Windows Server emergency patches fix WSUS bug with PoC exploit

Picus Blue Report 2025

Microsoft has released out-of-band (OOB) security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability with publicly available proof-of-concept exploit code.

WSUS is a Microsoft product that enables IT administrators to manage and deliver Windows updates to computers within their network.

Tracked as CVE-2025-59287and patched during this month’s Patch Tuesday, this remote code execution (RCE) security flaw affects only Windows servers with the WSUS Server Role enabled, a feature that isn’t enabled by default.

The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. This makes it potentially wormable between WSUS servers.

“Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled,” Microsoft explained.

“A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.”

Microsoft has released security updates for all impacted Windows Server versions and advised customers to install them as soon as possible:

As Microsoft revealed in a Thursday update to the original security advisory, a CVE-2025-59287 proof-of-concept exploit is now also available online, making it even more critical to patch vulnerable servers immediately.

Microsoft also shared workarounds for admins who can’t immediately install these emergency patches, including disabling the WSUS Server Role to remove the attack vector or blocking all inbound traffic to Ports 8530 and 8531 on the host firewall to render WSUS non-operational.

However, it’s important to note that Windows endpoints will stop receiving updates from the local server after WSUS is disabled or the traffic is blocked.

“This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions,” Microsoft added.

“If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead. After you install the update you will need to reboot your system.”


Picus Blue Report 2025

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.