Cybersecurity researchers have confirmed active exploitation of a critical Windows Server Update Services (WSUS) vulnerability just hours after Microsoft released emergency patches, with threat actors already compromising multiple organizations in sophisticated "hands-on-keyboard" attacks.
The vulnerability, tracked as CVE-2025-59287, is a remote code execution flaw affecting Windows servers with the WSUS Server role enabled—a feature that helps IT administrators centrally manage and distribute Microsoft updates across their networks. The flaw has been assigned a critical CVSSv3 score of 9.8, allowing unauthenticated attackers to execute malicious code with SYSTEM-level privileges.
Security firms Huntress and Eye Security detected the first exploitation attempts beginning around October 23, 2025, at 23:34 UTC. According to Huntress, attackers targeted WSUS instances publicly exposed on default ports 8530 and 8531, sending specially crafted requests that triggered unsafe deserialization of untrusted data.
"The threat actor had capabilities beyond that of a script kiddie," noted Piet Kerkhofs, CTO of Eye Security. "We can reproduce the RCE and it feels like it's complex enough to be a state actor or advanced ransomware gang that has weaponized the CVE in only a few days."
The attacks followed a disturbing pattern: once exploited, the WSUS service spawned Command Prompt and PowerShell processes that executed base64-encoded payloads. These payloads conducted network reconnaissance—identifying logged-in users, listing Active Directory domain accounts, and gathering network configurations—before exfiltrating the data to remote webhook sites controlled by attackers.
Eye Security discovered approximately 8,000 internet-facing servers with vulnerable ports exposed, though not all may be susceptible to attack. Meanwhile, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog, directing federal agencies to mitigate the flaw by November 14, 2025.
Microsoft released out-of-band security updates on October 23, 2025, for all affected Windows Server versions—including Server 2012 R2 through Server 2025. The patches require a system reboot to take effect. For organizations unable to patch immediately, Microsoft recommends disabling the WSUS Server role or blocking inbound traffic to ports 8530 and 8531 at the host firewall level.
The vulnerability was discovered by security researcher Markus Wulftange of CODE WHITE GmbH. With proof-of-concept exploit code now publicly available online, security experts warn that exploitation attempts will likely intensify in the coming days, making immediate patching critical for any organization running WSUS servers.