⚠ Actively exploited
Added to CISA KEV on 2025-10-24. Federal agencies required to patch by 2025-11-14. Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

CVE-2025-59287: Deserialization of Untrusted Data in Microsoft Windows Server 2012

Severity: 9.8 CRITICAL (NVD)
EPSS: 75.7% (top 1.09%)
CISA KEV: Added 2025-10-24 | Due 2025-11-14
Exploit: PoC available (public exploit / PoC exists)

Timeline
Published: Oct 14
KEV added: Oct 24
KEV due: Nov 14
Latest update: Nov 20

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (7 packages)

CVEListV5 | microsoft/windows_server_2012 | 6.2.9200.0 | 6.2.9200.25728
CVEListV5 | microsoft/windows_server_2016 | 10.0.14393.0 | 10.0.14393.8524
CVEListV5 | microsoft/windows_server_2019 | 10.0.17763.0 | 10.0.17763.7922
CVEListV5 | microsoft/windows_server_2022 | 10.0.20348.0 | 10.0.20348.4297
CVEListV5 | microsoft/windows_server_2025 | 10.0.26100.0 | 10.0.26100.6905

🔴 Vulnerability Details (3)

CVEList: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (2025-10-14)
GHSA: GHSA-943j-4893-6rfq: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network (2025-10-14)
VulnCheck: Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability (2025)

💥 Exploits & PoCs (1)

Nuclei: Windows Server Update Service - Insecure Deserialization

🔍 Detection Rules (1)

Suricata: ET WEB_SERVER Microsoft Windows Server Update Services (WSUS) Unauthenticated Remote Code Execution via Insecure Deserialization (CVE-2025-59287) (2025-10-24)

📋 Vendor Advisories (2)

CISA: Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability (2025-10-24)
Microsoft: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (2025-10-14)

🕵️ Threat Intelligence (7)

Huntress: Velociraptor WSUS Exploitation, Pt. I: WSUS-Up? (2025-11-20)
Unit42: Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild (Updated November 3) (2025-11-03)
Bleepingcomputer: Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching (2025-11-03)
Bleepingcomputer: CISA orders feds to patch Windows Server WSUS flaw used in attacks (2025-10-27)
CVE-2025-59287 — Deserialization of Untrusted Data | cvebase