A serious security flaw has been discovered in Microsoft’s Windows Server Update Services (WSUS), and experts warn it is already being exploited by hackers. The vulnerability, identified as CVE-2025-59287, carries a severity score of 9.8 out of 10, making it one of the most dangerous recent threats to Windows servers.
The flaw was revealed earlier this month and stems from the deserialization of untrusted data in WSUS, which IT administrators use to manage and distribute Windows updates within organizations. According to cybersecurity firm Huntress, attackers are using the bug to gain full control over vulnerable servers.
Researchers at Hawktrace, who discovered the issue, explained that it occurs in how WSUS handles encrypted cookies. A crafted request sent to certain endpoints can allow an attacker to execute code remotely with system-level privileges — effectively taking over the server.
After Microsoft released an emergency update on October 23, Huntress reported that hackers began targeting publicly exposed WSUS web services almost immediately. These attackers used proxy networks to hide their locations and sent malicious commands that gathered user and network data from infected systems before sending it to remote servers.
Huntress said only a small number of systems appear vulnerable since WSUS is rarely exposed online, noting that just 25 instances were found open on the targeted network ports (8530 and 8531). Even so, the company urged all users to take the threat seriously.
Microsoft has released security updates for Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025. Users with automatic updates enabled will receive the fix automatically, but those who update manually can find the patch in the Microsoft Update Catalog.
For systems that cannot be patched immediately, Microsoft recommends blocking inbound traffic on ports 8530 and 8531 to prevent attacks, though this will temporarily disable WSUS updates. Servers without the WSUS role enabled are not affected.
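The workaround described above, as an added example (not Microsoft's or Huntress's own code): an elevated PowerShell script that first confirms the WSUS role is installed, lists what is listening on TCP 8530/8531, and then adds a single inbound block rule for those ports until the October 23 update is applied. The rule name is a constructed placeholder.

```powershell
# Added example (not from Microsoft or Huntress): check whether this server runs the
# WSUS role and, if so, apply the temporary workaround the article describes: block
# inbound TCP 8530/8531 until the October 23 security update is installed.
# Run in an elevated PowerShell session on the server itself.

$wsusPorts = 8530, 8531
$ruleName  = 'Temporary WSUS mitigation - block inbound 8530/8531'   # constructed name

# 1. Servers without the WSUS role are not affected; nothing to do there.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role (UpdateServices) is not installed; this host is not affected.'
    return
}

# 2. Show what is actually listening on the WSUS ports, and on which addresses.
#    A 0.0.0.0 or :: listener means the service answers on every interface, so
#    Internet exposure then depends entirely on the perimeter firewall.
Get-NetTCPConnection -State Listen -LocalPort $wsusPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 3. Apply the block rule once (idempotent: skip if it already exists).
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
                        -Direction Inbound -Protocol TCP -LocalPort $wsusPorts `
                        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Output "Created inbound block rule for TCP $($wsusPorts -join ', ')."
} else {
    Write-Output 'Block rule already present; nothing changed.'
}

# 4. Once the security update is installed, remove the rule so clients can
#    check in again:  Remove-NetFirewallRule -DisplayName $ruleName
```

As the article notes, the block rule also stops WSUS clients from reaching the server, so it is a stopgap until the patch is in place, not a substitute for it.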
Cybersecurity experts are warning organizations to act quickly. “Attackers are exploiting this in real time. Systems should be patched or taken offline until they are secured,” Huntress cautioned.