Update Windows Server to patch WSUS vulnerability
This message is intended for U-M IT staff who are responsible for Windows Servers.
Summary
A Remote Code Execution (RCE) vulnerability (CVE-2025-59287) in Windows Server Update Services (WSUS) is reportedly being actively exploited in the wild. It is urgent that you apply the out-of-band security update from Microsoft now to address the vulnerability on Windows Server machines that have the WSUS Server role enabled.
The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Problem
WSUS is a tool that helps manage and distribute Microsoft updates across multiple computers. The vulnerability can be exploited remotely in low-complexity attacks that do not require user interaction, allowing threat actors without privileges to target vulnerable systems and run malicious code with SYSTEM privileges. This makes it potentially wormable between WSUS servers.
Threats
The critical vulnerability is reportedly being actively exploited in the wild.
Affected Systems
Windows Server machines that have the WSUS Server role enabled.
Action Items
Apply the out-of-band security update from Microsoft to comprehensively address the vulnerability. The update that Microsoft previously released on Tuesday, October 14, 2025, did not patch the CVE-2025-59287 vulnerability.
If the update cannot be implemented immediately, either temporarily disable the WSUS server role or render WSUS non-operational by blocking inbound traffic to Ports 8530 and 8531 on the host firewall.
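The following PowerShell is an added example, not part of the original advisory or Microsoft's guidance. It applies the host-firewall workaround described above on a server that has the WSUS Server role. The rule name is an assumption chosen for illustration. `UpdateServices` is the Windows feature name for the WSUS role.

```powershell
#Requires -RunAsAdministrator
# Added example: interim mitigation for CVE-2025-59287, for use only until the
# out-of-band update is installed. The rule name below is an assumption.
$RuleName  = 'TEMP - Block inbound WSUS (CVE-2025-59287)'
$WsusPorts = 8530, 8531

# 1. Scope check: only servers with the WSUS Server role enabled are affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output "WSUS Server role is not installed on $env:COMPUTERNAME; nothing to do."
    return
}

# 2. Report which of the WSUS ports are listening right now.
$listening = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Output "WSUS role installed. Listening WSUS ports: $($listening -join ', ')"

# 3. A block rule has no effect on a firewall profile that is switched off.
$disabled = Get-NetFirewallProfile | Where-Object { $_.Enabled -eq 'False' }
if ($disabled) {
    Write-Warning "Firewall profile(s) disabled: $($disabled.Name -join ', '). Enable them or the rule will not apply there."
}

# 4. Create the inbound block rule once (safe to re-run).
#    Block rules take precedence over the allow rules WSUS setup created.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $WsusPorts -Profile Any `
        -Description 'Interim mitigation; remove after the update is installed.' | Out-Null
}

# 5. Verify the rule and the ports it covers.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action,
        @{ n = 'LocalPort'; e = { ($_ | Get-NetFirewallPortFilter).LocalPort -join ',' } }

# After the out-of-band update is installed, restore WSUS service to clients:
# Remove-NetFirewallRule -DisplayName $RuleName
```

While the rule is in place, clients cannot reach this WSUS server on those ports, so it will not distribute updates until the rule is removed.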
Technical Details
The vulnerability is caused by deserialization of untrusted data, which may allow an unauthorized attacker to execute code on vulnerable machines by sending a specially crafted event to the WSUS server. It does not require user interaction.
How We Protect U-M
ITS provides CrowdStrike Falcon to units, which should be installed on all U-M owned systems (Windows, macOS, and Linux operating systems, whether workstations or servers). Falcon administrators in ITS and in U-M units use the Falcon console to investigate and remediate issues.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Scams, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
References
- Microsoft releases urgent fix for actively exploited WSUS vulnerability (CVE-2025-59287) (Help Net Security, 10/24/25)
- Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (Microsoft, 10/24/25)
- Windows Server emergency patches fix WSUS bug with PoC exploit (Bleeping Computer, 10/24/25)
- Critical Windows Server WSUS Vulnerability Exploited in the Wild (Security Week, 10/24/25)
- Newly Patched Critical Microsoft WSUS Flaw Comes Under Active Exploitation (The Hacker News, 10/24/25)