
Cloud Vulnerability DB
A community-maintained database of vulnerabilities
CVE-2025-59287 is a critical remote code execution vulnerability (CVSS 9.8) affecting Windows Server Update Services (WSUS). The vulnerability, discovered in October 2025, allows an unauthorized attacker to execute code over a network by exploiting a deserialization of untrusted data flaw in the WSUS reporting web services. It affects multiple versions of Windows Server including 2012, 2016, 2019, 2022, and 2025 with the WSUS Server Role enabled (Microsoft Update Guide, NVD).
The vulnerability stems from unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint. The flaw lies in the DecryptData method: the encrypted cookie data is decrypted with AES-128-CBC and then deserialized with BinaryFormatter without any type validation, so the decrypted payload is instantiated as whatever type it declares. The endpoint is reachable on the default WSUS ports, 8530/TCP (HTTP) and 8531/TCP (HTTPS). According to Shadowserver, over 2,800 WSUS instances with these default ports were found exposed online (HawkTrace, Bleeping Computer).
The vulnerability allows unauthenticated attackers to achieve remote code execution with SYSTEM privileges. The attack requires no user interaction and has low complexity. Because it is reachable over the network and yields such high privileges, the vulnerability is potentially wormable and poses a significant risk to organizations running WSUS (CISA Alert).
Microsoft released an out-of-band security update on October 23, 2025, to address the vulnerability. Organizations are advised to immediately identify servers with the WSUS Server Role enabled and apply the security update. If immediate patching is not possible, administrators should disable the WSUS Server Role and/or block inbound traffic to ports 8530/8531 at the host firewall. CISA has mandated that federal agencies implement these fixes by November 14, 2025 (CISA Alert).
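The following PowerShell script is an added example for the identify-and-mitigate steps above; it is not code from the Wiz page, Microsoft, or CISA. It checks whether the WSUS Server Role is installed, whether the default ports 8530/8531 are listening, whether a patch KB supplied by the operator is present, and, only when explicitly requested, adds a host-firewall rule blocking inbound TCP 8530/8531 as the interim mitigation. The KB identifier is a placeholder because the page does not state it; the rule name and parameter names are this example's own choices. It assumes the ServerManager and NetSecurity modules that ship with Windows Server and an elevated session.

```powershell
# Added example (not from the Wiz page, Microsoft, or CISA): inventory and
# interim-mitigation helper for CVE-2025-59287 on a Windows Server host.
# Run in an elevated PowerShell session on the server being checked.
# Assumptions: ServerManager and NetSecurity modules are present (they are on
# Windows Server); the patch KB id is supplied by the operator because the
# page does not state it.

param(
    # Placeholder: replace with the KB id of the October 23, 2025 out-of-band update.
    [string]$PatchKB = 'KB<placeholder>',
    # The firewall block is only applied when explicitly requested.
    [switch]$ApplyFirewallBlock
)

$ports    = 8530, 8531
$ruleName = 'Block inbound WSUS 8530-8531 (CVE-2025-59287 interim mitigation)'

# 1. Is the WSUS Server Role installed? If not, this host is not affected.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Output 'WSUS Server Role not installed; host is not affected by CVE-2025-59287.'
    return
}

# 2. Are the default WSUS ports actually listening on this host?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $ports -contains $_.LocalPort } |
    Select-Object -ExpandProperty LocalPort -Unique
Write-Output "WSUS role installed; listening WSUS ports: $($listening -join ', ')"

# 3. Has the out-of-band update been applied? (KB id comes from the operator.)
$patched = $null -ne (Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue)
if ($patched) {
    Write-Output "$PatchKB is installed; no interim mitigation needed."
    return
}
Write-Warning "$PatchKB not found. Host remains vulnerable until patched."

# 4. Interim mitigation: block inbound 8530/8531 at the host firewall.
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
if ($existing) {
    Write-Output 'Interim firewall block is already in place.'
}
elseif ($ApplyFirewallBlock) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $ports -Action Block -Profile Any | Out-Null
    Write-Output 'Inbound TCP 8530/8531 is now blocked on this host. Remove the rule after patching.'
}
else {
    Write-Output 'Re-run with -ApplyFirewallBlock to add the interim block, or disable the WSUS role.'
}
```

The firewall block also stops legitimate WSUS clients from reaching the server, so it is a stopgap until the update is installed, after which the rule should be removed with `Remove-NetFirewallRule -DisplayName $ruleName`. The script deliberately does not remove the WSUS role itself; disabling the role (the other mitigation the advisory names) is a larger change that an operator should make knowingly rather than from an inventory script.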
The vulnerability has garnered significant attention from the cybersecurity community. CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) catalog, emphasizing its critical nature. Multiple security firms, including Huntress, Eye Security, and HawkTrace, have published detailed analyses and observed active exploitation attempts (CISA KEV, Bleeping Computer).
Source: This report was generated with the help of AI.