
"The vulnerability, tracked as CVE-2025-59287, affects Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025). WSUS is a component of the Windows Server operating system that is designed to simplify the management and distribution of Microsoft product updates and patches. Instead of each PC handling this individually, WSUS downloads the updates and stores them, and then distributes them to all computers on the network. However, a recent vulnerability allowed for insecure deserialization of untrusted data, which security experts have warned allows unauthenticated attackers to execute arbitrary code."
"CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method," Hawktrace said. "The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint."
"A few days after the public release of the CVE and the blog by HawkTrace, we are now observing active & successful exploitation targeting Windows Server Update Services (WSUS) world-wide, including our customer base," the firm said. "Our telemetry shows scanning and exploitation attempts from 207.180.254[.]242, and our scans reveal roughly 2,500 WSUS servers still exposed world-wide, including about 100 in the Netherlands and 250 in Germany."
CVE-2025-59287 affects Windows Server Update Services (WSUS) on Windows Server 2012, 2016, 2019, 2022, and 2025. WSUS centralizes download and distribution of Microsoft updates across networks. The vulnerability stems from unsafe deserialization of AuthorizationCookie data via BinaryFormatter in EncryptionHelper.DecryptData(), enabling unauthenticated attackers to send malicious encrypted cookies to the GetCookie() endpoint. Successful exploitation grants remote code execution with SYSTEM privileges. Microsoft released an initial fix but scanning and exploitation continue. Telemetry shows attempts from 207.180.254[.]242 and roughly 2,500 exposed WSUS servers worldwide. Huntress has also reported attacks targeting WSUS instances.
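A defender-side example, added here and not code from the IT Pro article, Hawktrace, or any of the firms quoted above: a small Python filter over constructed IIS W3C log lines that flags POST requests to the WSUS client web service from the scanning address reported above or from any non-internal source, and tallies hits per client so a scanning burst stands out. The log field layout and sample lines are constructed; the path /ClientWebService/Client.asmx (the service that hosts the GetCookie operation) and the internal address ranges are assumptions, and because the SOAPAction header that names GetCookie is not in default IIS logs, the filter keys on the hosting path rather than the operation name.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Assumption: the WSUS client web service path that hosts GetCookie; the page
# names only the GetCookie() endpoint. Compared case-insensitively.
WSUS_CLIENT_PATH = "/clientwebservice/client.asmx"

# IoC from the page, given there in defanged form as 207.180.254[.]242.
KNOWN_SCANNER_IPS = {"207.180.254.242"}

# Assumption: address ranges an organisation treats as internal. Checked
# explicitly rather than via ipaddress.is_private so documentation ranges
# used in the sample do not get misclassified.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

# Assumed IIS W3C field order for the constructed sample lines.
W3C_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
]

# Constructed sample log: one legitimate update agent, the reported scanner,
# one unrelated external host, and a non-service GET for contrast.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-24 09:15:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.1.23 Windows-Update-Agent 200
2025-10-24 09:15:07 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 207.180.254.242 python-requests/2.31 200
2025-10-24 09:15:09 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 198.51.100.77 python-requests/2.31 500
2025-10-24 09:15:10 10.0.0.5 GET /Content/abc.cab - 8530 - 10.0.1.23 Windows-Update-Agent 200
"""


@dataclass
class Finding:
    client_ip: str
    reason: str
    line: str


def parse_w3c_line(line):
    """Split one W3C log line into a field dict; skip directives and short lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(W3C_FIELDS):
        return None
    return dict(zip(W3C_FIELDS, parts))


def is_internal(ip, nets=INTERNAL_NETS):
    """True when the address falls inside one of the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def classify(rec):
    """Return a reason string for a suspicious client-service POST, else None."""
    if rec["cs-method"].upper() != "POST":
        return None
    if rec["cs-uri-stem"].lower() != WSUS_CLIENT_PATH:
        return None
    ip = rec["c-ip"]
    if ip in KNOWN_SCANNER_IPS:
        return "known-scanner"
    if not is_internal(ip):
        # An Internet-facing source reaching the client service is the
        # exposure the scan figures above describe.
        return "external-source"
    return None


def analyze(lines):
    """Return (findings, per-client POST counts to the WSUS client service)."""
    findings = []
    counts = Counter()
    for line in lines:
        rec = parse_w3c_line(line)
        if rec is None:
            continue
        if rec["cs-method"].upper() == "POST" and rec["cs-uri-stem"].lower() == WSUS_CLIENT_PATH:
            counts[rec["c-ip"]] += 1
        reason = classify(rec)
        if reason:
            findings.append(Finding(rec["c-ip"], reason, line))
    return findings, counts


if __name__ == "__main__":
    found, per_ip = analyze(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f.reason:16} {f.client_ip:16} {f.line}")
    print("client-service POSTs per source:", dict(per_ip))
```

Run against a real WSUS IIS log, the per-source counter is the more useful signal: a single external address issuing many POSTs to the client service in a short window matches the scanning pattern described in the telemetry above, whereas genuine update agents check in at a steady, low rate from internal ranges.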
Read at IT Pro