After initially addressing CVE-2025-59287 in the WSUS update mechanism as part of October 2025’s Patch Tuesday, Microsoft has rolled out an emergency out-of-band update. The company confirmed that attackers are now exploiting the flaw in real-world attacks.
UPDATE
Thursday saw Microsoft issue an updated fix for a critical WSUS vulnerability, following reports that threat actors have begun targeting the flaw in real-world attacks.
A remote code execution flaw tracked as CVE-2025-59287 affects WSUS, the Windows Server feature used for patch and update management. Although Microsoft initially patched it during the October Patch Tuesday release, the company later issued an additional emergency fix to completely address the vulnerability.
Microsoft reported that CVE-2025-59287 carries a critical 9.8 CVSS score and can be abused through unsafe object deserialization in an outdated serialization process, allowing remote code execution. On Friday, multiple cybersecurity companies confirmed that threat actors are already exploiting the vulnerability in the wild.
"We expect more attacker activity for this vulnerability to hit CISA KEV very soon, as more organizations are being affected," Horizon3 researchers said in a post on X. Huntress reported in a blog post on Friday that they detected exploitation activity starting Thursday, as threat actors began targeting publicly accessible WSUS instances operating on their default ports, 8530 and 8531.
The Cybersecurity and Infrastructure Security Agency (CISA) announced Friday afternoon that it has included CVE-2025-59287 in its Known Exploited Vulnerabilities (KEV) Catalog, signaling confirmed exploitation in the wild.
Last week, Hawktrace researchers published a PoC exploit and in-depth technical breakdown of the CVE-2025-59287 vulnerability. According to Hawktrace’s Batuhan Er, the flaw is triggered when AuthorizationCookie objects sent to the GetCookie() endpoint are deserialized by BinaryFormatter without adequate type checks.
"Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data," Er wrote.