Alert: Microsoft Releases Out-of-Band Security Update to Mitigate Windows Server Update Service Vulnerability, CVE-2025-59287 (Last Revised October 29, 2025)

  • October 29, 2025

TripleHelix
Moderator

Updated October 29, 2025: CISA has updated this Alert to include revised information on vulnerable product identification, potential threat activity detections, and additional resources.

Microsoft released an update to address a critical remote code execution vulnerability impacting Windows Server Update Service (WSUS) in Windows Server (2012, 2016, 2019, 2022, and 2025), CVE-2025-59287, that a prior update did not fully mitigate.

CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance [1], or risk an unauthenticated actor achieving remote code execution with SYSTEM privileges. Immediate actions for organizations with affected products are:

(Updated October 29, 2025):

  1. Identify servers vulnerable to exploitation (i.e., affected servers with the WSUS Server Role enabled and listening on TCP 8530/TCP 8531) for priority mitigation:
    1. Run the following command in PowerShell to check whether WSUS is in an installed state: Get-WindowsFeature -Name UpdateServices; and/or
    2. Use the Server Manager Dashboard and check whether WSUS is enabled as a Server Role.
  2. Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1. Reboot WSUS server(s) after installation to complete mitigation. If organizations are unable to apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports TCP 8530/TCP 8531, the default listeners for WSUS, at the host firewall. Of note, do not undo either of these workarounds until your organization has installed the update.
  3. Apply updates to remaining Windows servers. Reboot servers after installation to complete mitigation.
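The following PowerShell is an added example for working through Steps 1 and 2 on a single host; it is not part of the CISA alert or Microsoft's guidance. It assumes a Windows Server with the ServerManager, NetTCPIP and NetSecurity modules (the source of Get-WindowsFeature, Get-NetTCPConnection and New-NetFirewallRule). The alert does not name the KB number of the October 23, 2025 out-of-band update, so the KB id is a placeholder parameter that must be filled in from the Microsoft Security Update Guide entry for CVE-2025-59287.

```powershell
# Added example (not from the CISA alert): triage one WSUS host against
# Steps 1 and 2 above and stage the interim firewall workaround.
# Assumes Windows Server with ServerManager/NetTCPIP/NetSecurity modules.

function Get-WsusExposure {
    [CmdletBinding()]
    param(
        # Placeholder: the KB id of the October 23, 2025 out-of-band update
        # is not given in the alert; take it from the Security Update Guide.
        [string]$OutOfBandKb = 'KBXXXXXXX'
    )

    # Step 1a: is the WSUS Server Role installed?
    $feature = Get-WindowsFeature -Name UpdateServices
    $roleOn  = [bool]$feature.Installed

    # Step 1b: are the default WSUS listeners (TCP 8530/8531) bound?
    $listeners = Get-NetTCPConnection -State Listen -LocalPort 8530, 8531 -ErrorAction SilentlyContinue
    $ports     = @($listeners | Select-Object -ExpandProperty LocalPort -Unique)

    # Step 2: is the out-of-band update already installed? (placeholder KB id)
    $patched = [bool](Get-HotFix -Id $OutOfBandKb -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        WsusRoleOn     = $roleOn
        ListeningPorts = $ports
        Patched        = $patched
        # Priority per Step 1: role enabled, listeners open, update missing
        NeedsAction    = ($roleOn -and $ports.Count -gt 0 -and -not $patched)
    }
}

function Invoke-WsusWorkaround {
    # Step 2 interim workaround when the update cannot be applied at once:
    # block inbound TCP 8530/8531 at the host firewall. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $ruleName = 'Block inbound WSUS listeners (CVE-2025-59287 interim workaround)'
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Verbose "Firewall rule '$ruleName' already exists."
        return
    }
    if ($PSCmdlet.ShouldProcess('TCP 8530,8531 inbound', 'Create blocking firewall rule')) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 8530, 8531 -Action Block -Profile Any | Out-Null
    }
}

# Usage: run elevated on each candidate server. Preview with -WhatIf first;
# drop it to apply. Remove the rule only after the update is installed and
# the server has been rebooted, as the alert says.
$exposure = Get-WsusExposure -OutOfBandKb 'KBXXXXXXX'
$exposure | Format-List
if ($exposure.NeedsAction) {
    Invoke-WsusWorkaround -WhatIf
}
```

The firewall rule is the less disruptive of the two workarounds the alert offers; the other, disabling the WSUS Server Role, can be done with Uninstall-WindowsFeature -Name UpdateServices (a standard ServerManager cmdlet, not shown in the block) and should likewise be left in place until the update is installed.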

In addition to checking for endpoint security platform events, CISA recommends that potentially affected organizations investigate signs of threat activity on their networks:

  • Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe. Keep in mind:
    • These child processes may represent legitimate activity; and
    • Exploitation of CVE-2025-59287 on the target system could involve additional services beyond WSUS parent processes.
  • Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands.
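As an added example that is not part of the CISA alert, the script below applies the two hunting heuristics above to process-creation telemetry. It assumes records shaped like Sysmon Event ID 1 (Image, ParentImage, User, CommandLine); the four sample events are constructed for this example, and the decoded payload in one of them is a harmless whoami. Only the commented Get-WinEvent line refers to a real log.

```powershell
# Added example (not from the CISA alert): flag SYSTEM-level children of
# WSUS parent processes and nested PowerShell carrying a base64-encoded
# command. Sample events are constructed; field names follow Sysmon EID 1.

$WsusParents = @('wsusservice.exe', 'w3wp.exe')

function Test-EncodedPowerShell {
    # Return the decoded command when the command line carries
    # -e/-ec/-enc/-EncodedCommand <base64>, otherwise $null.
    # PowerShell encodes the payload as UTF-16LE, hence [Text.Encoding]::Unicode.
    param([string]$CommandLine)
    if ($CommandLine -match '\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Find-SuspiciousProcesses {
    param([object[]]$Events)
    foreach ($e in $Events) {
        # Leaf file names, lower-cased, so path differences do not matter
        $child    = ($e.Image -split '\\')[-1].ToLower()
        $parent   = ($e.ParentImage -split '\\')[-1].ToLower()
        $isSystem = $e.User -eq 'NT AUTHORITY\SYSTEM'
        $decoded  = Test-EncodedPowerShell $e.CommandLine
        $reasons  = @()

        # Heuristic 1: SYSTEM-level child spawned by wsusservice.exe or w3wp.exe.
        # The alert notes these can be legitimate, so this is a triage queue, not a verdict.
        if ($isSystem -and $WsusParents -contains $parent) {
            $reasons += "SYSTEM child of $parent"
        }
        # Heuristic 2: nested PowerShell with a base64-encoded command
        if ($child -eq 'powershell.exe' -and $parent -eq 'powershell.exe' -and $decoded) {
            $reasons += 'nested PowerShell with encoded command'
        }
        if ($reasons.Count) {
            [pscustomobject]@{
                Parent  = $parent
                Child   = $child
                User    = $e.User
                Reasons = ($reasons -join '; ')
                Decoded = $decoded
            }
        }
    }
}

# Constructed sample telemetry (not real events)
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Program Files\Update Services\Service\WsusService.exe'
                       Image       = 'C:\Windows\System32\cmd.exe'
                       User        = 'NT AUTHORITY\SYSTEM'
                       CommandLine = 'cmd.exe /c whoami' }          # fires heuristic 1
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       User        = 'NT AUTHORITY\NETWORK SERVICE'
                       CommandLine = 'powershell.exe -nop -w hidden' }  # not SYSTEM, not nested: no hit
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       User        = 'NT AUTHORITY\SYSTEM'
                       CommandLine = 'powershell.exe -enc dwBoAG8AYQBtAGkA' }  # decodes to "whoami": heuristic 2
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'
                       Image       = 'C:\Windows\System32\notepad.exe'
                       User        = 'CORP\alice'
                       CommandLine = 'notepad.exe' }               # benign: no hit
)

# Live telemetry: Sysmon Event ID 1 carries the same fields in its message;
# map them to the shape above before calling Find-SuspiciousProcesses, e.g.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } -MaxEvents 5000
Find-SuspiciousProcesses -Events $SampleEvents | Format-Table -AutoSize
```

Against the sample set the first and third events are reported and the other two are not, which mirrors the alert's caveat: a SYSTEM child of a WSUS parent is a lead to vet, and decoding the encoded command is what turns the lead into something an analyst can judge.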

(End of Update)

CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog on October 24, 2025.

(Updated October 29, 2025):

See the following resources for additional guidance on this vulnerability:

  • Palo Alto Networks Unit 42: Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated October 28, 2025)

(End of Update)

Disclaimer

Note: CISA may update this Alert to reflect new guidance issued by CISA or other parties. 

Organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at contact@cisa.dhs.gov or (888) 282-0870.

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

  1. Microsoft.com, CVE-2025-59287 - Security Update Guide - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability, accessed October 24, 2025.

Source: https://www.cisa.gov/news-events/alerts/2025/10/24/microsoft-releases-out-band-security-update-mitigate-windows-server-update-service-vulnerability-cve