Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)
Dec. 21, 2025, 6:42 p.m.
Description
A critical vulnerability in Microsoft's Windows Server Update Services (WSUS) allows unauthenticated remote code execution with SYSTEM privileges. Initially patched on October 14, 2025, the flaw required an emergency update on October 23 because the first mitigation was incomplete. Active exploitation was observed within hours of the patch release. The vulnerability affects Windows Server 2012 through 2025 with the WSUS role enabled. Attacks focus on initial access and reconnaissance, targeting exposed WSUS instances on ports 8530 and 8531. Attackers execute malicious PowerShell commands to gather network intelligence and exfiltrate data. Approximately 5,500 WSUS instances are exposed globally, presenting a significant attack surface for broader network compromise.
Date
- Created: Dec. 7, 2025, 8:53 a.m.
- Published: Dec. 7, 2025, 8:53 a.m.
- Modified: Dec. 21, 2025, 6:42 p.m.