Cyber Security News

CISA Shares New Threat Detections for Actively Exploited WSUS Vulnerability

In a critical update issued on October 29, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) has provided organizations with enhanced guidance on detecting and mitigating threat activity related to the actively exploited CVE-2025-59287 vulnerability in Microsoft’s Windows Server Update Services (WSUS).

This remote code execution flaw, rated at a CVSS score of 9.8, allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected servers, posing severe risks to enterprise networks.

Microsoft initially addressed the issue in October’s Patch Tuesday release, but issued an out-of-band update on October 23, 2025, after discovering the prior fix was incomplete; CISA added the CVE to its Known Exploited Vulnerabilities (KEV) Catalog the following day.

Exploitation has surged in the wild, with reports of attackers using proxy networks and public proof-of-concept exploits to harvest sensitive data such as user credentials and network configurations.

WSUS Vulnerability and Exploitation

CVE-2025-59287 stems from unsafe deserialization of untrusted data in WSUS, specifically the insecure .NET BinaryFormatter used to process AuthorizationCookie objects reached through endpoints such as GetCookie() in the ClientWebService, and SoapFormatter-based handling in the ReportingWebService.

Attackers craft malicious SOAP requests containing base64-encoded payloads, encrypted with AES-128-CBC, which bypass validation and trigger code execution upon deserialization.

This vulnerability affects only servers with the WSUS role enabled, a feature not active by default, which listens for network traffic on TCP ports 8530 and 8531.

The flaw’s network-based attack vector requires no privileges or user interaction, enabling rapid compromise of update management infrastructure, which attackers leverage for lateral movement and data exfiltration.

CVE ID: CVE-2025-59287
Description: Deserialization of untrusted data in WSUS allows remote code execution.
CVSS v3.1 Score: 9.8
Severity: Critical
Affected Products: Windows Server 2012, 2012 R2, 2016, 2019, 2022 (incl. 23H2), 2025 with WSUS role enabled.
Exploitation Prerequisites: Unauthenticated access to TCP ports 8530/8531; crafted requests to ClientWebService or ReportingWebService.
Impact: Arbitrary code execution with SYSTEM privileges; potential for network enumeration, credential theft, and persistence.

Organizations must prioritize identifying vulnerable servers using PowerShell commands like Get-WindowsFeature -Name UpdateServices or the Server Manager Dashboard to confirm WSUS enablement.

Applying the October 23 out-of-band patch followed by a reboot is essential, with temporary workarounds including disabling the WSUS role or blocking inbound traffic to the exposed ports at the host firewall.
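The inventory and workaround steps above, combined into one script. This is an added example, not code from CISA, Microsoft or the article. It assumes an elevated PowerShell session on a Windows Server host with the ServerManager and NetSecurity modules available (standard on Windows Server), and the KB number is a placeholder: substitute the identifier of the October 23, 2025 out-of-band update from Microsoft's advisory.

```powershell
# Added example (not from CISA, Microsoft or the article): report whether this
# host runs the WSUS role, whether TCP 8530/8531 are listening, whether the
# out-of-band update is installed, and optionally apply the host-firewall
# workaround. Run in an elevated session. The KB is a placeholder.

function Invoke-WsusExposureCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # When set, adds a host-firewall rule blocking inbound TCP 8530/8531
        # (the temporary workaround) if the WSUS role is present and unpatched.
        [switch]$BlockPorts,
        # Placeholder: replace with the KB of the Oct 23, 2025 out-of-band update.
        [string]$OobKb = 'KB<placeholder>'
    )

    $ports  = 8530, 8531
    $result = [ordered]@{
        Computer     = $env:COMPUTERNAME
        WsusRole     = $false
        Listening    = @()
        OobPatch     = $false
        FirewallRule = 'none'
    }

    # 1. Is the WSUS role installed? It is not enabled by default.
    Import-Module ServerManager -ErrorAction Stop
    $feature = Get-WindowsFeature -Name UpdateServices
    $result.WsusRole = [bool]$feature.Installed

    # 2. Are the WSUS ports actually listening on this host?
    $result.Listening = @(Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique)

    # 3. Is the out-of-band update present? (Get-HotFix errors if the KB is absent.)
    $result.OobPatch = [bool](Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue)

    # 4. Temporary workaround: block inbound traffic to the exposed ports until
    #    the patch is applied and the server rebooted.
    $ruleName = 'CVE-2025-59287 temporary WSUS inbound block'
    $existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
    if ($existing) {
        $result.FirewallRule = 'present'
    } elseif ($BlockPorts -and $result.WsusRole -and -not $result.OobPatch) {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Block inbound TCP $($ports -join ',')")) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort $ports -Action Block -Profile Any | Out-Null
            $result.FirewallRule = 'created'
        }
    }

    [pscustomobject]$result
}

# Report only:
Invoke-WsusExposureCheck | Format-List
# Apply the workaround (honours -WhatIf / -Confirm):
# Invoke-WsusExposureCheck -BlockPorts -WhatIf
```

The firewall rule is only created when the role is installed and the placeholder KB is not found, so once the real KB is substituted and the patch lands, re-running the script reports the rule as present rather than creating a second one; remove the rule after patching and rebooting so clients can reach the server again.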

CISA’s latest advisory emphasizes proactive threat hunting, urging administrators to monitor for anomalous activity such as child processes spawned with SYSTEM permissions from wsusservice.exe or w3wp.exe, including nested PowerShell instances executing base64-encoded commands.

Observed tactics include spawning cmd.exe and powershell.exe for enumeration via net user /domain and ipconfig /all, with outputs exfiltrated to webhook sites or Cloudflare Workers subdomains for command-and-control.

These behaviors may mimic legitimate operations but warrant vetting, especially alongside deserialization errors in WSUS logs or unusual POST requests to Client.asmx endpoints.
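A hunting script for the behaviours described in the three paragraphs above, added here as an example and not taken from CISA, Huntress or the article. It reads Windows Security event ID 4688 (process creation) and assumes "Audit Process Creation" is enabled and, for the command line field, "Include command line in process creation events" is turned on; the SoftwareDistribution.log path is the default WSUS log location and is an assumption. ParentProcessName is absent from 4688 on Windows Server 2012, where those events are skipped.

```powershell
# Added example (not from CISA, Huntress or the article): flag cmd.exe /
# powershell.exe spawned by wsusservice.exe or w3wp.exe, the recon commands
# named in the advisory, and base64 -EncodedCommand invocations. Run elevated
# on the WSUS server. Requires process-creation auditing (event ID 4688).

function Find-WsusSuspiciousChildren {
    param(
        [int]$LookbackHours = 24,
        [string[]]$Parents  = @('wsusservice.exe', 'w3wp.exe'),
        [string[]]$Children = @('cmd.exe', 'powershell.exe', 'pwsh.exe')
    )

    # Enumeration commands and encoded-command switches called out by CISA.
    $reconPattern   = '(?i)net\s+user\s+/domain|ipconfig\s+/all'
    $encodedPattern = '(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})'

    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddHours(-$LookbackHours) }

    foreach ($evt in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $parent = [IO.Path]::GetFileName([string]$data['ParentProcessName']).ToLower()
        $child  = [IO.Path]::GetFileName([string]$data['NewProcessName']).ToLower()
        if ($Parents -notcontains $parent -or $Children -notcontains $child) { continue }

        $cmd     = [string]$data['CommandLine']
        $reasons = @("$child spawned by $parent")
        if ($cmd -match $reconPattern) { $reasons += 'domain/network enumeration command' }

        # Decode -EncodedCommand payloads (UTF-16LE base64) for the analyst.
        $decoded = $null
        if ($cmd -match $encodedPattern) {
            $reasons += 'base64-encoded PowerShell command'
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) } catch { }
        }

        [pscustomobject]@{
            Time    = $evt.TimeCreated
            User    = $data['SubjectUserName']
            Parent  = $parent
            Child   = $child
            Command = $cmd
            Decoded = $decoded
            Reasons = $reasons -join '; '
        }
    }
}

# Companion check: deserialization errors in the WSUS log (default path assumed).
function Find-WsusDeserializationErrors {
    param([string]$LogPath = "$env:ProgramFiles\Update Services\LogFiles\SoftwareDistribution.log")
    if (Test-Path $LogPath) {
        Select-String -Path $LogPath -Pattern 'SerializationException|deserializ' |
            Select-Object LineNumber, Line
    }
}

Find-WsusSuspiciousChildren | Format-Table -AutoSize
Find-WsusDeserializationErrors | Format-Table -AutoSize
```

Hits are not proof of compromise: administrative tooling can also launch shells under w3wp.exe, which is why each row carries its reasons and the decoded command so an analyst can vet it, as the advisory recommends, against the WSUS log errors and POST traffic to Client.asmx.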

Additional resources from Huntress detail real-world exfiltration scripts, while Palo Alto Networks Unit 42 highlights consistent attacker methodologies involving proxy obfuscation.

Federal agencies face a November 14, 2025, remediation deadline, but all entities should act immediately to safeguard their update pipelines against this high-impact threat.


Guru Baran

Gurubaran is the Co-Founder and Editor-in-Chief of CyberSecurityNews.com, specializing in vulnerability analysis, malware research, ransomware, and computer forensics.
