Attackers are now exploiting a critical-severity Windows Server Update Service (WSUS) vulnerability, which already has publicly available proof-of-concept exploit code.
Tracked as CVE-2025-59287, this remote code execution (RCE) flaw affects only Windows servers with the WSUS Server role enabled to act as an update source for other WSUS servers within the organization (a feature that isn’t enabled by default).
Threat actors can exploit this vulnerability remotely in low-complexity attacks that don’t require privileges or user interaction, allowing them to run malicious code with SYSTEM privileges. Under these conditions, the security flaw could also be potentially wormable between WSUS servers.
On Thursday, Microsoft released out-of-band security updates for all impacted Windows Server versions to “comprehensively address CVE-2025-59287,” and advised IT administrators to install them as soon as possible:
Microsoft also shared workarounds for admins who can’t immediately deploy the emergency patches, including disabling the WSUS Server role on vulnerable systems to remove the attack vector.
Over the weekend, cybersecurity firm HawkTrace Security released proof-of-concept exploit code for CVE-2025-59287 that doesn’t allow arbitrary command execution.
Exploited in the wild
Dutch cybersecurity firm Eye Security reported earlier today that it has already observed scanning and exploitation attempts this morning, with at least one of its customers’ systems compromised using a different exploit than the one shared by Hawktrace over the weekend.
Also, while WSUS servers aren’t usually exposed online, Eye Security says it found roughly 2,500 instances worldwide, including 250 in Germany and about 100 in the Netherlands.
American cybersecurity company Huntress also found evidence of CVE-2025-59287 attacks targeting WSUS instances with their default ports (8530/TCP and 8531/TCP) exposed online starting Thursday, October 23.
“We expect exploitation of CVE-2025-59287 to be limited; WSUS is not often exposing ports 8530 and 8531. Across our partner base, we have observed ~25 hosts susceptible,” Huntress said.
In the attacks observed by Huntress, the threat actors executed a PowerShell command that performed reconnaissance of the internal Windows domain, which was then sent to a webhook.
This data included the output from the following commands:
whoami – The currently logged in user name.
net user /domain – Lists every user account in the Windows domain.
ipconfig /all – Display the network configuration for all network interfaces.
The Netherlands National Cyber Security Centre (NCSC-NL) confirmed the two companies’ findings today, advising admins of the increased risk given that a PoC exploit is already available.
“The NCSC has learned from a trusted partner that exploitation of the vulnerability with identifier CVE-2025-59287 was observed on October 24, 2025,” the NCSC-NL warned in a Friday advisory.
“It is not common practice for a WSUS service to be publicly accessible via the internet. Public proof-of-concept code for the vulnerability is now available, increasing the risk of exploitation.”
Microsoft has classified CVE-2025-59287 as “Exploitation More Likely,” indicating it is an appealing target for attackers; however, it has not yet updated its advisory to confirm active exploitation.
Update October 24, 13:51 EDT: Added more details on active exploitation from Huntress Labs.
46% of environments had passwords cracked, nearly doubling from 25% last year.
Get the Picus Blue Report 2025 now for a comprehensive look at more findings on prevention, detection, and data exfiltration trends.
