Microsoft Fixes Critical WSUS Vulnerability in Windows Server

Microsoft has issued an out-of-band update for Windows Server to fix a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS). The flaw, tracked as CVE-2025-59287, poses a significant threat to organizations relying on WSUS for managing updates across enterprise networks.

Critical WSUS vulnerability puts Windows Servers at risk

According to Microsoft, the vulnerability stems from improper handling of update metadata or insecure WSUS configurations, which could allow remote attackers to inject malicious content into the update process. Once exploited, this could grant attackers full control of the affected server, potentially leading to widespread compromise across connected systems.

“Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. If the WSUS server role is enabled, the server will become vulnerable if the fix is not installed before the WSUS server role is enabled,” Microsoft explained. “A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.”

Microsoft has rolled out emergency updates to address this issue on Windows Server 2025, Windows Server version 23H2, Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, and Windows Server 2012. Administrators are urged to apply these patches immediately and review WSUS configurations to ensure secure deployment practices.

Temporary workarounds for unpatched systems

For those unable to patch right away, Microsoft suggests temporary workarounds such as disabling the WSUS Server Role or blocking inbound traffic to ports 8530 and 8531 via the firewall. However, these methods block WSUS functionality, which prevents update delivery to endpoints and potentially exposes systems to other risks if not managed properly. Additionally, Microsoft has temporarily disabled WSUS sync error details in the latest updates as part of its ongoing mitigation efforts for the CVE-2025-59287 vulnerability.

WSUS (Windows Server Update Services) has been marked as deprecated in Windows Server, and Microsoft is no longer actively developing new features and capabilities. Microsoft encourages IT administrators to move away from WSUS and adopt more modern, cloud-based solutions like Microsoft Intune.