Microsoft issues out-of-band fix for WSUS vulnerability CVE-2025-59287

Microsoft released an out-of-band security update that it says comprehensively addresses CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services (WSUS) that has been reported as exploited in the wild. The flaw is a deserialization of untrusted data issue that can allow an attacker to execute code on vulnerable machines, without user interaction, by sending a specially crafted event to a WSUS server.

WSUS is used to centralize download and distribution of Microsoft updates to multiple machines on a network. Microsoft said the vulnerability affects only Windows Server systems with the WSUS Server role enabled and that the role is not enabled by default.

Microsoft issued an earlier fix on October Patch Tuesday, but researchers and vendors reported that the initial update was not comprehensive, prompting the additional out-of-band release. Security researchers have warned that the issue is wormable between affected WSUS servers and that administrator action is required. The update covers all supported Windows Server versions, and systems must be rebooted after installation.

The urgency to patch increased after a security researcher published a technical rundown and proof-of-concept exploit code this week. The Dutch National Cyber Security Centre warned today that it had learned from a trusted partner that abuse of the vulnerability was observed on October 24, 2025. Germany’s Federal Office for Information Security also pointed out that exploitation from the internet should not be possible if WSUS is correctly operated behind a perimeter firewall, but that a compromised internal network or misconfigured firewall could allow attackers to take control of WSUS servers.

If the update cannot be applied immediately, administrators can temporarily disable the WSUS Server role or block inbound traffic to ports 8530 and 8531 on the host firewall, though doing so will stop clients from receiving updates from the server. Security guidance warns that compromised WSUS servers could be used to distribute malicious updates to client devices.
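The host-firewall mitigation described above can be scripted as in the following PowerShell sketch, which is an added example and not code from Microsoft or from any advisory. The rule name and function names are made-up labels; the script assumes an elevated session on a Windows Server with the ServerManager and NetSecurity modules available.

```powershell
#Requires -RunAsAdministrator
# Added example: temporary inbound block for the WSUS ports until the
# out-of-band update is installed. Rule and function names are hypothetical.
$RuleName  = 'TEMP-Block-WSUS-Inbound-CVE-2025-59287'
$WsusPorts = 8530, 8531   # ports named in the mitigation guidance

function Get-WsusExposure {
    # Report whether the WSUS role is installed, which WSUS ports are
    # listening, and whether the temporary block rule already exists.
    $role = Get-WindowsFeature -Name UpdateServices
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in $WsusPorts } |
        Select-Object -ExpandProperty LocalPort -Unique
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WsusRoleInstalled = [bool]$role.Installed
        ListeningPorts    = @($listening)
        BlockRulePresent  = [bool]$rule
    }
}

function Enable-WsusBlock {
    # Idempotent: creates the block rule only if it is not already present.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return }
    if ($PSCmdlet.ShouldProcess("TCP $($WsusPorts -join ',')", 'Block inbound')) {
        # An explicit block rule overrides the allow rules WSUS setup created.
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    }
}

function Disable-WsusBlock {
    # Run once the update is installed and the server has been rebooted.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

$state = Get-WsusExposure
$state
if ($state.WsusRoleInstalled -and -not $state.BlockRulePresent) { Enable-WsusBlock }
```

While the rule is in place, clients cannot reach the server for updates; `Disable-WsusBlock` removes it again.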

The out-of-band update is cumulative and supersedes previous updates for affected versions; administrators who have not installed the October 2025 security update were advised to apply this release instead. Organizations are advised to install the patch promptly or implement the temporary mitigations until systems can be updated and rebooted.