Windows Server Update Services bug exploited in the wild


Out-of-band update available from Microsoft.

Security researchers at Huntress have discovered active exploitation of a remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS) that Microsoft issued an out-of-band patch for this month.

WSUS is used by enterprise administrators to manage and distribute updates across corporate networks.

Another security vendor, Hawktrace, published a technical analysis of the vulnerability, indexed as CVE-2025-59287, saying an unsafe deserialisation bug allows unauthenticated attackers to execute code remotely with SYSTEM privileges.

Hawktrace published a proof-of-concept (PoC) for the vulnerability, and Huntress now said it has observed threat actors exploiting the flaw across four of its customers.

Microsoft rated the vulnerability as 9.8 out of 10, with critical severity.

It has also been added to the United States Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalogue.

So far, the exploitation activity that Huntress researchers observed involved spawning command prompts and PowerShell, with a Base64-encoded payload being executed to enumerate servers and glean sensitive network and user information.

That information was exfiltrated to a remote webhook site, Huntress found.

As WSUS servers are not usually exposed to the internet, Huntress expects that in-the-wild exploitation of the vulnerability will be limited.

The security vendor saw approximately 25 hosts susceptible to the attack across its partner base.

It strongly recommends blocking inbound traffic to TCP ports 8530 and 8531 for all but management hosts and Microsoft Update servers that explicitly require access to the WSUS infrastructure.
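One way to apply that recommendation on the WSUS server itself with the built-in Windows Firewall cmdlets, as an added example that is not from the article, Huntress or Microsoft. The address list and rule name are placeholders, and because update clients also reach WSUS on these ports, the allow list should cover the internal ranges that legitimately fetch updates from the server, not only administrators' workstations.

```powershell
# Added example: restrict inbound WSUS ports 8530/8531 to an explicit allow list.
# Run in an elevated PowerShell session on the WSUS server.
# $AllowedSources is a constructed placeholder: list management hosts plus any
# internal client ranges that legitimately pull updates from this server.
$AllowedSources = @('10.0.10.5', '10.0.10.6', '10.0.20.0/24')
$WsusPorts      = @('8530', '8531')
$RuleName       = 'WSUS - allowed sources only'   # assumed name, not a built-in rule

# 1. Default inbound action must be Block on every profile so that anything not
#    matched by an explicit allow rule is dropped. (Windows Firewall lets a Block
#    rule override an Allow rule, so "block all, then allow some" would not work.)
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Disable any existing enabled Allow rule that opens the WSUS ports, except the
#    scoped rule this script creates, so re-running the script is safe.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object {
    $_.DisplayName -ne $RuleName -and
    @( ($_ | Get-NetFirewallPortFilter).LocalPort |
       Where-Object { $WsusPorts -contains $_ } ).Count -gt 0
  } |
  Disable-NetFirewallRule

# 3. Allow the WSUS ports only from the listed sources, on the internal profiles.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
  New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
    -LocalPort $WsusPorts -RemoteAddress $AllowedSources `
    -Action Allow -Profile Domain,Private
}

# 4. Review the result: only the scoped rule should remain enabled for these ports.
Get-NetFirewallRule -Direction Inbound -Enabled True |
  Where-Object { @( ($_ | Get-NetFirewallPortFilter).LocalPort |
                    Where-Object { $WsusPorts -contains $_ } ).Count -gt 0 } |
  Select-Object DisplayName, Action, Profile
```

Step 2 only inspects rules whose port filter lists 8530 or 8531 exactly; a rule using a port range or "Any" still needs a manual check.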

CVE-2025-59287 stems from WSUS's use of BinaryFormatter, a .NET serialisation class that Microsoft has said cannot be made secure and should not be used.

It was removed in .NET version 9, which was released in 2024.

Patches from Microsoft are available for Windows Server 2012 to 2025, with reboots required after updating.

Copyright © iTnews.com.au . All rights reserved.