Windows Vulnerability Actively Exploited, Urgent Patching Required

Microsoft has released a patch to address a remote code execution (RCE) vulnerability in Windows Server Update Services that could allow data exfiltration from corporate accounts.

Published on Oct 27, 2025
Microsoft WSUS RCE Shifts To Active Exploitation, Urgent Patching Required

Microsoft has released an out-of-band patch to address a vulnerability within Windows Server Update Services (WSUS). The vulnerability was initially published as a proof of concept by Hawktrace, but Huntress recently announced that they have observed the flaw being exploited in the wild within four customer accounts.

WSUS is a Microsoft service that allows IT administrators to manage and distribute updates across devices on their corporate network.

The exploit takes advantage of an unsafe deserialization bug that allows unauthenticated attackers to run code remotely. Microsoft explained that “[a] remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.”

On disclosure, the vulnerability (CVE-2025-59287) was given a CVSS score of 9.8, classifying it as critical, and Microsoft has released an out-of-band patch to address the issue.

However, Huntress’ observations highlight that businesses have not been fast enough to apply this patch, and attackers are leveraging that delay to exploit this vulnerability in the wild.

In their blog, Huntress researchers explained that the attack involved “spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary. A base64-encoded payload was decoded and executed in PowerShell; the payload enumerated servers for sensitive network and user information and extracted results to a remote webhook.”

As the vulnerability doesn’t require privileges or user interaction to exploit, it’s relatively straightforward for attackers to leverage it to run malicious code with SYSTEM privileges.

BleepingComputer explains that the information collected and exfiltrated via this security issue includes the output of the following commands:

  • whoami – The currently logged-in user name.
  • net user /domain – Lists every user account in the Windows domain.
  • ipconfig /all – Displays the network configuration for all network interfaces.
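The process chain and encoded PowerShell payload described by Huntress, together with the enumeration commands listed above, give defenders a concrete hunting pattern. The following is an added example (not code from Huntress, BleepingComputer or Microsoft) that flags process-creation events where the IIS HTTP worker process or the WSUS service binary spawns a shell, and decodes any -EncodedCommand argument for triage; the image names w3wp.exe and WsusService.exe, the file paths, and the Sysmon-style field names are assumptions, and the sample events are constructed.

```python
import base64
import re
from typing import Optional

# Parent processes named in the Huntress write-up: the IIS HTTP worker process
# and the WSUS service binary (image names are assumptions, not from the page).
SUSPICIOUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts abbreviated forms of -EncodedCommand; match the common ones.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = ENCODED_FLAG.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_event(event: dict) -> Optional[dict]:
    """Flag an event whose parent is the IIS/WSUS process and whose child is a shell."""
    parent, child = basename(event["ParentImage"]), basename(event["Image"])
    if parent not in SUSPICIOUS_PARENTS or child not in SHELL_CHILDREN:
        return None
    return {"parent": parent, "child": child,
            "decoded": decode_encoded_command(event.get("CommandLine", ""))}


def scan(events) -> list:
    return [hit for hit in (triage_event(e) for e in events) if hit]


# Constructed sample telemetry (Sysmon Event ID 1 style fields); paths are assumed.
PAYLOAD = base64.b64encode("whoami; net user /domain".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"cmd.exe /c powershell.exe -enc {PAYLOAD}"},
    {"ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {PAYLOAD}"},
    {"ParentImage": r"C:\Windows\explorer.exe",  # benign interactive shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe"},
]
```

Feeding real Sysmon or Security 4688 events into scan() in place of SAMPLE_EVENTS yields the parent/child pairs and the decoded payload, which can then be matched against the enumeration commands above.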

Urgent Action Required

Microsoft has released a patch for the vulnerability, available for all affected Windows Server versions from 2012 through 2025, and a reboot is required after installation.