Concise Cyber

Microsoft WSUS Vulnerability CVE-2025-59287: Active Exploitation of RCE Confirmed

A critical remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, is being actively exploited in the wild. Information regarding the active exploitation was updated on November 3.

The vulnerability exists within WSUS, a Microsoft server role that lets administrators manage the distribution of updates and hotfixes for Microsoft products to computers in a corporate environment. As a remote code execution flaw, CVE-2025-59287 permits an attacker to execute arbitrary code on a targeted server without prior authentication.

CVE-2025-59287 Vulnerability Details

CVE-2025-59287 affects the core functionality of Windows Server Update Services. Because the flaw is an RCE, a successful exploit results in the unauthorized execution of attacker-controlled commands on the underlying server that runs the WSUS role. This provides a direct path to system compromise. Given the central role of WSUS servers in network management and software deployment, their compromise has significant implications for network integrity.

Active Exploitation in the Wild

Security researchers have confirmed that threat actors are leveraging CVE-2025-59287 in active attack campaigns. The confirmation of in-the-wild exploitation indicates that unpatched systems are at immediate risk. The update provided on November 3 underscores that the threat activity associated with this vulnerability is ongoing. Administrators of networks that use Microsoft WSUS are urged to review official advisories from Microsoft for patch information and mitigation guidance.
