Description
Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
CISA Known Exploited Vulnerability
Date added 2025-10-24 | Due date 2025-11-14
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Problem types
CWE-502: Deserialization of Untrusted Data
Product status
References
gist.github.com/hawktrace/880b54fb9c07ddb028baaae401bd3951
www.cisa.gov/...erabilities-catalog?field_cve=CVE-2025-59287 (CISA KEV)
www.bleepingcomputer.com/...-wsus-flaw-exploited-in-attacks/
hawktrace.com/blog/CVE-2025-59287
www.vicarius.io/...rability-in-windows-server-update-service
msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 (Windows Server Update Service (WSUS) Remote Code Execution Vulnerability)