Overview
- Microsoft released out-of-band updates for all supported Windows Server versions after determining that the original Patch Tuesday fix for CVE-2025-59287 was incomplete. Systems require a reboot after installation.
- CISA added the flaw to its Known Exploited Vulnerabilities catalog and issued a directive giving federal agencies two weeks to patch, signaling urgent risk for public and private sectors.
- The vulnerability is an unsafe deserialization bug in WSUS AuthorizationCookie handling that enables unauthenticated remote code execution as SYSTEM and is potentially wormable between WSUS servers.
- National and private teams reported exploitation on October 24, including NCSC-NL confirmation and observations from Eye Security and Huntress, following the release of public proof-of-concept code.
- Administrators unable to patch immediately are advised to disable the WSUS role or block ports 8530 and 8531, a step that halts local update distribution. Security firms report thousands of WSUS servers exposed online.
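
The interim mitigation in the last item can be checked and applied on the WSUS host itself. The PowerShell below is an added example, not part of the original summary or any vendor script: it reports whether the WSUS role is installed and which of the two ports are listening, and with `-Apply` creates an inbound block rule. The rule name and the `-Apply` switch are assumptions made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example: audit this server for the WSUS exposure and optionally apply
# the temporary port block. Run from an elevated session on the WSUS host.
param([switch]$Apply)   # hypothetical switch: without it the script only reports

$WsusPorts = 8530, 8531                                  # ports named in the summary
$RuleName  = 'TEMP Block WSUS inbound (CVE-2025-59287)'  # hypothetical rule name

# 1. Is the WSUS server role installed on this host?
$role = Get-WindowsFeature -Name UpdateServices
if (-not $role.Installed) {
    Write-Output 'WSUS role is not installed; nothing to mitigate on this host.'
    return
}

# 2. Which WSUS ports are actually accepting connections?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $WsusPorts -ErrorAction SilentlyContinue |
    Select-Object -Property LocalAddress, LocalPort -Unique
if ($listeners) {
    Write-Output 'WSUS role installed and listening on:'
    $listeners | Format-Table -AutoSize | Out-String | Write-Output
} else {
    Write-Output 'WSUS role installed, but nothing is listening on 8530/8531.'
}

# 3. Is the temporary block rule already present?
$rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($rule) {
    Write-Output "Block rule '$RuleName' already exists (Enabled: $($rule.Enabled))."
    return
}

# 4. Apply the block only when asked. Windows Firewall block rules take
#    precedence over allow rules, so WSUS clients lose access until the rule
#    is removed after patching and rebooting.
if ($Apply) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    Write-Output "Created inbound block rule for TCP $($WsusPorts -join ', ')."
} else {
    Write-Output 'No block rule found. Re-run with -Apply to create it.'
}
```

Once the out-of-band update is installed and the server has rebooted, remove the rule with `Remove-NetFirewallRule -DisplayName` and the same name to restore update distribution.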