CVE-2025-59287 - Microsoft WSUS Remote Code Execution

CVE-2025-59287 - Microsoft WSUS Remote Code Execution

Vulnerability Overview

• Vulnerability Name: Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
• CVE ID: CVE-2025-59287
• CVSS Score: 9.8 (Critical)

An unauthenticated remote code execution (RCE) vulnerability has been identified in Microsoft Windows Server Update Services (WSUS).
Source: Unit42 - Palo Alto Networks

Mitigation and Recommendations

• Apply Patch
• Restrict Access to the vulnerable serves
• Monitor for IoCs and suspicious traffic

Conclusion

CVE‑2025‑59287 is a critical, remotely exploitable vulnerability in WSUS that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges.

View official CVE details on NIST

Playbook Triggers

• Manually

Playbook Flow

1. Uses XQL to identify WSUS servers in your environment.
2. Collects IOCs from the Unit42 blog.
3. Uses XQL to detect any suspicious command lines indicative of exploitation of this vulnerability.
4. Investigates the command lines to identify malicious indicators related to the vulnerability.
5. Uses XQL to hunt for malicious IOCs.
6. Isolates compromised WSUS servers.
7. Blocks malicious indicators using the "Block Indicators - Generic v3" playbook.
8. Provides mitigation recommendations.