CVE-2025-59287 is a critical remote code execution vulnerability in Microsoft Windows Server Update Service (WSUS) discovered by security researchers MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH. The flaw stems from unsafe deserialization of untrusted AuthorizationCookie objects sent to the GetCookie() endpoint in WSUS. Specifically, encrypted cookie data is decrypted using AES-128-CBC and then deserialized using the BinaryFormatter without proper type validation, enabling attackers to execute arbitrary code with SYSTEM privileges remotely. This vulnerability affects all supported Windows Server versions with WSUS enabled, including Windows Server 2012 through Windows Server 2025 editions. Microsoft initially patched the issue in a recent Patch Tuesday update but had to release an emergency out-of-band update due to active exploitation and the availability of a public proof-of-concept exploit. Attackers exploit this by sending crafted events that trigger deserialization of malicious payloads, often encoded to evade detection, which then execute commands on the server. The exploitation does not require authentication or user interaction, increasing its risk. Microsoft recommends immediate patching and rebooting the affected systems. If patching is delayed, disabling the WSUS server role or blocking inbound WSUS ports (8530 and 8531) can mitigate risk temporarily. The U.S. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating remediation by November 14, 2025. The Dutch National Cyber Security Centre confirmed active exploitation in Europe, highlighting the urgency for organizations to act swiftly. The vulnerability is particularly dangerous because WSUS is widely used for patch management, and compromise could allow attackers to control update processes or deploy further malware.

For European organizations, the impact of CVE-2025-59287 is significant due to WSUS's widespread use in enterprise and government environments for centralized Windows patch management. Successful exploitation allows attackers to execute arbitrary code with SYSTEM privileges remotely, potentially leading to full system compromise, lateral movement, and deployment of ransomware or espionage tools. This could disrupt critical infrastructure, government services, and large enterprises reliant on Windows Server environments. The stealthy nature of the exploit—using crafted headers to hide commands—makes detection difficult, increasing the risk of prolonged undetected intrusions. Organizations that delay patching or fail to implement mitigations risk operational downtime, data breaches, and regulatory penalties under GDPR if personal data is compromised. The vulnerability's exploitation could also undermine trust in patch management infrastructure, complicating future security operations. Given the active exploitation and public availability of proof-of-concept code, the threat landscape is highly volatile, demanding immediate defensive actions.

1. Immediately apply the out-of-band security update released by Microsoft for all supported Windows Server versions with WSUS enabled, followed by a system reboot to ensure patch effectiveness. 2. If patching cannot be performed immediately, disable the WSUS server role on affected servers to eliminate the attack surface. 3. Block inbound traffic on TCP ports 8530 and 8531 at the host firewall or network perimeter to prevent exploitation attempts targeting WSUS. 4. Monitor network traffic and server logs for unusual requests, especially those containing suspicious headers like 'aaaa' or Base64-encoded payloads, which may indicate exploitation attempts. 5. Conduct an immediate audit of WSUS servers for signs of compromise, including unexpected processes or scheduled tasks. 6. Review and harden WSUS configurations, ensuring minimal exposure to untrusted networks and restricting administrative access. 7. Educate IT and security teams about the exploitation techniques and indicators of compromise related to this vulnerability. 8. Plan for rapid deployment of patches in the future by improving patch management workflows and testing procedures to reduce update delays. 9. Consider network segmentation to isolate WSUS servers from general user networks to limit lateral movement if compromised. 10. Follow guidance from national cybersecurity agencies and CISA for additional threat intelligence and remediation support.