Windows Server WSUS Flaw Under Active Attack (CVE-2025-59287, CVSS 9.8) with Public PoC
Hackers have begun actively exploiting a newly disclosed vulnerability in the Windows Server Update Services (WSUS) component. The flaw, tracked as CVE-2025-59287, already has a publicly available proof-of-concept (PoC) exploit, dramatically increasing the likelihood of widespread attacks. The issue affects Windows servers with the WSUS Server role enabled and configured to distribute updates to other WSUS instances on the network; the WSUS Server role is not enabled by default, so a server without it is not affected. On an affected server, a remote attacker can execute arbitrary code without authentication or user interaction and obtain SYSTEM-level privileges. Without proper network isolation, a compromise may propagate laterally from one WSUS server to another.
Microsoft has released out-of-band security updates to remediate the flaw and urges administrators to apply them immediately. Patches are available for all supported versions of Windows Server:
- KB5070881 for Windows Server 2025
- KB5070879 for version 23H2
- KB5070884 for 2022
- KB5070883 for 2019
- KB5070882 for 2016
- KB5070886 and KB5070887 for 2012 R2 and 2012
For organizations unable to deploy the patches promptly, Microsoft recommends temporary mitigations: disabling the WSUS Server role, or blocking inbound traffic to the WSUS ports (8530/TCP and 8531/TCP by default) on the host firewall. Both measures stop the server from serving updates to its clients until they are reverted, so they are a stopgap, not a substitute for the patch.
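The two stopgap mitigations above, as an added PowerShell example for an elevated session on the WSUS host (this is illustrative code written for this article, not Microsoft's own script). It assumes the default WSUS ports; if your deployment was set up on custom ports, adjust `$ports` accordingly.

```powershell
# Added example, not from the original article or from Microsoft.
# Run in an elevated PowerShell session on the WSUS server. Pick ONE option;
# both stop WSUS from serving updates until the server is patched and the change is reverted.

# First confirm the server is actually in scope: is the WSUS Server role installed?
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Host "WSUS Server role is not installed; this host is not affected by CVE-2025-59287."
    return
}

# Option A: remove the WSUS Server role entirely (requires a restart).
# The WSUS database and content directory stay on disk and can be re-attached after patching.
# Uninstall-WindowsFeature -Name UpdateServices -Restart

# Option B: block inbound traffic to the WSUS ports on the host firewall.
$ports = @(8530, 8531)   # assumption: default HTTP/HTTPS WSUS ports; change if you use custom ports
foreach ($p in $ports) {
    New-NetFirewallRule -DisplayName "Block inbound WSUS $p (CVE-2025-59287 mitigation)" `
        -Direction Inbound -Protocol TCP -LocalPort $p -Action Block -Profile Any | Out-Null
}

# Verify: what is still listening on those ports, and which block rules now exist.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in $ports } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayName "Block inbound WSUS*" | Get-NetFirewallPortFilter |
    Select-Object InstanceID, Protocol, LocalPort

# After the out-of-band update is installed, revert Option B:
# Get-NetFirewallRule -DisplayName "Block inbound WSUS*" | Remove-NetFirewallRule
```

Option B only blocks traffic at the host firewall; it does not change the exposure of any load balancer or perimeter device that forwards 8530/8531 to the server, so check those separately.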
Late last week, researchers from HawkTrace Security published a demonstration PoC for CVE-2025-59287. Although the sample does not consistently achieve arbitrary command execution, its release triggered a sharp increase in malicious activity. By the morning of October 24, the Dutch cybersecurity firm Eye Security reported the first scans and exploitation attempts, noting that one of its clients had already been attacked with a modified version of the exploit. Meanwhile, Huntress, a U.S.-based company, also detected ongoing intrusions targeting internet-exposed WSUS servers reachable via the default 8530/TCP and 8531/TCP ports.
According to Eye Security, approximately 2,500 WSUS servers are currently exposed online worldwide, with around 250 located in Germany and 100 in the Netherlands. Huntress estimated about 25 vulnerable hosts among its partners but warned that the availability of a working exploit and the surge in network scanning significantly increase the risk of further compromises. In observed attacks, adversaries executed PowerShell commands such as whoami, net user /domain, and ipconfig /all to gather host and domain intelligence and exfiltrated the results to an external webhook, behavior consistent with initial reconnaissance ahead of lateral movement or domain-level privilege escalation.
The Dutch National Cyber Security Centre (NCSC-NL) confirmed active exploitation and cautioned that the presence of public PoC code amplifies the threat. Its advisory emphasized that WSUS servers should never be directly exposed to the internet, as open 8530 and 8531 ports drastically heighten the risk of compromise.
Microsoft has classified CVE-2025-59287 as “Exploitation More Likely,” signaling a high probability of real-world attacks. Administrators are strongly advised to apply patches without delay, close external WSUS ports, and review system logs for suspicious PowerShell activity or unauthorized network connections.
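A log review for the activity described above, as an added example written for this article (not a detection published by Huntress, Eye Security or Microsoft). It assumes process-creation auditing with command-line logging is enabled (Security event 4688), and that WSUS code runs under the IIS worker process w3wp.exe or WsusService.exe, neither of which should ever spawn a shell; those parent-process names are the assumption the hunt rests on.

```powershell
# Added example, not from the original article. Hunts the Security log on a WSUS server
# for process-creation events (4688) in which a WSUS-hosting process launched a shell,
# then flags command lines matching the reconnaissance and exfiltration seen in the wild.
# Assumptions: 4688 auditing with "Include command line in process creation events" enabled;
# WSUS runs under w3wp.exe (WsusPool) or WsusService.exe, so those parents should never spawn cmd/powershell.
$since    = (Get-Date).AddDays(-7)
$parents  = @('w3wp.exe', 'wsusservice.exe')
$children = @('cmd.exe', 'powershell.exe', 'pwsh.exe')

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue

$hits = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    $parent = ([IO.Path]::GetFileName([string]$d['ParentProcessName'])).ToLower()
    $child  = ([IO.Path]::GetFileName([string]$d['NewProcessName'])).ToLower()
    if ($parents -contains $parent -and $children -contains $child) {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Parent  = $d['ParentProcessName']
            Child   = $d['NewProcessName']
            User    = $d['SubjectUserName']
            Command = $d['CommandLine']
        }
    }
}

"Shell spawned by a WSUS process ($($hits.Count) events since $since):"
$hits | Sort-Object Time | Format-Table Time, User, Parent, Child -AutoSize

# Triage: recon commands and outbound posts matching what was reported in observed attacks
$pattern = 'whoami|net\s+user|ipconfig|Invoke-WebRequest|Invoke-RestMethod|curl|-enc|FromBase64String'
$hits | Where-Object { $_.Command -match $pattern } |
    Format-List Time, User, Command
```

Any hit is worth treating as a confirmed compromise rather than a false positive: a WSUS worker process has no legitimate reason to start a shell. If Sysmon is deployed, the same logic applies to Event ID 1 in Microsoft-Windows-Sysmon/Operational using its ParentImage, Image and CommandLine fields, which are populated even where 4688 command-line logging is off.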