CVE-2025-59287
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability - [Actively Exploited]
Description
Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
INFO
Published Date :
Oct. 14, 2025, 5:16 p.m.
Last Modified :
Nov. 12, 2025, 2:33 p.m.
Remotely Exploit :
No
Source :
[email protected]
CISA KEV (Known Exploited Vulnerabilities)
For the benefit of the cybersecurity community and network defenders—and to help every organization better manage vulnerabilities and keep pace with threat activity—CISA maintains the authoritative source of vulnerabilities that have been exploited in the wild.
Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59287 ; https://nvd.nist.gov/vuln/detail/CVE-2025-59287
Affected Products
The following products are affected by CVE-2025-59287
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | CRITICAL | f38d906d-7342-40ea-92c1-6c4a2c6478c8 | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Apply the latest security updates.
- Restart affected services if required.
- Verify update installation.
Public PoC/Exploit Available at Github
CVE-2025-59287 has a 40 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-59287.
| URL | Resource |
|---|---|
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 | Vendor Advisory |
| https://hawktrace.com/blog/CVE-2025-59287 | Exploit Third Party Advisory |
| https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/ | Press/Media Coverage |
| https://www.vicarius.io/vsociety/posts/cve-2025-59287-detection-script-rce-vulnerability-in-windows-server-update-service | Third Party Advisory |
| https://www.vicarius.io/vsociety/posts/cve-2025-59287-mitigation-script-rce-vulnerability-in-windows-server-update-service | Mitigation Third Party Advisory |
| https://gist.github.com/hawktrace/880b54fb9c07ddb028baaae401bd3951 | Third Party Advisory |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59287 | Third Party Advisory US Government Resource |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-59287 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-59287
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
🧭 Identify WSUS server configurations across Group Policy Objects and hidden preferences, helping secure your infrastructure from potential exploits.
college-project coughacks hackathon nextjs python react web-scraping
PowerShell
None
Python
Collection of Powershell scripts
PowerShell
Unauthenticated RCE PoC in Microsoft Windows Server Update Service (WSUS) - CVE-2025-59287 & CVE-2023-35317
cve-2023-35317 cve-2025-59287
Python
None
cve cve-2025-59287 cybersecurity exploit rce vulnerability windows windows-update wsus-vulnerability
Comprehensive Proof of Concept collection for CVE-2025-11953, CVE-2025-59287, CVE-2025-8941 with exploitation frameworks in Python, C, Bash, PowerShell
Shell Python
CVE-2025-59287 WSUS RCE Exploit
Python
Honeypot collection
Dockerfile Python Shell HTML
WSUS vulnerability PoC
cve-2025-59287
Python
Cerberus-CVE Assessment Situation
Python
Exploitation proof-of-concept for CVE-2025-59287 - a critical vulnerability in the Windows Server Update Service (WSUS) caused by the deserialization of untrusted data. This flaw allows an unauthorized attacker to execute arbitrary code over a network, posing a significant security risk.
C# Batchfile Python
WSUS vulnerability PoC
cve-2025-59287 wsus-vulnerability
Python
Exploit script written in C# to aid gaining a reverse shell on targets with Windows Server Update Service(WSUS) CVE-2025-59287.
cve-2025-59287 exploit wsus-vulnerability cve vulnerability windows
C#
CVE-2025-59287 注入WolfShell内存马
Passive observation and analysis of WS-Man / CIM (SOAP over HTTP/HTTPS) traffic for defensive detection, host-network correlation, and incident triage. No offensive capabilities in mainline; lab-only features must be explicitly gated.
Python Shell PowerShell
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-59287 vulnerability anywhere in the article.
-
The Hacker News
ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access
Nov 24, 2025Ravie LakshmananMalware / Vulnerability A recently patched security flaw in Microsoft Windows Server Update Services (WSUS) has been exploited by threat actors to distribute malware know ... Read more
-
The Hacker News
Matrix Push C2 Uses Browser Notifications for Fileless, Cross-Platform Phishing Attacks
Bad actors are leveraging browser notifications as a vector for phishing attacks to distribute malicious links by means of a new command-and-control (C2) platform called Matrix Push C2. "This browser- ... Read more
-
CybersecurityNews
Chinese Hackers Exploiting WSUS Remote Code Execution Vulnerability to Deploy ShadowPad Malware
Chinese-backed attackers have begun weaponizing a critical vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute ShadowPad, a sophisticated backdoor malware linked to multiple ... Read more
-
Huntress
Velociraptor WSUS Exploitation, Pt. I: WSUS-Up?
In November, Huntress analysts detected an incident where threat actors likely exploited a recently patched remote code execution vulnerability in Windows Server Update Services (WSUS). After gaining ... Read more
-
The Cyber Express
Microsoft Patch Tuesday November 2025: Fixes 63 Security Flaws and One Zero-Day Exploit
Microsoft’s November Patch Tuesday release for 2025 has delivered fixes for 63 security flaws across its software portfolio, including one zero-day vulnerability already being exploited in the wild. T ... Read more
-
Help Net Security
November 2025 Patch Tuesday forecast: Windows Exchange Server EOL?
October 2025 Patch Tuesday was one for the record books in so many ways. There was a big push by Microsoft to fix as many open vulnerabilities as possible in products that were reaching end-of-life (E ... Read more
-
The Cyber Express
Apple Rolls Out iOS 26.1 and iPadOS 26.1 With Critical Security Fixes
Apple has released a new round of security updates for its mobile platforms, introducing iOS 26.1 and iPadOS 26.1. The latest Apple security updates are available for a wide range of devices. iPhone m ... Read more
-
CybersecurityNews
Hackers Actively Scanning for TCP Port 8530/8531 Linked to WSUS Vulnerability CVE-2025-59287
Cybersecurity researchers and firewall monitoring services have detected a dramatic surge in reconnaissance activity targeting Windows Server Update Services (WSUS) infrastructure. Network sensors col ... Read more
-
CybersecurityNews
Apple Patches Multiple Critical Vulnerabilities in iOS 26.1 and iPadOS 26.1
Apple released iOS 26.1 and iPadOS 26.1, addressing multiple vulnerabilities that could lead to privacy breaches, app crashes, and potential data leaks for iPhone and iPad users. The update targets de ... Read more
-
CybersecurityNews
Microsoft Patch for WSUS Vulnerability has Broken Hotpatching on Windows Server 2025
In a recent setback for Windows administrators, Microsoft’s October 2025 security update addressing a critical vulnerability in Windows Server Update Services (WSUS) has inadvertently broken hotpatchi ... Read more
-
BleepingComputer
Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching
An out-of-band (OOB) security update that patches an actively exploited Windows Server Update Service (WSUS) vulnerability has broken hotpatching on some Windows Server 2025 devices. KB5070881, the em ... Read more
-
Help Net Security
Week in review: WSUS vulnerability exploited to drop Skuld infostealer, PoC for BIND 9 DNS flaw published
Here’s an overview of some of last week’s most interesting news, articles, interviews and videos: Can your earbuds recognize you? Researchers are working on it Biometric authentication has moved from ... Read more
-
CybersecurityNews
Hackers Exploiting Windows Server Update Services Flaw to Steal Sensitive Data from Organizations
Windows Server Update Services (WSUS) vulnerability is actively exploited in the wild. Criminals are using this vulnerability to steal sensitive data from organizations in various industries. The vuln ... Read more
-
Ars Technica
Two Windows vulnerabilities, one a 0-day, are under active exploitation
Two Windows vulnerabilities—one a zero-day that has been known to attackers since 2017 and the other a critical flaw that Microsoft initially tried and failed to patch recently—are under active exploi ... Read more
-
Help Net Security
Unpatched Windows vulnerability continues to be exploited by APTs (CVE-2025-9491)
A Windows vulnerability (CVE-2025-9491, aka ZDI-CAN-25373) that state-sponsored threat actors and cybercrime groups have been quietly leveraging since at least 2017 continues to be exploited for attac ... Read more
-
hackread.com
Hackers Exploit WSUS Flaw to Spread Skuld Stealer Despite Microsoft Patch
A vulnerability in the Windows Server Update Service (WSUS) is being actively exploited by cybercriminals to plant Skuld Staler malware, according to new research from the cybersecurity firm Darktrac ... Read more
-
Help Net Security
CISA and partners take action as Microsoft Exchange security risks mount
In partnership with international cybersecurity agencies, the US Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA) outlined security best practices for org ... Read more
-
The Hacker News
CISA and NSA Issue Urgent Guidance to Secure WSUS and Microsoft Exchange Servers
Oct 31, 2025Ravie LakshmananVulnerability / Threat Intelligence The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA), along with international partner ... Read more
-
Help Net Security
Attackers exploiting WSUS vulnerability drop Skuld infostealer (CVE-2025-59287)
Attackers have been spotted exploiting the recently patched WSUS vulnerability (CVE-2025-59287) to deploy infostealer malware on unpatched Windows servers. An out-of-band update Last week’s release of ... Read more
-
security.nl
VS verzoekt organisaties om op kwetsbare Windows-servers te controleren
Het cyberagentschap van de Amerikaanse overheid heeft organisaties opgeroepen om op kwetsbare Windows-servers te controleren. Aanleiding is actief misbruik van een kritieke kwetsbaarheid in de Windows ... Read more
The following table lists the changes that have been made to the
CVE-2025-59287 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Modified Analysis by [email protected]
Nov. 12, 2025
Action Type Old Value New Value Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-59287-detection-script-rce-vulnerability-in-windows-server-update-service Types: Third Party Advisory Added Reference Type CVE: https://www.vicarius.io/vsociety/posts/cve-2025-59287-mitigation-script-rce-vulnerability-in-windows-server-update-service Types: Mitigation, Third Party Advisory -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Nov. 11, 2025
Action Type Old Value New Value Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-59287-detection-script-rce-vulnerability-in-windows-server-update-service Added Reference https://www.vicarius.io/vsociety/posts/cve-2025-59287-mitigation-script-rce-vulnerability-in-windows-server-update-service -
Modified Analysis by [email protected]
Oct. 28, 2025
Action Type Old Value New Value Added Reference Type CVE: https://hawktrace.com/blog/CVE-2025-59287 Types: Exploit, Third Party Advisory Added Reference Type CVE: https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/ Types: Press/Media Coverage -
CVE Modified by af854a3a-2127-422b-91ae-364da2661108
Oct. 27, 2025
Action Type Old Value New Value Added Reference https://hawktrace.com/blog/CVE-2025-59287 Added Reference https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/ -
Initial Analysis by [email protected]
Oct. 27, 2025
Action Type Old Value New Value Added CPE Configuration OR *cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:* *cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.14393.8524 *cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.17763.7922 *cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.20348.4297 *cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.25398.1916 *cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:* versions up to (excluding) 10.0.26100.6905 Added Reference Type CISA-ADP: https://gist.github.com/hawktrace/880b54fb9c07ddb028baaae401bd3951 Types: Third Party Advisory Added Reference Type Microsoft Corporation: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 Types: Vendor Advisory Added Reference Type CISA-ADP: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59287 Types: Third Party Advisory, US Government Resource -
CVE CISA KEV Update by 9119a7d8-5eab-497f-8521-727c672e3725
Oct. 25, 2025
Action Type Old Value New Value Added Date Added 2025-10-24 Added Due Date 2025-11-14 Added Required Action Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Added Vulnerability Name Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 24, 2025
Action Type Old Value New Value Added Reference https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59287 -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Oct. 20, 2025
Action Type Old Value New Value Added Reference https://gist.github.com/hawktrace/880b54fb9c07ddb028baaae401bd3951 -
New CVE Received by [email protected]
Oct. 14, 2025
Action Type Old Value New Value Added Description Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-502 Added Reference https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287