CVE-2025-59287

Analyzed
Published: 14 Oct 2025, 17:16
Last modified: 12 Nov 2025, 14:33

Vulnerability Summary

Overall Risk: Critical Risk, 92/100
AI Analysis: Emergency, Requires Immediate Action
AI Detection: Active in Wild, Exploitation Detected
CVSS Score: 9.8 CRITICAL, CVSS v3.1 (MICROSOFT)
EPSS Score: 11.25% CRITICAL, 11% probability, +3.64%
CISA KEV: Listed, Microsoft
Ransomware: Known Use
Exploits: 1 found
Dark Web: Activity detected, Telegram

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Source Identifier: secure@microsoft.com
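
| CVSS | Source | Severity | Exploitability | Impact | Vector |
|---|---|---|---|---|---|
| v4.0 | n/a | | | | |
| v3.1 | Primary, secure@microsoft.com | 9.8 CRITICAL | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/U... |
| v3.0 | n/a | | | | |
| v2.0 | n/a | | | | |
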
Current Score: 64.04% (+3.64%)
Percentile Rank: 98%ile (+0.15%)

CWE-502: Deserialization of Untrusted Data
Description: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.

Vulnerability Name: Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
Added to CISA Catalog: 24 Oct 2025, 00:00
Action Due: 14 Nov 2025, 00:00
Known Ransomware: Ransomware
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Telegram Activity Detected
This vulnerability has been mentioned in monitored Telegram channels, indicating potential threat actor interest.
metasploit
Windows
exploit
Verified
Authors: mwulftange, msutovsky-r7
Published: 14 Oct 2025, 00:00
Updated: 10 Nov 2025, 18:32
This module exploits a deserialization vulnerability in the legacy serialization mechanism in Windows Server Update Services (WSUS). The vulnerability allows an unauthenticated attacker to create a specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not require any other options and, upon successful exploitation, the payload is executed in the context of administrator.
ATT&CK-T1190
code-white.com/blog/wsus-cve-2025-59287-analysis/
CVE-2025-59287

Affected Configurations (CPE)

microsoft windows_server_2012 (Vulnerable)
Version: -
cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*

microsoft windows_server_2012 (Vulnerable)
Version: r2
cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*

microsoft windows_server_2016 (Vulnerable)
Version: *
cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*

microsoft windows_server_2019 (Vulnerable)
Version: *
cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*

microsoft windows_server_2022 (Vulnerable)
Version: *
cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*

microsoft windows_server_2022_23h2 (Vulnerable)
Version: *
cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*

microsoft windows_server_2025 (Vulnerable)
Version: *
cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*

| URL | Tags | Source |
|---|---|---|
| https://gist.github.com/hawktrace/880b54fb9c07ddb028baaae401bd3951 | third party advisory | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| https://hawktrace.com/blog/CVE-2025-59287 | exploit, third party advisory | af854a3a-2127-422b-91ae-364da2661108 |
| https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 | vendor advisory | secure@microsoft.com |
| https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/ | press/media coverage | af854a3a-2127-422b-91ae-364da2661108 |
| https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59287 | third party advisory, us government resource | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
| https://www.vicarius.io/vsociety/posts/cve-2025-59287-detection-script-rce-vulnerability-in-windows-server-update-service | third party advisory | af854a3a-2127-422b-91ae-364da2661108 |
| https://www.vicarius.io/vsociety/posts/cve-2025-59287-mitigation-script-rce-vulnerability-in-windows-server-update-service | mitigation, third party advisory | af854a3a-2127-422b-91ae-364da2661108 |

© 2025 CveMate. All rights reserved. v0.1.4