Catenaa, Friday, October 31, 2025- Hackers are actively exploiting a critical flaw in Microsoft Windows Server Update Service (WSUS) that allows unauthorized code execution, security researchers warned early this week.
The vulnerability, identified as CVE-2025-59287, stems from deserialization of untrusted data, making affected systems highly vulnerable.
Researchers at Huntress reported attacks in four customer networks, describing the exploit as a simple “point-and-shoot” method.
The release of a proof-of-concept has made it easily accessible to threat actors, increasing the urgency for organizations to patch affected servers. Microsoft issued an out-of-band update Thursday after acknowledging that an earlier patch did not fully address the flaw.
WSUS, which manages deployment of Microsoft product updates, can be abused by attackers to move laterally within networks and gain elevated access.
The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog and recommended immediate mitigation for servers with WSUS roles enabled and ports 8530/8531 open.
Experts warned that compromise of a single WSUS server could allow attackers to distribute malware disguised as legitimate updates, impacting all connected workstations. Shadowserver reported roughly 2,800 visible instances of potentially affected servers, though the exact number of vulnerable systems is still being confirmed. ‘
Arctic Wolf and Palo Alto Networks highlighted ongoing campaigns and common neglect of WSUS security as factors increasing risk.
Organizations are urged to prioritize patching and follow Microsoft’s guidance to prevent internal supply chain attacks and maintain system integrity.
