A critical vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is currently being exploited, posing significant risks to multiple organizations. According to the Google Threat Intelligence Group, there have been around 100,000 instances of exploitation in just the past week, with the vulnerability allowing unauthenticated attackers to execute arbitrary code on affected systems. Despite the urgency of the situation, Microsoft has not updated its guidance to reflect this active exploitation, leading to concerns among cybersecurity experts. The vulnerability affects Windows Server versions from 2012 to 2025 and stems from insecure deserialization of untrusted data. Experts warn that the potential consequences of these attacks could be catastrophic for downstream victims, particularly for those that have exposed their WSUS instances to the internet. As such, immediate action is recommended to mitigate risks associated with this vulnerability.
Why do we care?
This one’s bad — and it’s live. A new Windows Server Update Services vulnerability is being hammered. It lets attackers run code on your servers, no login needed.
And here’s the kicker — Microsoft hasn’t updated its guidance yet, even though Google says it’s being actively exploited. That’s unacceptable when WSUS is the system pushing updates to every machine you manage. If that gets compromised, you could be distributing malware instead of patches.
So don’t wait. Lock down your WSUS, take it off the internet, check your signatures, and verify your patch workflows. This is one of those moments where “wait for guidance” is the wrong move. Act now — or risk becoming the delivery system for your clients’ next breach.
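
One way to check the "take it off the internet" step on a WSUS host, as an added example that is not from the original article. It assumes WSUS is on its default ports (8530 for HTTP, 8531 for HTTPS); the helper name Test-CoversWsusPort is hypothetical.

```powershell
# Added example (not from the original article). Run elevated on a Windows Server.
# Assumption: WSUS uses its default ports, 8530 (HTTP) and 8531 (HTTPS).
$wsusPorts = 8530, 8531

# True when a firewall LocalPort spec ('Any', '8530', '8000-9000') covers a WSUS port.
function Test-CoversWsusPort {
    param([string[]]$Spec, [int[]]$Ports)
    foreach ($s in $Spec) {
        if ($s -eq 'Any') { return $true }
        if ($s -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($Ports | Where-Object { $_ -ge $lo -and $_ -le $hi }) { return $true }
        }
        elseif (($s -match '^\d+$') -and ([int]$s -in $Ports)) { return $true }
    }
    return $false
}

# 1. Is the WSUS role installed on this host?
if (-not (Get-WindowsFeature -Name UpdateServices).Installed) {
    Write-Output "WSUS role is not installed on $env:COMPUTERNAME."
    return
}

# 2. Which WSUS ports are listening, and on which local addresses?
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $wsusPorts } |
    Select-Object LocalAddress, LocalPort |
    Format-Table -AutoSize

# 3. Enabled inbound allow rules that cover a WSUS port. A RemoteAddress of 'Any'
#    means the host firewall does not limit who can reach WSUS.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        if (($port.Protocol -in 'TCP', 'Any') -and
            (Test-CoversWsusPort -Spec $port.LocalPort -Ports $wsusPorts)) {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
                Unrestricted  = $addr.RemoteAddress -contains 'Any'
            }
        }
    } | Format-Table -AutoSize
```

This covers the host firewall only; whether the server is reachable from the internet also depends on perimeter firewalls and NAT in front of it.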

