
CISA issues update to address Windows Server Update Service remote code execution vulnerability

Microsoft has issued a security update to fix a remote code execution vulnerability found in Windows Server Update Service (WSUS) affecting Windows Server versions 2012, 2016, 2019, 2022, and 2025. This flaw allows an unauthenticated actor to execute code remotely with SYSTEM-level privileges.

The vulnerability, identified as CVE-2025-59287, persists in WSUS despite an earlier mitigation. It specifically impacts WSUS components on Windows Server installations where the WSUS Server Role is active and listening on Transmission Control Protocol (TCP) ports 8530 or 8531. The advisory distinguishes this Common Vulnerabilities and Exposures (CVE) entry from previous updates by noting that the prior patches did not fully address the remote code execution risk.

Exploitation of this vulnerability permits an unauthenticated actor to gain remote code execution as SYSTEM on affected servers, which amounts to full control of the compromised system under the SYSTEM account's privileges.

Microsoft released an out-of-band patch on October 23, 2025, resolving the vulnerability. Administrators must install this update and reboot WSUS servers to complete the remediation process. Organizations unable to apply the update promptly are advised to disable the WSUS Server Role or block inbound TCP traffic on ports 8530 and 8531 at the host firewall. These temporary measures should remain until the update is deployed, and all other Windows servers should also be updated and rebooted accordingly.

Detection recommendations include monitoring process-creation events for suspicious child processes running with SYSTEM permissions that are spawned by wsusservice.exe or w3wp.exe, bearing in mind that some such processes may be legitimate. Watching for nested PowerShell executions that use base64-encoded commands is also advised, since services other than the WSUS parent processes may be involved in an exploitation chain.
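As an added illustration of the two detection ideas above (this is not code from CISA, Microsoft or the advisory), the following Python triage applies both rules to a handful of constructed process-creation events; the file paths, account names and command lines are invented for the example, and the encoded commands are benign cmdlets.

```python
import base64
import re

# Parent images named in the advisory, the account of interest, and PowerShell host images.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
PS_IMAGES = {"powershell.exe", "pwsh.exe"}
SYSTEM_USER = "NT AUTHORITY\\SYSTEM"
# -EncodedCommand and the short forms PowerShell accepts (-e, -ec, -en, -enc), then base64 text.
ENC_FLAG = re.compile(r"-e(?:c|n(?:c(?:odedcommand)?)?)?\b\s+([A-Za-z0-9+/=]{16,})", re.I)

def encode_ps(script):
    """Base64 of UTF-16LE text, which is how PowerShell expects -EncodedCommand input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    """Return the decoded script when the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style fields), not real telemetry.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
def ev(parent, image, user, cmdline):
    return {"parent": parent, "image": image, "user": user, "cmdline": cmdline}
SAMPLE_EVENTS = [
    ev("C:\\Program Files\\Update Services\\Service\\WsusService.exe", "C:\\Windows\\System32\\cmd.exe",
       "NT AUTHORITY\\SYSTEM", "cmd.exe /c whoami"),
    ev("C:\\Windows\\System32\\inetsrv\\w3wp.exe", PS, "NT AUTHORITY\\SYSTEM",
       "powershell.exe -nop -w hidden -enc " + encode_ps("Get-Date")),
    ev(PS, PS, "CORP\\svc_app",
       "powershell.exe -EncodedCommand " + encode_ps("Get-Process | Select-Object -First 1")),
    ev("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe", "CORP\\alice", "notepad.exe"),
]

def triage(events):
    """Apply the advisory's two detection ideas; every hit still needs analyst review."""
    findings = []
    for e in events:
        parent = e["parent"].rsplit("\\", 1)[-1].lower()
        image = e["image"].rsplit("\\", 1)[-1].lower()
        decoded = decode_encoded_command(e["cmdline"]) if image in PS_IMAGES else None
        if parent in WSUS_PARENTS and e["user"].upper() == SYSTEM_USER:
            findings.append({"rule": "wsus-system-child", "parent": parent, "image": image, "decoded": decoded})
        if decoded is not None and parent in PS_IMAGES:
            findings.append({"rule": "nested-encoded-powershell", "parent": parent, "image": image, "decoded": decoded})
    return findings
```

Decoding the encoded command in each hit gives the analyst the actual script to judge, which is what separates a legitimate WSUS child process from something worth escalating.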

The Cybersecurity and Infrastructure Security Agency (CISA) has incorporated CVE-2025-59287 into its Known Exploited Vulnerabilities (KEV) Catalog and recommends applying Microsoft's guidance for this update. Organizations are encouraged to investigate network activity related to this vulnerability and are provided with additional resources from Huntress and Palo Alto Networks Unit 42 for further information.