Alert essentials:
A recently patched vulnerability in WSUS poses a critical risk to enterprise networks. If successfully exploited, CVE-2025-59287 gives an attacker complete control over the server used to distribute security updates to other systems.
Deploy patches immediately: this potentially wormable weakness requires no user interaction or credentials to exploit.
Detailed threat description:
A critical Remote Code Execution (RCE) vulnerability in the Windows Server Update Service (WSUS) could allow an unauthorized attacker to execute arbitrary code over a network.
Sending a crafted event to a WSUS server can trigger deserialization of untrusted objects, allowing remote code execution without authentication. The vulnerability was assigned a CVSSv3 score of 9.8 and fixed in Microsoft’s October 2025 Patch Tuesday releases.
Researchers also warn that this weakness may be wormable between unpatched versions of WSUS. An attacker compromising a single WSUS server could manipulate update metadata or replicate malicious events, causing other WSUS servers to process the same payload and spread the compromise via WSUS’s replication mechanisms.
CVE-2025-59287 affects all Windows servers running the WSUS role. On-prem versions of Windows Server 2012 through Windows Server 2025 received patches for the legacy serialization mechanism.
Organizations are strongly advised to prioritize deploying patches due to the critical nature of the vulnerability. At the time of this writing, no proof-of-concept code has been published, and analysts speculate that whether the vulnerability is wormable in practice depends on the replication topology of the WSUS deployment. The update should be applied through Windows Update or Windows Server Update Services (WSUS).
Fortified Health Security is monitoring this situation and will release updates as they become available.
Impacts on healthcare organizations:
As an unauthenticated remote code execution vulnerability, successful exploitation could allow attackers to execute arbitrary code on affected systems without requiring any authentication. This poses a severe risk for supply-chain attacks through the Windows Update infrastructure.
Affected Products / Versions (affected range, then the corresponding Tenable plugin where one is listed)
- Windows Server 2012 (Server Core installation), x64-based Systems: 6.2.9200.0 up to but not including 6.2.9200.25722 (Tenable plugin #270366)
- Windows Server 2012 R2 (Server Core installation), x64-based Systems: 6.3.9600.0 up to but not including 6.3.9600.22824 (Tenable plugin #270367)
- Windows Server 2012 R2, x64-based Systems: 6.3.9600.0 up to but not including 6.3.9600.22824 (Tenable plugins #270366, #270367)
- Windows Server 2012, x64-based Systems: 6.2.9200.0 up to but not including 6.2.9200.25722
- Windows Server 2016 (Server Core installation), x64-based Systems: 10.0.14393.0 up to but not including 10.0.14393.8519 (Tenable plugin #270384)
- Windows Server 2016, x64-based Systems: 10.0.14393.0 up to but not including 10.0.14393.8519 (Tenable plugin #270384)
- Windows Server 2019 (Server Core installation), x64-based Systems: 10.0.17763.0 up to but not including 10.0.17763.7919 (Tenable plugin #270378)
- Windows Server 2019, x64-based Systems: 10.0.17763.0 up to but not including 10.0.17763.7919 (Tenable plugin #270378)
- Windows Server 2022, x64-based Systems: 10.0.20348.0 up to but not including 10.0.20348.4294 (Tenable plugin #270390)
- Windows Server 2022, 23H2 Edition (Server Core installation), x64-based Systems: 10.0.25398.0 up to but not including 10.0.25398.1913 (Tenable plugin #270390)
- Windows Server 2025 (Server Core installation), x64-based Systems: 10.0.26100.0 up to but not including 10.0.26100.6899 (Tenable plugin #270371)
- Windows Server 2025, x64-based Systems: 10.0.26100.0 up to but not including 10.0.26100.6899 (Tenable plugin #270371)
CVEs
- CVE-2025-59287 (CWE-502, CVSS 9.8)
KBs
- KB5066875, KB5066873, KB5066863, KB5066782, KB5066586, KB5066780, KB5066835
Recommendations
Engineering recommendations:
- Identify all WSUS servers and their exposure
- Immediately apply patches
- Block external/untrusted access to WSUS management ports via perimeter and host firewalls
- Increase monitoring and retention for WSUS logs and replication events
- Search for indicators of compromise: unexpected package approvals, new content in WSUS directories, or anomalous replication patterns
- Segment WSUS servers from general network segments and restrict replication to authenticated, internal links
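One way to start on the first three engineering recommendations above (inventory of WSUS servers, patch state, and exposure of the management ports) is a read-only host-side check such as the following. This is an added example, not Fortified's code; it assumes an elevated PowerShell session on the Windows Server itself, the default WSUS listener ports 8530/8531 (the advisory does not list ports), and the KB numbers given in this advisory.

```powershell
# Added example, not from the advisory. Checks one host for (1) the WSUS role,
# (2) whether an advisory KB is installed, and (3) whether the WSUS ports are
# reachable from any remote address through an enabled inbound firewall rule.
# Assumptions: run elevated on the server; default WSUS ports 8530/8531.
function Test-WsusAdvisoryState {
    param(
        [string[]]$AdvisoryKBs = @('KB5066875','KB5066873','KB5066863','KB5066782',
                                   'KB5066586','KB5066780','KB5066835'),
        [int[]]$WsusPorts = @(8530, 8531)   # assumed defaults; change if customized
    )

    # 1. WSUS role installed? (Get-WindowsFeature comes from the ServerManager module)
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $wsusInstalled = [bool]($role -and $role.Installed)

    # 2. Any of the advisory's KBs present? A later cumulative update supersedes
    #    these KBs, so an empty result means "verify the build", not "unpatched".
    $installedKBs = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $AdvisoryKBs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    # 3a. Live listeners on the WSUS ports.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique

    # 3b. Enabled inbound Allow rules for those ports whose remote scope is 'Any',
    #     i.e. not restricted to internal or management subnets.
    $candidateRules = Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
        Where-Object { $lp = $_.LocalPort; $WsusPorts | Where-Object { $lp -contains "$_" } } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $openRules = foreach ($rule in $candidateRules) {
        if (($rule | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any') { $rule.DisplayName }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        WsusRoleInstalled  = $wsusInstalled
        AdvisoryKBsFound   = @($installedKBs)
        WsusPortsListening = @($listeners)
        UnscopedAllowRules = @($openRules)
        # Flag hosts that run WSUS and either show no advisory KB or expose the ports broadly.
        ActionNeeded       = $wsusInstalled -and (@($installedKBs).Count -eq 0 -or @($openRules).Count -gt 0)
    }
}

Test-WsusAdvisoryState | Format-List
```

Run it across the server estate (for example via Invoke-Command) and treat every object with ActionNeeded set to True as a host to patch or to re-scope at the firewall; feed WsusPortsListening and UnscopedAllowRules into the log-monitoring and segmentation items that follow.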
Leadership / Program recommendations:
- Document incident response steps and prepare playbooks for similar update-infrastructure attacks
- Review the update-infrastructure architecture for single points of trust and consider advanced hardening
Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.