Microsoft Windows Server Update Service Remote Code Execution Vulnerability

What is the Vulnerability?

CVE-2025-59287 is a critical unauthenticated remote code execution (RCE) vulnerability affecting Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization of untrusted data, allowing attackers to execute arbitrary code on vulnerable servers without authentication.

A public proof-of-concept exploit has been released, and CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild.

Organizations should prioritize immediate patching or isolation of any internet-facing or exposed WSUS servers to prevent compromise.

What is the recommended Mitigation?

The vulnerability impacts Windows Server installations with the WSUS role enabled, including Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025.

  • Apply Microsoft’s out-of-band security update released on October 23, 2025 (referenced in Microsoft’s official advisory and KB documentation).

  • Restrict network access to WSUS servers, ensuring they are not exposed to untrusted or external networks.

  • Review system logs for unusual activity or unauthorized WSUS access attempts.
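The second and third steps above amount to an exposure review of each WSUS host. The PowerShell below is an added example, not part of the FortiGuard alert or Microsoft's guidance; it assumes it is run as Administrator on the server, that WSUS uses its default ports 8530 (HTTP) and 8531 (HTTPS), and that the KB number of the out-of-band update is filled in from Microsoft's advisory (the page does not give it, so a placeholder is used).

```powershell
# Added example (not from the FortiGuard alert): exposure check for a WSUS host.
# Assumptions: run as Administrator; WSUS default ports 8530/8531; the KB id
# is a placeholder to be replaced with the number from Microsoft's advisory.
$KbId     = 'KB<number-from-Microsoft-advisory>'   # placeholder, not on this page
$WsusPorts = 8530, 8531

function Test-WsusExposure {
    $role = Get-WindowsFeature -Name UpdateServices
    if (-not $role.Installed) {
        Write-Output 'WSUS role not installed; CVE-2025-59287 does not apply to this host.'
        return
    }
    Write-Output 'WSUS role installed. Checking patch state and network exposure...'

    # 1. Patch state: is the out-of-band update present in the installed hotfix list?
    $fix = Get-HotFix -Id $KbId -ErrorAction SilentlyContinue
    if ($fix) { Write-Output "Update $KbId installed on $($fix.InstalledOn)." }
    else      { Write-Warning "Update $KbId not found; apply the out-of-band update." }

    # 2. Listeners: a WSUS port bound to 0.0.0.0 or :: accepts connections on every interface.
    Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
        ForEach-Object {
            $scope = if ($_.LocalAddress -in '0.0.0.0', '::') { 'ALL interfaces' } else { $_.LocalAddress }
            Write-Output "Port $($_.LocalPort) listening on $scope"
        }

    # 3. Firewall: enabled inbound allow rules for the WSUS ports whose remote scope is 'Any'.
    $portStrings = $WsusPorts | ForEach-Object { "$_" }
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        Where-Object {
            $ports = ($_ | Get-NetFirewallPortFilter).LocalPort
            ($ports | Where-Object { $_ -in $portStrings }).Count -gt 0
        } |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                Write-Warning "Rule '$($_.DisplayName)' allows WSUS ports from Any remote address; restrict it to client and management subnets."
            } else {
                Write-Output "Rule '$($_.DisplayName)' restricted to: $($remote -join ', ')"
            }
        }
}

Test-WsusExposure
```

Rules that express the port as a range (for example 8530-8531) are not matched by the exact-port comparison in step 3 and should be reviewed by hand.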

What FortiGuard Coverage is available?

  • FortiGuard IPS Service detects and blocks exploit attempts targeting CVE-2025-59287 (see Intrusion Prevention | FortiGuard Labs).

  • FortiGuard Endpoint Vulnerability Service provides a systematic and automated method of patching applications on an endpoint, eliminating manual processes while reducing the attack surface (see Endpoint Vulnerability | FortiGuard Labs).

  • The FortiGuard Incident Response team can be engaged to help with any suspected compromise.

Outbreak Alert

This report provides an overview of ongoing Iran-linked cyber operations, highlighting activity attributed to state-aligned proxies and hacktivist groups. The vulnerabilities listed are suspected to be exploited by actors associated with Iran in real-world campaigns, consistent with observed tactics, techniques, and procedures (TTPs). Iran-linked operations continue to rely on distributed, lower-complexity techniques, including phishing, DDoS, data exfiltration, and destructive attacks. Initial access is primarily achieved through exploitation of known, unpatched vulnerabilities and exposed edge infrastructure, reflecting a persistent and opportunistic threat posture targeting government, critical infrastructure, and enterprise environments.

View the full Outbreak Alert Report

Additional Resources

Microsoft Update Guide