A critical, unauthenticated remote code execution flaw in Windows Server Update Services (WSUS) (CVE-2025-59287, CVSS 9.8) affects a core enterprise patch-management component. Microsoft’s October Patch Tuesday fix was incomplete, so an out-of-band update was released on Oct 23. Active exploitation was observed within hours, and the next day CISA added the bug to the Known Exploited Vulnerabilities (KEV) catalog, which means immediate action is required.

Deep-dive and detection guidance: Palo Alto Networks – Unit 42 analysis.

Why this matters

Unauthenticated RCE: an attacker who can reach the WSUS service can run code as SYSTEM on the server without credentials.

Supply-chain impact: WSUS is a trusted update source for every client pointed at it, so a compromised server is a foothold for lateral movement and widespread enterprise impact.

Under active attack: mass scanning and hands-on reconnaissance were observed shortly after disclosure.

Technical details

In short, WSUS deserializes attacker-supplied data that it should never have trusted, and the deserialization path ends in code execution. Two entry points are abused:

  • Cookie handling (GetCookie): a crafted request carries a malicious serialized authorization cookie; when the server deserializes it, attacker-controlled code runs.
  • Reporting Web Service: a similar crafted payload sent to the reporting endpoint is deserialized the same way, so the service performs actions defined by the attacker.

Once exploitation succeeds, command-line processes are typically spawned from the WSUS service or the IIS worker process. Attackers perform reconnaissance first and then attempt to exfiltrate data.

Common process chains:

  • wsusservice.exe → cmd.exe → powershell.exe
  • w3wp.exe → cmd.exe → powershell.exe

Typical recon commands:

  • whoami
  • net user /domain
  • ipconfig /all

Affected systems: Windows Server 2012, 2012 R2, 2016, 2019, 2022 (including 23H2), 2025. Only servers with the WSUS Server Role enabled are exposed; the role is off by default.

Immediate actions (summary)

  • Identify WSUS servers: check if the role is enabled (Get-WindowsFeature -Name UpdateServices) and whether TCP 8530/8531 are open.
  • Apply the out-of-band update to all affected servers, then reboot.
  • Temporary risk reduction (if you can’t patch right now):

    - Disable the WSUS role

    - Block inbound traffic to TCP 8530/8531 at the host firewall

  • Access segmentation: WSUS should not be directly exposed to the internet.
  • Threat hunting and log analysis: look for cmd.exe or powershell.exe child processes spawned by wsusservice.exe or the IIS worker process w3wp.exe, and investigate unusual outbound connections from WSUS hosts.
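The following PowerShell triage script is an added example, not code from the original page or from Unit 42. It walks through the actions above on a single host: confirm the role, list the 8530/8531 listeners, apply the host-firewall block as a stopgap, and hunt for the process chains described under Technical details. It assumes Windows Server with the ServerManager module available, and that process creation auditing (Security event 4688) is enabled; the Command column is only populated if command-line auditing is on as well. The firewall rule name is arbitrary.

```powershell
# Added example (not from the Unit 42 brief). Run in an elevated PowerShell on the server under review.

# 1. Is the WSUS role installed? Get-WindowsFeature comes from the ServerManager module (Windows Server only).
$wsus = Get-WindowsFeature -Name UpdateServices
"WSUS role installed: $($wsus.Installed)"

# 2. Are the WSUS ports listening, and which remote addresses are talking to them?
Get-NetTCPConnection -LocalPort 8530, 8531 -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, State |
    Sort-Object State, RemoteAddress -Unique |
    Format-Table -AutoSize

# 3. Temporary mitigation if the out-of-band update cannot be applied yet:
#    block inbound TCP 8530/8531 at the host firewall. Remove the rule once the server is patched.
#    Rule name is an assumption; pick whatever fits your naming scheme.
if ($wsus.Installed) {
    New-NetFirewallRule -DisplayName "Block WSUS 8530-8531 (CVE-2025-59287 mitigation)" `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block -Profile Any
}

# 4. Hunt: cmd.exe / powershell.exe spawned by WsusService.exe or w3wp.exe in the last 7 days.
#    Security event 4688 carries NewProcessName, ParentProcessName and (if enabled) CommandLine.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $data['ParentProcessName']
            Child   = $data['NewProcessName']
            Command = $data['CommandLine']
        }
    } |
    Where-Object {
        ($_.Parent -like '*\wsusservice.exe' -or $_.Parent -like '*\w3wp.exe') -and
        ($_.Child  -like '*\cmd.exe'         -or $_.Child  -like '*\powershell.exe')
    } |
    Format-Table -AutoSize -Wrap
```

Any hit from step 4 on a WSUS host is worth treating as a probable compromise rather than an anomaly: neither WsusService.exe nor w3wp.exe launches a shell in normal operation. Follow up on the recon commands listed above and on outbound connections from the same time window.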

Palo Alto Networks protection

Per the Unit 42 brief, Palo Alto Networks provides multi-layer protection and response:

  • Advanced Threat Prevention: with the Advanced Threat Prevention subscription and best-practice security policies in place, Threat Prevention signatures 96657 and 96684 block exploitation attempts.
  • Cortex XDR and XSIAM: multi-layer defenses against post-exploitation activity.
  • Cortex response and playbook (WSUS RCE): automation to speed mitigation, including:

1. Identifies and fingerprints WSUS hosts via XQL

2. Collects indicators from the Unit 42 article

3. Detects suspicious command lines indicative of exploitation

4. Investigates command lines for related malicious indicators

5. Hunts for indicators with XQL

6. Isolates compromised WSUS servers

7. Blocks indicators and recommends mitigations