Microsoft issues emergency patch for Windows flaw under active attack


Microsoft released an urgent out-of-band security patch on October 23, 2025, to address CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services (WSUS) rated CVSS 9.8. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed shortly afterwards that attackers are already exploiting the flaw in the wild and added it to its Known Exploited Vulnerabilities (KEV) catalog.

The vulnerability stems from unsafe deserialization of untrusted data in WSUS, which lets an unauthenticated attacker who can reach the WSUS endpoints over the network execute arbitrary code as SYSTEM. Security researchers from multiple firms, including Huntress and Eye Security, have observed active exploitation attempts beginning around 23:34 UTC on October 23.

Active Exploitation Detected Across Multiple Organizations

Cybersecurity firm Huntress observed threat actors targeting WSUS instances publicly exposed on TCP ports 8530 (HTTP) and 8531 (HTTPS), executing PowerShell commands to perform reconnaissance of internal Windows domains. The attackers collected logged-in usernames, domain user accounts, and network configuration details, then exfiltrated the output to remote webhooks.

Dutch cybersecurity firm Eye Security reported exploitation at 06:55 UTC on October 24, in which attackers deployed a Base64-encoded .NET payload that reads the command to run from a custom 'aaaa' HTTP request header, a placement chosen to keep the commands out of standard web server logs. The Dutch National Cyber Security Centre confirmed these findings, stating that it "learned from a trusted partner that abuse of CVE-2025-59287 was observed on October 24, 2025".

Arctic Wolf detected a broader campaign against WSUS servers, observing malicious PowerShell scripts launched from IIS worker processes (w3wp.exe) that ran network reconnaissance commands and sent their output to attacker-controlled domains. The firm noted that although exploitation is occurring, its scale remains limited because WSUS servers are not typically exposed to the internet. The common thread across all three reports is the same parent-child relationship: the WSUS service or its IIS worker process spawning a shell, which these processes have no legitimate reason to do.
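The hunt that pattern suggests, as an added example that is not code from Huntress, Eye Security or Arctic Wolf: flag any shell or recon binary whose parent is w3wp.exe or WsusService.exe. The sample events, the parent and child lists, and the function names are this example's own constructions; the live path reads Sysmon Event ID 1 (process creation) from the standard Sysmon operational log.

```powershell
# Added example: hunt for shells spawned by the WSUS service or its IIS worker process.
# Parent and child lists are assumptions for this example, tune them to your environment.
$SuspectParents  = @('w3wp.exe', 'wsusservice.exe')
$SuspectChildren = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'whoami.exe',
                     'net.exe', 'nltest.exe', 'ipconfig.exe', 'curl.exe')

# Normalise a Sysmon Event ID 1 record into the three fields the hunt needs.
function ConvertFrom-SysmonProcessCreate {
    param([Parameter(ValueFromPipeline)] $WinEvent)
    process {
        $xml = [xml]$WinEvent.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            TimeCreated = $WinEvent.TimeCreated
            ParentImage = $d['ParentImage']
            Image       = $d['Image']
            CommandLine = $d['CommandLine']
        }
    }
}

# Emit one finding per event whose parent/child pair matches the exploitation pattern.
function Test-WsusSpawnedShell {
    param([Parameter(ValueFromPipeline)] [pscustomobject]$Event)
    process {
        $parent = [System.IO.Path]::GetFileName($Event.ParentImage).ToLowerInvariant()
        $child  = [System.IO.Path]::GetFileName($Event.Image).ToLowerInvariant()
        if ($SuspectParents -contains $parent -and $SuspectChildren -contains $child) {
            [pscustomobject]@{
                TimeCreated = $Event.TimeCreated
                Parent      = $parent
                Child       = $child
                CommandLine = $Event.CommandLine
                Reason      = "$child spawned by $parent"
            }
        }
    }
}

# Constructed sample events (not real telemetry) so the hunt can be exercised offline.
# The encoded command is UTF-16LE "whoami" in Base64.
$SampleEvents = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2025-10-24T06:55:00Z'
        ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -nop -w hidden -enc dwBoAG8AYQBtAGkA' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-10-24T06:55:02Z'
        ParentImage = 'C:\Program Files\Update Services\Service\WsusService.exe'
        Image       = 'C:\Windows\System32\cmd.exe'
        CommandLine = 'cmd.exe /c nltest /dclist:' }
    [pscustomobject]@{ TimeCreated = [datetime]'2025-10-24T07:00:00Z'
        ParentImage = 'C:\Windows\explorer.exe'
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe' }   # benign: interactive admin, not flagged
)

$SampleEvents | Test-WsusSpawnedShell | Format-Table -AutoSize

# Live hunt on a WSUS host with Sysmon installed (requires rights to read the log):
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonProcessCreate | Test-WsusSpawnedShell
```

The two constructed attack events are flagged and the interactive PowerShell launch from explorer.exe is not. If Sysmon is not deployed, the same parent-child check can be applied to Security event 4688 with command-line auditing enabled; the field names differ but the logic is identical.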

Federal Agencies Face November Deadline

CISA has mandated that federal civilian agencies remediate the vulnerability by November 14, 2025, under Binding Operational Directive 22-01. The agency strongly recommends that all organizations follow Microsoft's guidance for the Windows Server Update Service Remote Code Execution Vulnerability, emphasizing the risk of unauthorized actors gaining remote code execution with SYSTEM privileges.

Microsoft initially addressed CVE-2025-59287 in its October 2025 Patch Tuesday release, but later determined that the original fix was incomplete, prompting the emergency out-of-band update. Hosts that installed only the Patch Tuesday update therefore remain vulnerable until the out-of-band update is applied. The vulnerability affects only Windows servers with the WSUS Server Role enabled, which is not installed by default.

For organizations unable to deploy the patch immediately, Microsoft offers two interim workarounds: disable the WSUS Server Role, or block inbound traffic to TCP ports 8530 and 8531 at the host firewall. Either option also stops managed clients from receiving updates from that server until it is reversed. The company stressed that administrators should "not reverse either of these workarounds until the update has been installed".
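The port-blocking workaround, as an added example rather than Microsoft's own script: confirm the role is present, show what is currently connected to the WSUS ports, add an idempotent inbound block rule, and verify it. The rule name is this example's own choice; the script must be run elevated on the WSUS host.

```powershell
# Added example: interim workaround for a WSUS host that cannot yet take the out-of-band patch.
# Run from an elevated PowerShell session on the WSUS server itself.
#Requires -RunAsAdministrator
$WsusPorts = 8530, 8531
$RuleName  = 'Block-WSUS-Inbound-CVE-2025-59287'   # name chosen for this example

# 1. Only hosts with the WSUS Server Role are affected. Get-WindowsFeature exists on
#    Windows Server; on a client SKU the call fails and the script stops here.
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
if (-not $role -or -not $role.Installed) {
    Write-Host 'WSUS Server Role is not installed; this host is not affected by CVE-2025-59287.'
    return
}

# 2. Record who is currently talking to the WSUS ports before the block goes in.
#    Unexpected remote addresses here are worth a look under the hunt described above.
Get-NetTCPConnection -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State |
    Format-Table -AutoSize

# 3. Block inbound TCP 8530/8531 at the host firewall (Microsoft's second workaround).
#    Idempotent: re-running the script does not create duplicate rules.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created firewall rule '$RuleName'."
} else {
    Write-Host "Firewall rule '$RuleName' already present."
}

# 4. Verify the rule covers both ports.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Format-Table Protocol, LocalPort -AutoSize

# Alternative (Microsoft's first workaround): remove the role entirely. This takes WSUS
# out of service and may require a reboot, so it is left commented out here.
# Uninstall-WindowsFeature -Name UpdateServices

# After the out-of-band update is installed, and only then:
# Remove-NetFirewallRule -DisplayName $RuleName
```

The firewall rule blocks every inbound connection to the WSUS ports, including legitimate update clients, which is the trade-off Microsoft's guidance accepts until the patch is on. If downstream WSUS servers or clients must keep working, a narrower rule scoped with -RemoteAddress to the management subnets is an option, but it should be treated as partial mitigation rather than the published workaround.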