Critical WSUS Vulnerability Exploited in Remote Attacks

A serious vulnerability in Windows Server Update Services (WSUS) is being exploited by attackers, allowing them to execute malicious code with SYSTEM privileges. The vulnerability, tracked as CVE-2025-59287, affects only Windows servers with the WSUS role enabled and can be exploited remotely without user interaction.

Microsoft has released out-of-band security updates for affected versions of Windows Server to address this flaw. IT administrators are advised to install these patches as soon as possible. In the meantime, workarounds such as disabling the WSUS Server role on vulnerable systems can help remove the attack vector.

Cybersecurity firms have observed multiple instances of CVE-2025-59287 exploitation: a Dutch firm reported scanning and exploitation attempts, and an American company found evidence of attacks targeting exposed WSUS ports. While Microsoft has not yet confirmed active exploitation, it has classified the vulnerability as “Exploitation More Likely.”

The Netherlands National Cyber Security Centre (NCSC-NL) has warned admins about the increased risk due to the availability of proof-of-concept exploit code. Microsoft’s advisory lists the following updates for affected versions:

* Windows Server 2025 (KB5070881)
* Windows Server, version 23H2 (KB5070879)
* Windows Server 2022 (KB5070884)
* Windows Server 2019 (KB5070883)
* Windows Server 2016 (KB5070882)
* Windows Server 2012 R2 (KB5070886)
* Windows Server 2012 (KB5070887)

Affected organizations are urged to install the latest security updates and follow recommended workarounds to mitigate this vulnerability.
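A triage check for a single server, as an added example that is not taken from the article or from Microsoft: it reports whether the WSUS role is installed and whether the update listed above for that Windows Server version is present. The function name `Get-WsusExposure` is hypothetical, and the build-number keys are an assumption added here to map each listed version to its KB.

```powershell
# Added example: run on a Windows Server host in an elevated PowerShell session.
# KB numbers come from the list in this article; build numbers are the
# standard Windows Server builds for those versions (mapping added here).
$kbByBuild = @{
    26100 = 'KB5070881'  # Windows Server 2025
    25398 = 'KB5070879'  # Windows Server, version 23H2
    20348 = 'KB5070884'  # Windows Server 2022
    17763 = 'KB5070883'  # Windows Server 2019
    14393 = 'KB5070882'  # Windows Server 2016
    9600  = 'KB5070886'  # Windows Server 2012 R2
    9200  = 'KB5070887'  # Windows Server 2012
}

function Get-WsusExposure {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [int]$os.BuildNumber
    $kb    = $kbByBuild[$build]

    # Only servers with the WSUS role enabled are affected.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $wsusInstalled = [bool]($role -and $role.Installed)

    # Get-HotFix matches this exact KB only; a later cumulative update
    # that supersedes it will not match, hence 'Review' rather than 'Vulnerable'.
    $kbPresent = $false
    if ($kb) {
        $kbPresent = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }

    if (-not $wsusInstalled) {
        $status = 'NotAffected: WSUS role not installed'
    } elseif (-not $kb) {
        $status = 'Unknown: build not in the listed versions'
    } elseif ($kbPresent) {
        $status = 'Patched: listed KB installed'
    } else {
        $status = 'Review: WSUS role present, listed KB not found'
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Build         = $build
        WsusInstalled = $wsusInstalled
        ExpectedKB    = $kb
        KBPresent     = $kbPresent
        Status        = $status
    }
}

Get-WsusExposure
```

A `Review` result means the update history should be checked by hand, since a newer cumulative update may already include the fix.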

Source: https://www.bleepingcomputer.com/news/security/hackers-now-exploiting-critical-windows-server-wsus-flaw-in-attacks