Microsoft issues emergency patch for critical, actively exploited WSUS flaw

On October 23, 2025, Microsoft issued an out-of-band security update for CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Services (WSUS).

The flaw was initially addressed during October's Patch Tuesday, but required a follow-up fix to fully remediate the issue. A day after the emergency update was issued, the vulnerability was confirmed as being actively exploited.

The first proof-of-concept (PoC) exploit published on October 21 demonstrated how a malicious payload could trigger the issue and achieve SYSTEM-level code execution. Microsoft has classified the vulnerability as “Exploitation More Likely,” though its advisory has not yet been updated to reflect confirmed exploitation.

The issue affects all supported versions of Windows Server running the WSUS role, in configurations when WSUS servers are exposed to the internet or lack proper network segmentation. It carries a Common Vulnerability Scoring System (CVSS) score of 9.8.

WSUS is a widely used patch management tool that allows organizations to centrally distribute Microsoft updates. If exposed to the internet or accessed by an attacker within the internal network, the vulnerability enables unauthenticated code execution with full control of the WSUS server. The flaw is wormable between WSUS servers and requires no user interaction.

The WSUS role is not enabled by default. Disabling it prevents exploitation, but Microsoft warns that re-enabling it without first applying the October 23 update reintroduces the vulnerability. The emergency update is cumulative and requires a system reboot.

Organizations relying on automatic updates will receive the fix without manual intervention, while those using manual patching workflows are advised to verify deployment status immediately.

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up

Analyst insight

The vulnerability’s unauthenticated nature and SYSTEM-level impact make it a high-priority concern for security teams. WSUS is commonly deployed in internal networks and often integrated with Active Directory.

Recommended mitigations include applying the October 23 update. For environments where patching is delayed, temporary workarounds include:

• Disabling the WSUS role
• Blocking inbound traffic on ports 8530 and 8531 at the host firewall level

Since enabling WSUS without first installing the update would reintroduce the flaw, it’s critical to apply the out-of-band patch before reenabling WSUS. Administrators are advised to confirm that WSUS services are not internet-facing or running in the background, and that ports 8530 and 8531 are closed.

WSUS deployments are advised to operate behind perimeter firewalls and restrict access to trusted internal sources only. Microsoft’s WSUS deployment documentation outlines secure architecture practices that can reduce exposure.