 2025.
  • Windows Servers enrolled into the hotpatch program should install the out-of-band standalone security update released on October 24, 2025.

If you cannot install the update immediately, see the Workaround section for actions you can take to be protected.

Will the out-of-band update released on October 23, 2025 require a Windows server reboot?

Yes. After you install the update you will need to reboot your system.

Will the out-of-band standalone security updates released on October 24, 2025 for Windows Servers enrolled into the hotpatch program require a reboot?

Yes. A reboot will be required only on servers that have WSUS enabled. This update will not reset the previous baseline.

How do I get the October 23, 2025 out-of-band security update?

The update is available through the following channels:

  • For customers who automatically install updates, this update will be downloaded and installed automatically from Windows Update and Microsoft Update.
  • The standalone package for this update is available on the Microsoft Update Catalog website.
  • This update will automatically sync with Windows Server Update Services (WSUS).

How do I get the October 24, 2025 out-of-band standalone security update for Windows Servers enrolled into the hotpatch program?

Windows Server 2022:

  • For customers who automatically install updates, this update will be downloaded and installed automatically from Windows Update.
  • This update will automatically sync with Windows Server Update Services (WSUS).

Windows Server 2025:

  • For customers who automatically install updates, t

Known Exploits (14)

  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2026-02-18T14:09:52Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2026-01-16T10:20:06Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-12-26T07:22:27Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-11-21T01:36:23Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-11-06T10:56:36Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-11-03T10:51:07Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-11-01T20:05:59Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-28T06:22:55Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-27T14:05:56Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-27T10:26:58Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-26T01:39:27Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-25T15:18:21Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-25T02:30:07Z
  • Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability — added 2025-10-20T14:01:15Z

Detection & Weaponization (5 sources)

Maturity: Detection

  • Metasploit modules: Windows Server Update Service Deserialization Remote Code Execution
  • Nuclei templates: Windows Server Update Service - Insecure Deserialization
  • Sigma rules: Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process, Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
  • YARA rules: expl_wsus_cve_2025_59287.yar, SIGNATURE_BASE_EXPL_WSUS_Exploitation_Indicators_Oct25, SIGNATURE_BASE_HKTL_EXPL_WSUS_Exploitation_POC_Oct25
  • GitHub PoC: 9 repositories

Affected Products (13)

Windows

  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)
  • Windows Server 2025 (Server Core installation)
  • Windows Server 2022, 23H2 Edition (Server Core installation)
  • Windows Server 2025
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)

ESU

  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)

Security Updates (7)

Acknowledgments

Markus Wulftange (https://twitter.com/mwulftange) with CODE WHITE GmbH (https://code-white.com/), MEOW, f7d8c52bec79e42795cf15888b85cbad, MEOW

Revision History

  • 2025-10-14: Information published.
  • 2025-10-23: To comprehensively address CVE-2025-59287, Microsoft has released an out-of-band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025. Note that a reboot will be required after you install the updates.
  • 2025-10-24: Updated links to security updates. This is an informational change only.
  • 2025-10-24: Security hotpatch updates are now available for supported versions of Windows Server 2022 and Windows Server 2025. Note that a reboot will be required after you install these hotpatch updates.