Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.
Tracked as CVE-2025-59287, this remote code execution (RCE) flaw affects only Windows servers with the WSUS Server role enabled to act as an update source for other WSUS servers within the organization (a feature that isn’t enabled by default).
Threat actors can exploit this vulnerability remotely in low-complexity attacks that don’t require privileges or user interaction, allowing them to run malicious code with SYSTEM privileges. Under these conditions, the security flaw could also be potentially wormable between WSUS servers.
On Thursday, Microsoft released out-of-band security updates for all impacted Windows Server versions to “comprehensively address CVE-2025-59287,” and advised IT administrators to install them as soon as possible:
Microsoft also shared workarounds for admins who can’t immediately deploy the emergency patches, including disabling the WSUS Server role on vulnerable systems to remove the attack vector.
Over the weekend, cybersecurity firm HawkTrace Security released proof-of-concept exploit code for CVE-2025-59287 that doesn’t allow arbitrary command execution.
Exploited in the wild
Dutch cybersecurity firm Eye Security reported earlier today that it has already observed scanning and exploitation attempts this morning, with at least one of its customers’ systems compromised using a different exploit than the one shared by Hawktrace over the weekend.
Also, while WSUS servers aren’t usually exposed online, Eye Security says it found roughly 2,500 instances worldwide, including 250 in Germany and about 100 in the Netherlands.
The Netherlands National Cyber Security Centre (NCSC-NL) confirmed Eye Security’s findings today, advising admins of the increased risk given that a PoC exploit is already available.
“The NCSC has learned from a trusted partner that exploitation of the vulnerability with identifier CVE-2025-59287 was observed on October 24, 2025,” the NCSC-NL warned in a Friday advisory.
“It is not common practice for a WSUS service to be publicly accessible via the internet. Public proof-of-concept code for the vulnerability is now available, increasing the risk of exploitation.”
Microsoft has classified CVE-2025-59287 as “Exploitation More Likely,” indicating it is an appealing target for attackers; however, it has not yet updated its advisory to confirm active exploitation.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
VIA: bleepingcomputer.com
