What is the Vulnerability?

CVE-2025-59287 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization of untrusted data, allowing attackers to execute arbitrary code on vulnerable servers without authentication.

A public proof-of-concept exploit has been released, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing active exploitation in the wild.

Organizations should prioritize immediate patching or isolation of any internet-facing or exposed WSUS servers to prevent compromise.

What is the recommended Mitigation?

The vulnerability impacts Windows Server installations with the WSUS role enabled, including Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025.

  • Apply Microsoft’s out-of-band security update released on October 23, 2025 (referenced in Microsoft’s official advisory and KB documentation).

  • Restrict network access to WSUS servers, ensuring they are not exposed to untrusted or external networks.

  • Review system logs for unusual activity or unauthorized WSUS access attempts.
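The first two mitigation steps can be checked on each server with a short PowerShell script run from an elevated prompt. This is an added example, not FortiGuard or Microsoft code: the KB id is a placeholder to be replaced with the value from Microsoft's advisory, and ports 8530/8531 are assumed because they are the WSUS defaults.

```powershell
# Added example: WSUS exposure triage for CVE-2025-59287 (run elevated on the server).
param(
    # Placeholder: use the KB number for your OS build from Microsoft's advisory.
    [string]$KbId = 'KB0000000',
    # Assumption: WSUS default HTTP/HTTPS ports; adjust if the IIS site uses others.
    [int[]]$WsusPorts = @(8530, 8531)
)

# 1. Only servers with the WSUS role enabled are affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role not installed on this server.'
    return
}

# 2. Is the out-of-band update present?
$patched = [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
Write-Output "WSUS role installed. Update $KbId present: $patched"

# 3. Which WSUS ports are listening, and on which local addresses?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $WsusPorts } |
    Select-Object LocalAddress, LocalPort |
    Sort-Object LocalPort -Unique

# 4. Enabled inbound allow rules that cover those ports from any source.
#    Limitation: port ranges such as '8000-9000' are not expanded here.
$wanted = @($WsusPorts | ForEach-Object { "$_" }) + 'Any'
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $hit  = @($port.LocalPort) | Where-Object { $_ -in $wanted }
        if ($hit -and (@($addr.RemoteAddress) -contains 'Any')) {
            [pscustomobject]@{
                Rule       = $rule.DisplayName
                LocalPorts = @($port.LocalPort) -join ','
                Remote     = 'Any'
            }
        }
    }
```

Any rule listed by step 4 should be narrowed to the management and client subnets that need WSUS. A later cumulative update that supersedes the out-of-band one will not match the KB id, so compare the OS build against Microsoft's advisory in that case.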

What FortiGuard Coverage is available?

  • FortiGuard IPS Service detects and blocks exploit attempts targeting CVE-2025-59287.

    Intrusion Prevention | FortiGuard Labs

  • FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface.

    Endpoint Vulnerability | FortiGuard Labs

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.