On October 29, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) released updated guidance for organizations to detect and mitigate threats related to the CVE-2025-59287 vulnerability in Microsoft’s Windows Server Update Services (WSUS).
CISA strongly urges organizations to implement Microsoft’s updated Windows Server Update Service (WSUS) Remote Code Execution Vulnerability guidance or risk an unauthenticated actor achieving remote code execution with system privileges. Immediate actions for organizations with affected products are:
- Identify servers vulnerable to exploitation (i.e., affected servers with WSUS Server Role enabled and ports open to TCP 8530/TCP 8531) for priority mitigation:
a. Run the following command in PowerShell to check if WSUS is in an installed state: Get-WindowsFeature -Name UpdateServices; and/or
b. Leverage the Server Manager Dashboard, and check if WSUS enablement is turned on as a Server Role.
2. Apply the out-of-band security update released on October 23, 2025, to all servers identified in Step 1. Reboot WSUS server(s) after installation to complete mitigation. If organizations are unable to apply the update immediately, system administrators should disable the WSUS Server Role and/or block inbound traffic to ports TCP 8530/TCP 8531, the default listeners for WSUS, at the host firewall. Of note, do not undo either of these workarounds until your organization has installed the update.
3. Apply updates to remaining Windows servers. Reboot servers after installation to complete mitigation.
In addition to checking for endpoint security platform events, CISA recommends that potentially affected organizations investigate signs of threat activity on their networks:
Monitor and vet suspicious activity and child processes spawned with SYSTEM-level permissions, particularly those originating from wsusservice.exe and/or w3wp.exe.
These child processes may represent legitimate activity; and
Exploitation of CVE-2025-59287 on the target system could involve additional services beyond WSUS parent processes.
Monitor and vet nested PowerShell processes using base64-encoded PowerShell commands.
CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities (KEV) Catalog on October 24, 2025. Organizations must prioritize identifying vulnerable servers using PowerShell commands like Get-WindowsFeature -Name UpdateServices or the Server Manager Dashboard to confirm WSUS enablement.
InfoSecBulletin Cybersecurity for mankind
