Microsoft has rolled out an out-of-band security update to address a critical remote code execution vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) that is currently being exploited in the wild.
While the issue was initially fixed during last week’s Patch Tuesday release, Microsoft released the additional emergency update following a publicly available proof-of-concept exploit and evidence of active exploitation.
The flaw stems from unsafe deserialization of untrusted data in WSUS, which can allow a remote, unauthenticated attacker to execute arbitrary code over the network. Specifically, an attacker could send crafted requests that trigger the deserialization of malicious objects through a legacy serialization mechanism, ultimately leading to remote code execution with SYSTEM-level privileges. Systems that do not have the WSUS Server Role enabled are not impacted.
According to security researchers, the vulnerability is related to the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint. In this process, encrypted cookie data is decrypted using AES-128-CBC and then deserialized using BinaryFormatter without proper validation, allowing attackers to run arbitrary code on the system.
Microsoft has previously warned developers against using BinaryFormatter for deserialization due to its security weaknesses. This feature was removed entirely from .NET 9 in August 2024.
To fully resolve the issue, Microsoft has released out-of-band security updates for all supported versions of Windows Server, including Windows Server 2012, 2012 R2, 2016, 2019, 2022 (including the 23H2 Server Core edition), and Windows Server 2025. Administrators are strongly advised to install the patch as soon as possible and to reboot systems afterward to ensure the update takes effect.
If organizations are unable to apply the patch immediately, they can temporarily disable the WSUS Server Role if it is not in use, or block inbound network traffic to ports 8530 and 8531 on the host firewall.
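The triage and interim mitigations described above, as an added PowerShell example (not Microsoft's own guidance script): it checks whether the WSUS Server Role is installed, lists what is listening on the WSUS ports, and then either blocks inbound TCP 8530/8531 on the host firewall or removes the role. The firewall rule name is a hypothetical label chosen for this example; the cmdlets assume an elevated session on Windows Server with the ServerManager and NetSecurity modules available.

```powershell
# Added example (not from the article): audit a Windows Server host for the
# WSUS Server Role and apply one of the interim mitigations the advisory names
# until the out-of-band update is installed and the host rebooted.
# Assumes an elevated PowerShell session on Windows Server.

function Test-WsusRoleInstalled {
    # Hosts without the WSUS Server Role are not affected, so this is the
    # first triage question.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return [bool]($feature -and $feature.Installed)
}

function Get-WsusListeners {
    # Show whether anything is actually listening on the WSUS ports
    # (8530 for HTTP, 8531 for HTTPS) and which process owns the socket.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Block-WsusInboundPorts {
    # Interim mitigation: block inbound TCP 8530/8531 on the host firewall.
    # The rule name below is a hypothetical label chosen for this example.
    param([string]$RuleName = 'Mitigation-CVE-2025-59287-Block-WSUS-Inbound')
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    }
    Get-NetFirewallRule -DisplayName $RuleName
}

function Remove-WsusRole {
    # Alternative mitigation when WSUS is not in use on this host: remove the role.
    # Removing the role does not delete the WSUS database or content directory;
    # clean those up separately if the server is being retired from WSUS duty.
    Uninstall-WindowsFeature -Name UpdateServices -Restart:$false
}

# Usage: triage first, then pick one interim mitigation.
if (Test-WsusRoleInstalled) {
    Write-Host 'WSUS Server Role is installed; current listeners on 8530/8531:'
    Get-WsusListeners | Format-Table -AutoSize
    Block-WsusInboundPorts
    # Remove-WsusRole   # only if WSUS is genuinely not in use on this host
} else {
    Write-Host 'WSUS Server Role is not installed; host is not affected by CVE-2025-59287.'
}
```

Blocking the two ports on the host firewall also stops legitimate WSUS clients from synchronizing with this server, so it is a stop-gap rather than a fix; remove the rule once the out-of-band update has been installed and the server rebooted. Where WSUS is still needed, patching plus the reboot is the only complete remediation.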