A critical vulnerability has been discovered in Windows Server Update Service (WSUS) that allows an unauthenticated attacker to execute arbitrary code remotely. Successful exploitation could lead to a complete compromise of the WSUS server, which could then be used to distribute malware to all connected Windows clients and servers within the organization, resulting in a widespread network breach.

This vulnerability is an insecure deserialization flaw. The WSUS application listens for network data, and when it receives a specially crafted malicious message, it improperly deserializes this data. This process allows an attacker's input to be executed as code on the server with the privileges of the WSUS service, which are typically high (SYSTEM-level). An attacker can trigger this vulnerability remotely over the network without needing any prior authentication.

This vulnerability is rated as critical severity with a CVSS score of 9.8. A successful exploit would grant an attacker complete administrative control over the WSUS server. Since WSUS is a central, trusted authority for distributing software patches, a compromised server poses a catastrophic risk. An attacker could use it to deploy ransomware, spyware, or other malware to every Windows computer in the organization, leading to widespread data theft, operational disruption, and significant financial and reputational damage.

Immediate Action: Immediately apply the security updates provided by Microsoft to all affected Windows Server Update Service (WSUS) instances. Prioritize patching internet-facing or otherwise exposed servers. After patching, monitor for any signs of exploitation and review access logs for unusual activity that may have occurred before the patch was deployed.

Proactive Monitoring: Monitor network traffic to and from the WSUS server (typically on ports 8530/8531) for unusual patterns or connections from untrusted sources. Scrutinize system logs for unexpected processes being spawned by the WSUS service (wsusservice.exe or the associated w3wp.exe process). Review IIS logs on the WSUS server for malformed requests or deserialization-related error messages.

Compensating Controls: If patching is not immediately possible, restrict network access to the WSUS server ports to only known, trusted IP addresses using host-based or network firewalls. Implement network segmentation to isolate the WSUS server from other critical infrastructure. Deploy an Intrusion Prevention System (IPS) with signatures capable of detecting and blocking deserialization attack patterns.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for complete network compromise, organizations must treat the remediation of CVE-2025-59287 as a top priority. All affected Windows Server Update Service instances must be patched immediately. While this vulnerability is not currently on the CISA KEV catalog, its severity makes it a prime candidate for future inclusion. Proactive patching is the most effective defense to prevent exploitation.