Microsoft Reissues Emergency WSUS Patch as Exploitation Begins

Reports of in-the-wild exploitation elevate the risk for organizations running WSUS.

Overview

  • Microsoft released out-of-band cumulative updates on October 24 for Windows Server 2012 through 2025 to fully address CVE-2025-59287, with a system reboot required after installation.
  • CVE-2025-59287 is an unsafe deserialization flaw that enables unauthenticated remote code execution via a crafted event and affects only servers with the WSUS role enabled.
  • Public proof-of-concept code is available, and national and private teams including NCSC-NL, Eye Security, Huntress and WatchTowr reported exploitation activity on October 24.
  • CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and urged rapid remediation or temporary shutdown of exposed WSUS services.
  • If immediate patching is not possible, Microsoft advises disabling the WSUS role or blocking ports 8530 and 8531, which halts update delivery. Exposure estimates range from roughly 2,500 to more than 8,000 internet-facing instances.
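
The port-block workaround above can be audited and applied on a single server as follows. This is an added example, not Microsoft's or any vendor's script; it assumes an elevated PowerShell session on Windows Server with the ServerManager and NetSecurity modules, and the function and rule names are constructed for illustration.

```powershell
# Added example: report whether this server is affected by the WSUS issue and,
# with -Block, create an inbound firewall rule for the WSUS ports.
# The function name and rule name are constructed, not from any advisory.
function Invoke-WsusExposureCheck {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int[]]$Ports = @(8530, 8531),
        [string]$RuleName = 'Temp-Block-WSUS-CVE-2025-59287',
        [switch]$Block
    )

    # Only servers with the WSUS role enabled are affected.
    $role = Get-WindowsFeature -Name UpdateServices
    if (-not $role.Installed) {
        return [pscustomobject]@{
            WsusRole = $false; Listening = @(); BlockRule = $false
            Action   = 'None: WSUS role not enabled'
        }
    }

    # Which of the WSUS ports currently have a listener?
    $listening = @(Get-NetTCPConnection -State Listen -LocalPort $Ports `
            -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique)

    $rule   = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    $action = 'Report only'

    # Blocking stops update delivery to clients, so it is opt-in and honours -WhatIf.
    if ($Block -and -not $rule -and
        $PSCmdlet.ShouldProcess(($Ports -join ','), 'Block inbound TCP')) {
        $rule = New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort $Ports -Action Block
        $action = 'Block rule created'
    }

    [pscustomobject]@{
        WsusRole  = $true
        Listening = $listening
        BlockRule = [bool]$rule
        Action    = $action
    }
}

# Report only:            Invoke-WsusExposureCheck
# Preview the block rule: Invoke-WsusExposureCheck -Block -WhatIf
# Apply the block rule:   Invoke-WsusExposureCheck -Block
```

Once the out-of-band update is installed and the server has rebooted, the temporary rule can be removed with `Remove-NetFirewallRule -DisplayName 'Temp-Block-WSUS-CVE-2025-59287'`.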