Critical WSUS RCE (CVE-2025-59287) being exploited — patch now!
What happened?
On October 23–24, 2025, security teams observed real-world exploitation of a deserialization bug in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The flaw allows specially crafted requests to WSUS web services to trigger remote code execution on affected servers. Attackers have actively targeted WSUS instances that are reachable on the default WSUS ports (TCP 8530 for HTTP and 8531 for HTTPS). (Source: Huntress)
How attackers abused it
According to incident investigators, exploitation involved sending multiple crafted POST requests to WSUS web endpoints. Successful exploits spawned system shells (cmd.exe) and PowerShell under either the WSUS service process (wsusservice.exe) or the IIS worker process (w3wp.exe), allowing the execution of arbitrary commands and data collection from the compromised host. Observed payloads included base64-encoded PowerShell one-liners that enumerated user and network information and exfiltrated output to a remote webhook. Proxy networks were used to obscure attacker origin. (Source: Huntress)
Who is at risk?
Any Windows Server running WSUS that is not updated and that exposes WSUS endpoints to untrusted networks is at risk, especially servers with ports 8530/8531 open to the internet. In practice, the researchers observed a limited number of susceptible hosts, but exploitation is serious because WSUS often runs with elevated privileges and has access to broad parts of an environment. (Source: Huntress)
Indicators & forensic artifacts to check
If you suspect exploitation, review the following artifacts and logs:
WSUS software log: C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log.
IIS access logs: C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log. Look for POST requests to WSUS web services such as ReportingWebService.asmx, SimpleAuthWebService.asmx, ClientWebService/Client.asmx, and ApiRemoting30/WebService.asmx.
Suspicious process chains: wsusservice.exe → cmd.exe → cmd.exe → powershell.exe or w3wp.exe → cmd.exe → cmd.exe → powershell.exe.
Common enumeration commands observed: whoami; net user /domain; ipconfig /all.
Evidence of HTTP exfiltration to attacker-controlled webhooks (e.g., curl.exe or Invoke-WebRequest sending data). (Source: Huntress)
Immediate actions (what you should do right now)
Apply Microsoft’s out-of-band update for CVE-2025-59287. This is the primary mitigation; install the security update appropriate for your Windows Server and WSUS version as recommended by Microsoft. (Source: Huntress)
Block external access to WSUS. Restrict inbound access to TCP 8530/8531 to only trusted management hosts and Microsoft Update endpoints. For almost all organizations, WSUS should never be directly reachable from the public internet. (Source: Huntress)
Hunt for signs of compromise. Check the files and logs listed above, search for the process chains and the enumeration commands, and look for outgoing connections to suspicious webhook domains or IPs. If you find evidence, isolate the host and begin incident response procedures. (Source: Huntress)
Contain and remediate. If exploitation is confirmed, collect volatile forensic data, preserve logs, and consider a full rebuild if persistence or deeper compromise is suspected. Apply the patch and harden network access before returning systems to production.
Detection tips
Alert on new instances of w3wp.exe or wsusservice.exe spawning cmd.exe or powershell.exe.
Monitor IIS POST activity to WSUS endpoints that include unusual payload sizes or repeated POSTs in rapid succession.
Flag outbound HTTP/HTTPS requests from WSUS servers to unknown external domains or IPs (especially to webhook-like endpoints).
Use WSUS and IIS logs to correlate suspicious timestamps with process creation events from EDR or Sysmon.
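As an added example (not code from the Huntress report or from this post), the script below parses IIS W3C extended logs such as the u_ex*.log files listed above and flags client IPs that sent repeated POSTs to the WSUS web-service endpoints in a short window, which is the "repeated POSTs in rapid succession" tip in practice. The log lines are constructed, and the threshold of 5 POSTs per 60 seconds is an assumed starting value to tune for your environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Endpoint names from the advisory, matched case-insensitively inside cs-uri-stem
WSUS_ENDPOINTS = ("reportingwebservice.asmx", "simpleauthwebservice.asmx",
                  "clientwebservice/client.asmx", "apiremoting30/webservice.asmx")

def parse_iis_w3c(lines):
    """Yield one dict per request; '#Fields:' names the columns, other '#' lines are skipped."""
    fields = []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated rows instead of misaligning columns
                yield dict(zip(fields, values))

def wsus_post_bursts(lines, threshold=5, window_seconds=60):
    """Return {client_ip: max_posts_in_window} for clients with at least `threshold`
    POSTs to WSUS web services inside any `window_seconds` span (assumed tuning values)."""
    posts = defaultdict(list)
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        if rec.get("cs-method") == "POST" and any(ep in stem for ep in WSUS_ENDPOINTS):
            ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
            posts[rec["c-ip"]].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged

# Constructed sample in IIS W3C format: a normal client (10.0.0.21) and a burst from 203.0.113.7
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-10-23 10:00:05 10.0.0.5 GET /ClientWebService/Client.asmx - 8530 10.0.0.21 200
2025-10-23 10:00:06 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.0.21 200
2025-10-23 10:01:00 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.7 500
2025-10-23 10:01:03 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.7 500
2025-10-23 10:01:07 10.0.0.5 POST /ApiRemoting30/WebService.asmx - 8530 203.0.113.7 500
2025-10-23 10:01:12 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.7 200
2025-10-23 10:01:20 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.7 500
2025-10-23 10:30:00 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.0.21 200
2025-10-23 10:31:00 10.0.0.5 POST""".splitlines()
```

Because the report notes that proxy networks were used, a burst may be spread across many source addresses; re-run the check with the per-IP grouping collapsed (or grouped by User-Agent) to catch that case.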
Longer-term recommendations
Treat management infrastructure (like WSUS) as crown-jewel assets: put them on isolated management networks, enforce strict allowlists, and limit administrative access.
Maintain a timely patching cadence for infrastructure components and subscribe to security advisories from vendors.
Harden logging and retention so investigations can reconstruct activity windows even after attackers attempt to erase traces.