Summary
| Field | Details |
| --- | --- |
| Vulnerability Name | WSUS Remote Code Execution Vulnerability (CVE-2025-59287) |
| Released on | October 27, 2025 |
| Affected Component | Windows Server Update Services (WSUS) |
| Affected Version | Windows Server 2025 (Server Core installation)<br>Windows Server 2025<br>Windows Server 2022, 23H2 Edition (Server Core installation)<br>Windows Server 2022 (Server Core installation)<br>Windows Server 2022<br>Windows Server 2019 (Server Core installation)<br>Windows Server 2019<br>Windows Server 2016 (Server Core installation)<br>Windows Server 2016<br>Windows Server 2012 R2 (Server Core installation)<br>Windows Server 2012 R2<br>Windows Server 2012 (Server Core installation)<br>Windows Server 2012 |
| Vulnerability Type | Remote code execution |
| Exploitation Condition | 1. User authentication: not required.<br>2. Preconditions: Windows Server has installed the WSUS Server role and enabled the WSUS service.<br>3. Trigger mode: remote. |
| Impact | Exploitation difficulty: easy. Attackers can exploit this vulnerability to execute arbitrary code on target systems without authorization.<br>Severity: high-risk. This vulnerability can lead to remote code execution. |
| Official Solution | Available |
About the Vulnerability
Component Introduction
WSUS is a centralized update management service provided by Microsoft. It is mainly used for the unified downloading, distribution, and deployment of patches and updates for Windows systems and Microsoft products within enterprises or organizations. Through WSUS, administrators can obtain the latest patches from Microsoft update servers, then review and test them on a local server before they are distributed to internal clients. Endpoints therefore do not need to access the Internet directly to obtain updates, which saves bandwidth and enhances security.
Vulnerability Description
On October 27, 2025, Sangfor FarSight Labs received notification of the remote code execution vulnerability in WSUS (CVE-2025-59287), which is classified as high-risk.
Specifically, WSUS contains a remote code execution vulnerability that allows unauthenticated remote attackers to send specially crafted events that trigger unsafe object deserialization in a legacy serialization mechanism, which may result in remote code execution.
Affected Versions
The following Windows Server versions are affected:
Windows Server 2025 (Server Core installation)
Windows Server 2025
Windows Server 2022, 23H2 Edition (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Solutions
Remediation Solution
Temporary Solution
We recommend that you disable the WSUS Server role, provided that business operations are not affected.
Alternatively, you can configure policies on the host firewall to block inbound traffic to ports 8530 and 8531, which are default ports of the WSUS service.
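The temporary mitigation above can be checked and applied from an elevated PowerShell session on the WSUS host. This is an added example, not part of the original advisory or of Microsoft's guidance; the rule name and the `-ApplyBlock` switch are assumptions made for illustration, and it assumes WSUS listens on the default ports.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the advisory): report WSUS exposure on this host and,
# with -ApplyBlock, add the temporary inbound block for the default WSUS ports.
param([switch]$ApplyBlock)   # hypothetical switch; without it the script only reports

$ports    = 8530, 8531                        # default WSUS ports named in the advisory
$ruleName = 'Temp-Block-WSUS-CVE-2025-59287'  # constructed rule name (assumption)

# Precondition 1: is the WSUS Server role installed?
$role = Get-WindowsFeature -Name UpdateServices
# Precondition 2: is the WSUS service present and running?
$svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue
# Is anything actually listening on the default ports?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports } |
    Select-Object -ExpandProperty LocalPort -Unique
# Has the block rule already been created?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue

[pscustomobject]@{
    RoleInstalled  = [bool]$role.Installed
    ServiceStatus  = if ($svc) { "$($svc.Status)" } else { 'NotPresent' }
    ListeningPorts = ($listening | Sort-Object) -join ','
    BlockRule      = if ($rule) { "Enabled=$($rule.Enabled)" } else { 'Missing' }
}

if ($ApplyBlock) {
    if (-not $role.Installed) {
        Write-Output 'WSUS role not installed; no rule added.'
    } elseif ($rule) {
        # Rule exists: make sure it is enabled rather than adding a duplicate.
        $rule | Enable-NetFirewallRule
    } else {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
            -Protocol TCP -LocalPort $ports -Action Block -Profile Any | Out-Null
    }
    # Show the resulting rule and its port filter for verification.
    Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
}
```

Blocking these ports also stops clients from reaching this WSUS server, so remove the rule with `Remove-NetFirewallRule -DisplayName` once the official update is installed.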
Official Solution
An official update that fixes the vulnerability has been released. Affected users are advised to update Windows Server to the latest version.
Download link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
Timeline
On October 14, 2025, Sangfor FarSight Labs received notification of the remote code execution vulnerability in WSUS (CVE-2025-59287).
On October 27, 2025, Sangfor FarSight Labs released a vulnerability alert.