Overview
- Out-of-band cumulative updates are available for all supported Windows Server releases and require a reboot, with Microsoft urging immediate installation in place of the October Patch Tuesday fixes.
- CVE-2025-59287 enables unauthenticated remote code execution via unsafe deserialization in a legacy BinaryFormatter path that processes AuthorizationCookie data, granting SYSTEM privileges and potential worm-like spread between WSUS servers.
- The Dutch NCSC confirmed exploitation on October 24 after Eye Security observed scanning and at least one compromise, with researchers identifying roughly 2,500 internet-reachable WSUS instances, including clusters in Germany and the Netherlands.
- For organizations unable to patch at once, Microsoft advises disabling the WSUS role or blocking inbound ports 8530 and 8531 on the host firewall, which halts local update distribution until remediation is completed.
- Only servers with the WSUS role are vulnerable, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog as security firms report active targeting.
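
The interim mitigation described above, as an added PowerShell example (not Microsoft's script and not part of the original page): it checks whether the host has the WSUS role, reports listeners on ports 8530 and 8531, and adds a host-firewall block rule. It assumes an elevated session on Windows Server; the rule name is chosen for this example.

```powershell
# Added example: audit a host for the WSUS role and apply the port-block workaround.
# Run in an elevated PowerShell session on Windows Server.
# The rule name below is an assumption chosen for this example.
$RuleName  = 'Block inbound WSUS 8530-8531 (CVE-2025-59287 workaround)'
$WsusPorts = 8530, 8531

# Only servers with the WSUS role (feature name UpdateServices) are affected.
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role is not installed; this host is not affected.'
    return
}
Write-Output 'WSUS role is installed; checking listeners and firewall state.'

# Report which of the WSUS ports are actually listening on this host.
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $WsusPorts -contains $_.LocalPort }
foreach ($l in $listeners) {
    Write-Output ("Listening on {0}:{1} (PID {2})" -f $l.LocalAddress, $l.LocalPort, $l.OwningProcess)
}

# Add the block rule once; re-running the script does not create duplicates.
# Windows Firewall block rules take precedence over existing allow rules.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -Protocol TCP -LocalPort $WsusPorts -Profile Any | Out-Null
    Write-Output 'Block rule created.'
}

# Confirm the rule is enabled and covers both ports.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallPortFilter |
    Select-Object Protocol, LocalPort
```

Once the out-of-band update is installed and the server has rebooted, remove the rule with Remove-NetFirewallRule -DisplayName using the same name so clients can reach WSUS again.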