- CISA adds critical WSUS bug CVE-2025-59287 to its KEV catalog
- Microsoft issued emergency patch after real-world exploitation reports surfaced
- Over 2,800 WSUS servers exposed; agencies must patch by November 14
The US Cybersecurity and Infrastructure Security Agency (CISA) has added a new bug to its Known Exploited Vulnerabilities (KEV) catalog, warning Federal agencies about in-the-wild abuse, and giving them a three-week deadline to patch.
Microsoft recently pushed an emergency patch to fix a “deserialization of untrusted data” vulnerability found in Windows Server Update Service (WSUS) – a tool allowing IT admins to manage patching computers within their network.
The flaw, tracked as CVE-2025-59287, was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.
Patch Tuesday fixes
The issue was first addressed in October 2025’s Patch Tuesday cumulative update, but since news broke of real-life attacks, Microsoft released an emergency fix, as well.
Since then, multiple security agencies found evidence of the flaw being leveraged in attacks. For example, Huntress saw WSUS instances being attacked through publicly exposed default ports (8530/TCP and 8531/TCP), while Eye Security, on the other hand, saw at least one of its customers successfully breached. In its security advisory, Microsoft still keeps the flaw labeled as “exploitation more likely”, “not publicly disclosed”, and “not exploited”.
Shadowserver Foundation, the internet watchdog group tracking the abuse of various vulnerabilities, claims that there are more than 2,800 WSUS instances with default ports exposed online. Some of them are most likely patched already, so the attack surface is probably a little smaller than that.
Now, CISA added CVE-2025-59287 to KEV, giving Federal Civilian Executive Branch (FCEB) agencies until November 14 to patch up, or stop using the vulnerable product altogether.
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
