This advisory concerns organisations with Internet-exposed Windows servers that have the Windows Server Update Services (WSUS) server role enabled.

Background

During Patch Tuesday on October 14th, 2025, Microsoft addressed CVE-2025-59287, a deserialisation of untrusted data vulnerability in Windows Server Update Services (WSUS) that could allow an unauthenticated attacker to execute arbitrary code over the network.

Following the release, a confirmed proof-of-concept (PoC) exploit surfaced. In response, on October 23rd, 2025, Microsoft issued an out-of-band (OOB) security update to fully remediate the vulnerability. Administrators must install this update to ensure complete protection.

Threat Intelligence assessment

Microsoft’s October Patch Tuesday release did not fully close the WSUS vulnerability, and their follow-up documentation shows the subsequent out-of-band update is required for a complete fix.

A public proof-of-concept exploit exists, raising the likelihood of widespread attacks. We recommend urgent installation of the OOB update and verification that all WSUS servers are patched.

Affected systems

The vulnerability affects multiple versions of Windows Server 2012-2025 that are exposed to the Internet and have the WSUS server role enabled. See Microsoft's Security Update Guide for CVE-2025-59287 for a comprehensive list.

Note that the WSUS server role is disabled by default, meaning systems are not affected unless this role has been explicitly enabled and configured by an administrator.

Recommendations

Affected organisations should apply the OOB update as soon as possible.

While alternative mitigations are available, applying them effectively disables WSUS functionality, namely:

  • Disabling the WSUS server role; or
  • Blocking incoming traffic on ports 8530 and 8531 to the server.
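
The checks and the port-blocking mitigation above can be scripted per server. The following PowerShell is an added example, not part of the original advisory or Microsoft's guidance; it assumes the ServerManager and NetSecurity modules are available, and the KB value is a placeholder because the advisory does not give the OOB update's KB number.

```powershell
# Added example: audit one server for the conditions named in this advisory.
param(
    # Placeholder: replace with the OOB update KB listed for your OS build
    # in Microsoft's Security Update Guide for CVE-2025-59287.
    [string]$OobKb = 'KB0000000',
    # Apply the firewall mitigation. This stops clients reaching WSUS.
    [switch]$BlockPorts
)

$wsusPorts = 8530, 8531

# 1. The WSUS role is disabled by default; a server without it is not affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output "$env:COMPUTERNAME: WSUS server role not installed."
    return
}

# 2. Is anything listening on the WSUS ports?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $wsusPorts `
    -ErrorAction SilentlyContinue

# 3. Is the OOB update recorded as installed? Get-HotFix reads
#    Win32_QuickFixEngineering; confirm against update history if unsure.
$patched = [bool](Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue)

[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    WsusRoleInstalled = $true
    ListeningPorts    = ($listeners.LocalPort | Sort-Object -Unique) -join ','
    OobUpdateFound    = $patched
}

# 4. Optional interim mitigation: block inbound 8530/8531 until patched.
if ($BlockPorts -and -not $patched) {
    New-NetFirewallRule -DisplayName 'Block inbound WSUS (CVE-2025-59287)' `
        -Direction Inbound -Action Block -Protocol TCP `
        -LocalPort $wsusPorts | Out-Null
    Write-Output 'Inbound TCP 8530/8531 blocked; remove the rule after patching.'
}
```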
