216.73.217.22

Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3)

· Published 07/12/2025 08:53 · Modified 21/12/2025 18:42

Export JSON

Essential information

Published
07/12/2025 08:53
Modified
21/12/2025 18:42
Tags
2025-12-07 CVE-2025-59287 active exploitation cisa kev catalog patch management rce windows server wsus
Related entities
12 vulnerabilities (cve), 1 observables, 20 techniques (mitre)

Description

A critical vulnerability in Microsoft's Update Services () allows unauthenticated remote code execution with system privileges. Initially patched on October 14, 2025, the flaw required an emergency update on October 23 due to incomplete mitigation. was observed within hours of the patch release. The vulnerability affects 2012 to 2025 with role enabled. Attacks focus on initial access and reconnaissance, targeting exposed instances on ports 8530 and 8531. Attackers execute malicious PowerShell commands to gather network intelligence and exfiltrate data. Approximately 5,500 instances are exposed globally, presenting a significant attack surface for broader network compromise.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Vulnerabilities (CVE) (12)

CVE-2025-52906
9.3 Critical

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in TOTOLINK X6000R allows OS Command Injection.This issue …

Published
24/09/2025
Modified
24/09/2025
Received
CVE-2025-61955
8.5 High

A vulnerability exists in F5OS-A and F5OS-C systems that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector
LOCAL
Published
15/10/2025
Modified
21/12/2025
Received
CVE-2025-52907
7.3 High

Improper Input Validation vulnerability in TOTOLINK X6000R allows Command Injection, File Manipulation.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

Published
24/09/2025
Modified
24/09/2025
Received
CVE-2025-52905
7.0 High

Improper Input Validation vulnerability in TOTOLINK X6000R allows Flooding.This issue affects X6000R: through V9.4.0cu.1360_B20241207.

Published
23/09/2025
Modified
24/09/2025
Awaiting Analysis
CVE-2025-53868
8.5 High

When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance …

Attack vector
Network
Published
15/10/2025
Modified
04/02/2026
Received
CVE-2025-59287 KEV
9.8 Critical

Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector
Network
Published
24/10/2025
Modified
21/12/2025
Undergoing Analysis
CVE-2025-57780
8.5 High

A vulnerability exists in F5OS-A and F5OS-C system that may allow an authenticated attacker with local access to escalate their privileges. A …

Attack vector
LOCAL
Published
15/10/2025
Modified
21/12/2025
Received
CVE-2024-36401 KEV
9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector
Network
Published
15/07/2024
Modified
21/12/2025
CVE-2025-55182 KEV
10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector
Network
Published
05/12/2025
Modified
29/05/2026
Analyzed
CVE-2025-66478

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published
20/12/2025
Modified
21/12/2025
Rejected
CVE-2025-32433 KEV
10.0 Critical

Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may …

Attack vector
Network
Published
09/06/2025
Modified
27/05/2026
Received

Observables (1)

  • http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a

Techniques (MITRE) (20)

External references