[CIVN-2025-0282] Remote Code Execution Vulnerability in Windows Server Update Service (WSUS)

Published On: October 29, 2025

Remote Code Execution Vulnerability in Windows Server Update Service (WSUS) 
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: CRITICAL
Software Affected
Windows Server 2012 R2 (Server Core installation) versions prior to 6.3.9600.22826
Windows Server 2012 R2 versions prior to 6.3.9600.22826
Windows Server 2012 (Server Core installation) versions prior to 6.2.9200.25728
Windows Server 2012 versions prior to 6.2.9200.25728
Windows Server 2016 (Server Core installation) versions prior to 10.0.14393.8524
Windows Server 2016 versions prior to 10.0.14393.8524
Windows Server 2019 (Server Core installation) versions prior to 10.0.17763.7922
Windows Server 2019 versions prior to 10.0.17763.7922
Windows Server 2022 (Server Core installation) versions prior to 10.0.20348.4297
Windows Server 2022 versions prior to 10.0.20348.4297
Windows Server 2022, 23H2 Edition (Server Core installation) versions prior to 10.0.25398.1916
Windows Server 2025 (Server Core installation) versions prior to 10.0.26100.6905
Windows Server 2025 versions prior to 10.0.26100.6905
Overview
A critical vulnerability has been reported in Windows Server Update Service, which may allow an unauthenticated remote attacker to execute arbitrary code on the targeted vulnerable system.
Target Audience:
System administrators, IT professionals, and security teams responsible for managing or maintaining Windows Server environments.
Risk Assessment:
High risk of arbitrary code execution, privilege escalation, and malicious update distribution.
Impact Assessment:
Potential for full system takeover, sensitive information disclosure, and disruption of services.
Description
The vulnerability exists due to improper deserialization of untrusted data within WSUS web services. A remote, unauthenticated attacker could exploit this flaw by sending specially crafted HTTP requests to WSUS.
Successful exploitation could allow an unauthenticated attacker to execute arbitrary code on the targeted system.
Note: CVE-2025-59287 is being actively exploited in the wild.
Workaround
Disable the WSUS Server Role and block inbound traffic to Ports 8530 and 8531 on the host firewall.
Solution
Apply the security updates released by Microsoft:
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
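To act on the affected-version list and the workaround above, the following added example (not part of the CERT-In advisory or any Microsoft tooling) triages a server inventory against the fixed builds listed under Software Affected. The record layout, status names and sample hosts are assumptions constructed for illustration, and the inventory is assumed to hold only Windows Server hosts, since some client Windows releases share these build numbers.

```python
from typing import NamedTuple

# First patched revision per branch, copied from "Software Affected" above.
FIXED = {
    (6, 2, 9200): 25728,    # Windows Server 2012
    (6, 3, 9600): 22826,    # Windows Server 2012 R2
    (10, 0, 14393): 8524,   # Windows Server 2016
    (10, 0, 17763): 7922,   # Windows Server 2019
    (10, 0, 20348): 4297,   # Windows Server 2022
    (10, 0, 25398): 1916,   # Windows Server 2022, 23H2 Edition
    (10, 0, 26100): 6905,   # Windows Server 2025
}
WSUS_PORTS = {8530, 8531}   # ports named in the Workaround section

class Host(NamedTuple):     # hypothetical inventory record (assumed layout)
    name: str
    version: str            # four-part OS version, e.g. "10.0.17763.7919"
    wsus_role: bool         # True if the WSUS Server Role is installed
    inbound_ports: frozenset  # ports the host firewall allows inbound

def classify(host: Host) -> str:
    try:
        major, minor, build, rev = (int(p) for p in host.version.strip().split("."))
    except ValueError:
        return "unknown"    # malformed, truncated or over-long version string
    fixed_rev = FIXED.get((major, minor, build))
    if fixed_rev is None:
        return "unknown"    # branch not listed in the advisory
    if rev >= fixed_rev:
        return "patched"
    if not host.wsus_role:
        return "unpatched-no-wsus"          # still needs the update; role not installed
    if WSUS_PORTS & host.inbound_ports:
        return "unpatched-wsus-reachable"   # first in line for the update or workaround
    return "unpatched-wsus-blocked"         # ports blocked, role still enabled

def triage(hosts):
    return {h.name: classify(h) for h in hosts}

SAMPLE = [  # constructed inventory, not real hosts
    Host("wsus01", "10.0.17763.7919", True, frozenset({443, 8530, 8531})),
    Host("wsus02", "10.0.20348.4297", True, frozenset({8530})),
    Host("wsus03", "10.0.26100.6899", True, frozenset({443})),
    Host("file01", "6.3.9600.22800", False, frozenset({445})),
    Host("old01", "10.0.14393", True, frozenset({8530})),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name:8} {status}")
```

Hosts reported as "unknown" need a manual check, because their version string could not be matched to any branch in the advisory.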
Vendor Information
Microsoft
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
References
Microsoft
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
CVE Name
CVE-2025-59287
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax : 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003