A critical Windows Server Update Services (WSUS) vulnerability, tracked as CVE-2025-59287, is now being actively exploited across multiple organizations despite Microsoft’s lack of public acknowledgment. Security teams at Google, Palo Alto Networks, and Trend Micro are all raising the alarm, warning that the flaw’s exploitation is already well underway.
CVE-2025-59287 is being exploited. Microsoft still hasn’t said it is
Microsoft issued a patch for the bug during October’s Patch Tuesday, then quietly pushed an emergency fix last week. But the company still hasn’t updated its advisory to reflect what’s happening on the ground: attackers are using it right now to compromise WSUS servers exposed to the internet.
Google’s Threat Intelligence Group (GTIG) says a newly identified actor, UNC6512, is exploiting the flaw to gain access to internal systems, run recon commands, and exfiltrate sensitive data. Yet Microsoft continues to list the bug as “not publicly disclosed or exploited.”
That stance is growing harder to defend by the hour.
The WSUS bug allows unauthenticated remote code execution
The core issue? Insecure deserialization of untrusted data. Attackers don’t need credentials; they only need network reach to a vulnerable WSUS server, which listens by default on TCP port 8530 (HTTP) or 8531 (HTTPS). Once in, they run PowerShell commands to probe the system and exfiltrate data, using Invoke-WebRequest and falling back to curl.exe when that is blocked.
Worse, the initial patch didn’t fully close the hole, creating a dangerous false sense of security. Microsoft’s rushed emergency update came only after threat activity had already begun.
Exploitation is broad and increasing
Trend Micro’s telemetry shows 100,000 exploitation attempts in just the past seven days, with nearly 500,000 internet-facing WSUS servers still potentially exposed.
According to Palo Alto’s Unit 42 team, the attackers seem to be scanning indiscriminately. While only a “limited number” of victims have been confirmed so far, the potential downstream risk is massive, especially if attackers pivot to using WSUS itself to distribute malware across networks.
What makes CVE-2025-59287 so dangerous:
- Unauthenticated RCE
- Low attack complexity: a single crafted request to the WSUS listener
- Proof-of-concept exploit available
- Wide attack surface among exposed servers
- Potential for supply chain attacks via WSUS payload delivery
Microsoft’s patching problem strikes again
This isn’t just about one vulnerability. It’s about a wider trust issue with Microsoft’s patch process. Dustin Childs from Trend Micro’s Zero Day Initiative notes that incomplete patches increase enterprise risk by signaling a false fix. Attackers then reverse-engineer the update to find what’s still open and strike faster.
“We need to start holding them accountable,” Childs said. “Not just for breaking functionality, but for patches that don’t fix the vulnerabilities they document.”
For now, it’s patch fast and limit exposure
If you run a WSUS server, your move is clear:
- Patch immediately with the emergency (out-of-band) update; the October Patch Tuesday fix alone does not close the hole
- Block public access to WSUS ports 8530 and 8531: restrict inbound TCP on both to your client subnets at the network edge and on the host firewall
- Monitor PowerShell activity for suspicious commands, in particular recon commands and downloads via Invoke-WebRequest or curl.exe; PowerShell script block logging is what makes these visible
- Review network logs for unexpected outbound traffic from the WSUS host
- If the server was reachable from the internet before the emergency update went on, treat it as potentially compromised: the patch stops new exploitation but does not evict an attacker who is already inside
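The following triage script puts the steps above, and the PowerShell/Invoke-WebRequest/curl.exe pattern described earlier, into one run on the WSUS host. It is an added example written for this article, not code from the article, from Microsoft, or from any of the vendors quoted. Assumptions not stated in the article: WSUS uses its default ports 8530/8531, PowerShell Script Block Logging (Event ID 4104) is enabled, the WSUS application pool runs as NETWORK SERVICE (S-1-5-20, the default identity), WSUS synchronization goes out through WsusService.exe rather than the IIS worker, and $TrustedNets is a placeholder you replace with your own client subnets.

```powershell
<#
  Added example for this article; not code from the article, Microsoft, or any vendor named above.
  Assumptions (not from the article): default WSUS ports 8530/8531; Script Block Logging (4104) on;
  WSUS app pool runs as NETWORK SERVICE (S-1-5-20); $TrustedNets is a placeholder.
  Run from an elevated PowerShell on the WSUS server. Audit only unless -Remediate is given.
#>
param([switch]$Remediate)

$WsusPorts    = 8530, 8531
$TrustedNets  = @('10.0.0.0/8', '192.168.0.0/16')   # placeholder: replace with your client ranges
$LookbackDays = 7

# --- 1. Is anything listening on the WSUS ports? WSUS is hosted in IIS, so expect w3wp.exe.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort }
if (-not $listeners) { Write-Host 'No listener on TCP 8530/8531 on this host.' }
foreach ($l in $listeners) {
    $p = Get-Process -Id $l.OwningProcess -ErrorAction SilentlyContinue
    Write-Host ('Listening {0}:{1}  pid={2} ({3})' -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess, $p.ProcessName)
}

# --- 2. Host firewall: enabled inbound allow rules that open a WSUS port to ANY remote address.
#        Port ranges such as '8530-8531' are not expanded; a LocalPort or Protocol of 'Any' counts as a hit.
$broadRules = foreach ($r in Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow) {
    $pf = $r | Get-NetFirewallPortFilter
    if ($pf.Protocol -notin 'TCP', 'Any') { continue }
    $hit = @($pf.LocalPort) | Where-Object { $_ -eq 'Any' -or $WsusPorts -contains $_ }
    if (-not $hit) { continue }
    $af = $r | Get-NetFirewallAddressFilter
    if ($af.RemoteAddress -eq 'Any') { $r }
}
foreach ($r in $broadRules) {
    $portList = @(($r | Get-NetFirewallPortFilter).LocalPort) -join ','
    Write-Warning ("Rule '{0}' allows TCP {1} from any remote address" -f $r.DisplayName, $portList)
}
if ($Remediate -and $broadRules) {
    # Windows Firewall cannot express "allow except these ranges", so disable the broad allow
    # rules and add one allow rule scoped to the trusted subnets. Edge/NAT rules still need fixing.
    $broadRules | Disable-NetFirewallRule
    New-NetFirewallRule -DisplayName 'WSUS (trusted networks only)' -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $WsusPorts -RemoteAddress $TrustedNets -Profile Any | Out-Null
    Write-Host ('Scoped WSUS inbound rule to: {0}' -f ($TrustedNets -join ', '))
}

# --- 3. Script Block Logging (4104): the download/exfil and recon commands described above, plus any
#        PowerShell that ran as the WSUS app-pool identity (S-1-5-20), which a healthy WSUS host
#        should never produce. Expect some noise from legitimate admin scripts.
$suspect = 'Invoke-WebRequest|\biwr\b|Invoke-RestMethod|curl\.exe|whoami|ipconfig|nltest|net\s+user'
$filter  = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
              StartTime = (Get-Date).AddDays(-$LookbackDays) }
foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
    $text   = ([string]$e.Properties[2].Value) -replace '\s+', ' '    # ScriptBlockText, flattened
    $asPool = $e.UserId -and $e.UserId.Value -eq 'S-1-5-20'
    if ($asPool -or $text -match $suspect) {
        $why = if ($asPool) { 'ran as NETWORK SERVICE' } else { "matched '$($Matches[0])'" }
        Write-Warning ('{0} 4104 {1}: {2}' -f $e.TimeCreated, $why, $text.Substring(0, [Math]::Min(160, $text.Length)))
    }
}

# --- 4. Snapshot of established outbound connections to non-private addresses from the IIS worker,
#        PowerShell or curl. Assumes WSUS sync runs via WsusService.exe, so w3wp.exe talking to the
#        internet is a lead, not normal behaviour (a proxy in the path changes what "remote" means).
$private = '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.|169\.254\.|::1$|fe80:)'
foreach ($c in (Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)) {
    if ($c.RemoteAddress -match $private) { continue }
    $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.ProcessName -in 'w3wp', 'powershell', 'pwsh', 'curl') {
        Write-Warning ('Outbound {0}:{1} from {2} (pid {3})' -f $c.RemoteAddress, $c.RemotePort, $p.ProcessName, $c.OwningProcess)
    }
}
```

Run it first without -Remediate and read the warnings; the firewall change only tightens the host, so the internet-facing NAT or edge rule that exposed port 8530/8531 in the first place still has to be removed separately. Sections 3 and 4 are live-host checks and are no substitute for centrally collected logs, since an attacker with code execution on the box can clear local event logs.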
The exploitation is already live. And when it comes to WSUS, the risks don’t stop at one server; they can cascade through every machine it touches.
Patch fast. Audit faster. Silence doesn’t equal safety.