Executive Summary
On Oct. 14, 2025, a critical, unauthenticated remote code execution (RCE) vulnerability was identified in Microsoft's Windows Server Update Services (WSUS), a core enterprise component for patch management. Microsoft's initial patch during the October Patch Tuesday did not fully address the flaw, necessitating an emergency out-of-band security update released Oct. 23, 2025. Within hours of the emergency update, Unit 42 and other security researchers observed active exploitation in the wild. The combination of a remotely exploitable, unauthenticated RCE in a core infrastructure service, coupled with observed active exploitation in the wild, represents a severe and time-sensitive risk.
Key details of the threat are summarized below:
- Vulnerability: Critical Remote Code Execution (RCE) in Windows Server Update Services (WSUS), tracked as CVE-2025-59287 (CVSS 9.8).
- Impact: Allows a remote, unauthenticated attacker to execute arbitrary code with system privileges on affected servers.
- Status: Actively Exploited. Threat actors were observed exploiting the vulnerability within hours of Microsoft releasing an emergency patch on Oct. 23.
- Urgency: The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog on Oct. 24, underscoring the immediate risk.
For organizations unable to deploy the emergency patches immediately, Microsoft has recommended temporary workarounds to mitigate the risk.
Palo Alto Networks customers are better protected from activity related to CVE-2025-59287 through the following products and services:
- Cortex XDR and XSIAM
The Unit 42 Incident Response team can also be engaged to help with a compromise or to provide a proactive assessment to lower your risk.
Related Unit 42 Topics: CVE-2025-59287, Microsoft
Details of CVE-2025-59287
WSUS is a foundational tool for IT administrators, enabling the centralized management and distribution of Microsoft product updates across corporate networks. Its role as a trusted source for software patches makes it a high-value target; a compromise of a WSUS server can provide a foothold for lateral movement and widespread network compromise.
The vulnerability is rooted in an "unsafe deserialization of untrusted data." Security researchers have identified multiple attack paths, including sending a specially crafted request to the GetCookie() endpoint, which causes the server to improperly deserialize an AuthorizationCookie object using the insecure BinaryFormatter. Another path targets the ReportingWebService to trigger unsafe deserialization via SoapFormatter. In both cases, a remote, unauthenticated attacker can trick the system into executing malicious code with the highest level of system privileges.
The scope of this vulnerability is specific to systems with the WSUS role enabled:
- Affected Software: Microsoft Windows Server 2012, 2012 R2, 2016, 2019, 2022 (including 23H2 Edition) and 2025.
- Required Condition: The vulnerability only affects servers where the WSUS Server Role is enabled. This feature is not enabled by default.
Current Scope of the Attack Using CVE-2025-59287
Following the public disclosure of a proof-of-concept exploit, Unit 42, along with other security firms, quickly detected active scanning and exploitation.
Analysis of the attacks observed by Unit 42 reveals a consistent methodology focused on initial access and internal network reconnaissance.
- Initial Access: Attackers target publicly exposed WSUS instances on their default TCP ports, 8530 (HTTP) and 8531 (HTTPS).
- Execution: Malicious PowerShell commands are executed via specific parent processes. Observed forensic process chains include wsusservice.exe → cmd.exe → cmd.exe → powershell.exe and w3wp.exe → cmd.exe → cmd.exe → powershell.exe.
- Reconnaissance: The initial payload executes commands to gather intelligence on the internal network environment, including whoami, net user /domain, and ipconfig /all. This initial command set is designed to rapidly map the internal domain structure and identify high-value user accounts, providing the attacker with an immediate blueprint for lateral movement.
- Data Exfiltration: Collected information is exfiltrated to a remote, attacker-controlled Webhook.site endpoint using a PowerShell payload that attempts Invoke-WebRequest and falls back to curl.exe if needed.
Cortex Xpanse identified approximately 5,500 WSUS instances exposed to the internet, providing a tangible metric for the global attack surface. This reconnaissance-focused TTP indicates that initial exploitation is a precursor to broader network compromise, making immediate remediation and threat hunting paramount.
Interim Guidance
Microsoft has recommended temporary workarounds to mitigate the risk for organizations unable to deploy the emergency patches immediately. These measures should be considered interim solutions until patching can be completed.
We recommend that affected organizations follow this guidance to address the issue, and check Microsoft's official guidance regularly for updates.
As of Oct. 27, the guidance consisted of the following mitigations:
1. Disable the WSUS Server Role: Disabling the WSUS role on the server removes the attack vector entirely. However, this will prevent the server from managing and distributing updates to client systems.
2. Block High-Risk Ports: Block all inbound traffic to TCP ports 8530 and 8531 on the host-level firewall. As recommended by Microsoft, this removes the attack vector but will prevent the server from managing and distributing updates.
Unit 42 Managed Threat Hunting Queries
The Unit 42 Managed Threat Hunting team continues to track any attempts to exploit this CVE across our Managed Services customers, using telemetry available within Cortex XDR. Cortex XDR customers who don’t leverage Unit 42 Managed Services can also use the following XQL query to search for signs of exploitation.
```
// Title: WSUS RCE - Potential CVE-2025-59287 exploitation
// Description: Query looks for potential CVE-2025-59287 exploitation via identifying children processes of the WSUS service and IIS.
// MITRE ATT&CK TTP ID: T1190
dataset = xdr_data
| fields _time, agent_hostname, action_process_username, action_process_image_name, action_process_image_path, action_process_image_command_line, action_process_image_sha256, action_process_cwd, action_process_file_info, action_process_file_size, actor_effective_username, actor_process_image_name, actor_process_image_path, actor_process_command_line, actor_process_image_sha256, causality_actor_primary_username, causality_actor_process_image_name, causality_actor_process_image_path, causality_actor_process_command_line, causality_actor_process_image_sha256, os_actor_primary_username, os_actor_process_image_name, os_actor_process_image_path, os_actor_process_command_line, os_actor_process_image_sha256, agent_id, agent_os_type, agent_os_sub_type, event_type, event_sub_type, event_id
| filter agent_os_type = ENUM.AGENT_OS_WINDOWS and event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
| filter (lowercase(actor_process_image_name) = "wsusservice.exe" or lowercase(causality_actor_process_image_name) = "wsusservice.exe")
    or (lowercase(causality_actor_process_image_name) = "w3wp.exe" and lowercase(causality_actor_process_command_line) contains "wsuspool")
    or (lowercase(actor_process_image_name) = "w3wp.exe" and lowercase(actor_process_command_line) contains "wsuspool")
| filter not (lowercase(action_process_image_name) = "svchost.exe" and action_process_image_command_line contains "BITS")
    and lowercase(action_process_image_name) not in ("conhost.exe", "csc.exe", "cvtres.exe", "vbc.exe", "werfault.exe", "*wsuscertserver.exe", "*wsusservice.exe", "w3wp.exe")
| filter not (lowercase(actor_process_image_name) = "svchost.exe" and actor_process_command_line contains "BITS")
| sort asc _time
```
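As an added example (not Unit 42's code and not the Cortex XQL query), the same process-chain logic from the observed attack methodology and the hunting query above, ported to Python so it can be run offline over constructed process-start events; it generalizes the query by walking every ancestor rather than only the direct parent and causality root. Event field names and sample command lines are assumptions.

```python
# Added example, not Unit 42's code: an offline port of the brief's hunting logic over
# constructed events, using the same WSUS/WsusPool origins and exclusions as the XQL query.
from collections import namedtuple

# Minimal process-start record (field names are assumptions, not the Cortex XDR schema).
ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

BENIGN_CHILDREN = {"conhost.exe", "csc.exe", "cvtres.exe", "vbc.exe", "werfault.exe",
                   "wsuscertserver.exe", "wsusservice.exe", "w3wp.exe"}

def is_wsus_origin(ev):
    """The WSUS service itself, or an IIS worker whose command line names WsusPool."""
    img = ev.image.lower()
    return img == "wsusservice.exe" or (img == "w3wp.exe" and "wsuspool" in ev.cmdline.lower())

def is_bits_svchost(ev):
    """BITS host process: WSUS legitimately drives downloads through it, so treat it as noise."""
    return ev.image.lower() == "svchost.exe" and "BITS" in ev.cmdline

def find_suspicious_chains(events):
    """Return 'origin -> ... -> child' for every non-excluded descendant of a WSUS origin."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if (ev.image.lower() in BENIGN_CHILDREN or is_bits_svchost(ev)
                or (parent is not None and is_bits_svchost(parent))):
            continue
        chain, cur = [ev.image], parent
        while cur is not None:          # walk up until a WSUS origin or the tree root
            chain.append(cur.image)
            if is_wsus_origin(cur):
                hits.append(" -> ".join(reversed(chain)))
                break
            cur = by_pid.get(cur.ppid)
    return hits

# Constructed sample telemetry (not real logs): one WSUS chain, one WsusPool chain, BITS noise.
SAMPLE = [
    ProcEvent(200, 100, "WsusService.exe", "WsusService.exe"),
    ProcEvent(300, 100, "svchost.exe", "svchost.exe -k netsvcs -p -s BITS"),
    ProcEvent(301, 300, "powershell.exe", "powershell.exe -Command Get-Date"),
    ProcEvent(400, 200, "cmd.exe", "cmd.exe /c cmd.exe /c powershell.exe"),
    ProcEvent(401, 400, "cmd.exe", "cmd.exe /c powershell.exe"),
    ProcEvent(402, 401, "powershell.exe", "powershell.exe -Command whoami; net user /domain; ipconfig /all"),
    ProcEvent(403, 402, "conhost.exe", "conhost.exe 0x4"),
    ProcEvent(500, 100, "w3wp.exe", 'w3wp.exe -ap "WsusPool" -v "v4.0" -l "webengine4.dll"'),
    ProcEvent(501, 500, "cmd.exe", "cmd.exe /c whoami"),
]
```

Running `find_suspicious_chains(SAMPLE)` reports the two-stage cmd.exe chain under WsusService.exe and the cmd.exe under the WsusPool worker, while the BITS svchost child and conhost.exe are filtered out.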
Conclusion
Based on the amount of publicly available information, the ease of use and the effectiveness of this exploit, Palo Alto Networks highly recommends following Microsoft’s guidance to protect your organization.
This vulnerability and its subsequent weaponization serve as an illustration of how configuration failures enable exploitation. While the WSUS vulnerability provides the technical vector, its potentially severe impact is a direct consequence of lapses in security hygiene.
The exposure of an internal-facing service, such as WSUS, to the public internet constitutes a significant misconfiguration that elevates a localized server vulnerability into a potential enterprise-wide, supply-chain compromise. This underscores that rigorous asset management and disciplined network segmentation are critical security controls, essential for mitigating the escalation of isolated flaws into systemic organizational breaches.
Palo Alto Networks has shared our findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
Palo Alto Networks customers are better protected by our products, as listed below. We will update this threat brief as more relevant information becomes available.
Palo Alto Networks Product Protections for CVE-2025-59287
Palo Alto Networks customers can leverage a variety of product protections and updates to help identify and defend against this threat.
If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
- North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
- UK: +44.20.3743.3660
- Europe and Middle East: +31.20.299.3130
- Asia: +65.6983.8730
- Japan: +81.50.1790.0200
- Australia: +61.2.4062.7950
- India: 000 800 050 45107
Cortex XDR and XSIAM
Cortex XDR and XSIAM help protect against post-exploitation activities using the multi-layer protection approach.
Indicators of Compromise
- hxxp://webhook[.]site/22b6b8c8-2e07-4878-a681-b772e569aa6a
Updated Oct. 27, 2025, at 1:50 p.m. PT to update Cortex product protection language.
Updated Oct. 27, 2025, at 2:37 p.m. PT to add Managed Threat Hunting queries.