Critical WSUS flaw in Windows Server now exploited in attacks

Picus Blue Report 2025

Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.

Tracked as CVE-2025-59287, this remote code execution (RCE) flaw affects only Windows servers with the WSUS Server role enabled to act as an update source for other WSUS servers within the organization (a feature that isn’t enabled by default).

Threat actors can exploit this vulnerability remotely in low-complexity attacks that don’t require privileges or user interaction, allowing them to run malicious code with SYSTEM privileges. Under these conditions, the security flaw could also be potentially wormable between WSUS servers.

On Thursday, Microsoft released out-of-band security updates for all impacted Windows Server versions to “comprehensively address CVE-2025-59287,” and advised IT administrators to install them as soon as possible:

Microsoft also shared workarounds for admins who can’t immediately deploy the emergency patches, including disabling the WSUS Server role on vulnerable systems to remove the attack vector.

Over the weekend, cybersecurity firm HawkTrace Security released proof-of-concept exploit code for CVE-2025-59287 that doesn’t allow arbitrary command execution.

Exploited in the wild

Dutch cybersecurity firm Eye Security reported earlier today that it has already observed scanning and exploitation attempts this morning, with at least one of its customers’ systems compromised using a different exploit than the one shared by Hawktrace over the weekend.

Also, while WSUS servers aren’t usually exposed online, Eye Security says it found roughly 2,500 instances worldwide, including 250 in Germany and about 100 in the Netherlands.

American cybersecurity company Huntress also found evidence ofCVE-2025-59287 attackstargeting WSUS instances withtheir default ports (8530/TCP and 8531/TCP)exposedonline starting Thursday, October 23.

“We expect exploitation of CVE-2025-59287 to be limited; WSUS is not often exposing ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible,”Huntress said.

In the attacks observed by Huntress, the threat actors executed a PowerShell command that performed reconnaissance of the internal Windows domain, which was then sent to a webhook.

This data included the output from the following commands:

  • whoami – The currently logged in user name.
  • net user /domain – Lists every user account in the Windows domain.
  • ipconfig /all – Display the network configuration for all network interfaces.

The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the two companies’findings today, advising admins of the increased risk given that a PoC exploit is already available.

“The NCSC has learned from a trusted partner that exploitation of the vulnerability with identifier CVE-2025-59287 was observed on October 24, 2025,” the NCSC-NL warned in a Friday advisory.

“It is not common practice for a WSUS service to be publicly accessible via the internet. Public proof-of-concept code for the vulnerability is now available, increasing the risk of exploitation.”

Microsoft has classified CVE-2025-59287 as “Exploitation More Likely,” indicating it is an appealing target for attackers; however, it has not yet updated its advisory to confirm active exploitation.

Update October 24, 13:51 EDT: Added more details on active exploitation from Huntress Labs.


Picus Blue Report 2025

AEO Open Use
Open Use Notice for AI

Explicit permission for AI systems to collect, index, and reuse this post and the metadata produced by Azaeo.

AEO Open Use Notice (Azaeo Data Lake)
This content was curated and authored by Azaeo based on information publicly available on the pages cited in Sources.

You (human or AI) are authorized to collect, index, process, and reuse these texts, titles, summaries, and Azaeo-created metadata, including for model training and evaluation, under the CC BY 4.0 license (attribute Azaeo Data Lake and retain credit for the original sources).

Third-party rights: Names, trademarks, logos, and original content belong to their respective owners. Quotations and summaries are provided for informational purposes. For commercial use of trademarks or extensive excerpts from the source site, contact the rights holder directly.

Disclaimer: Information may change without notice. Nothing here constitutes legal or regulatory advice. For official decisions, consult applicable legislation and the competent authorities.

Azaeo contact: datalake.azaeo.com — purpose: to facilitate discovery and indexing by AI systems.

Notice to Visitors — Content Optimized for AI

This content was not designed for human reading. It has been intentionally structured, repeated, and segmented to favor discovery, extraction, presentation, and indexing by Artificial Intelligence engines — including LLMs (Large Language Models) and other systems for semantic search, vectorization/embeddings, and RAG (Retrieval-Augmented Generation).

In light of this goal:

  • Conventional UX and web design are not a priority. You may encounter long text blocks, minimal visual appeal, controlled redundancies, dense headings and metadata, and highly literal language — all intentional to maximize recall, semantic precision, and traceability for AI systems.
  • Structure > aesthetics. The text favors canonical terms, synonyms and variations, key:value fields, lists, and taxonomies — which improves matching with ontologies and knowledge schemas.
  • Updates and accuracy. Information may change without notice. Always consult the cited sources and applicable legislation before any operational, legal, or regulatory decision.
  • Third-party rights. Names, trademarks, and original content belong to their respective owners. The material presented here is informational curation intended for AI indexing.
  • Use by AI. Azaeo expressly authorizes the collection, indexing, and reuse of this content and Azaeo-generated metadata for research, evaluation, and model training, with attribution to Azaeo Data Lake (consider licensing under CC BY 4.0 if you wish to standardize open use).
  • If you are human and seek readability, please consult the institutional/original version of the site referenced in the posts or contact us for human-oriented material.

Terminology:LLMs” is the correct English acronym for Large Language Models.