CVE-2025-59287

CVE Database · CVE-2025-59287

CVE-2025-59287

· CRITICALAnalyzed

CVSS v3.1

9.8

EPSS

99.96%

Published

Oct 14, 2025

Modified

Nov 12, 2025

CISA Known Exploited Vulnerability

Added: 2025-10-24 · Due: 2025-11-14

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Public PoC / Exploit (10)

All weaponized →

NucleiNuclei detection template TrickestTrickest PoC index GitHub PoCM507/CVE-2025-59287-PoC★13 GitHub PoCLuemmelSec/CVE-2025-59287---WSUS-SCCM-RCE★2 GitHub PoCTwodimensionalitylevelcrossing817/CVE-2025-59287★1 GitHub PoCAdel-kaka-dz/cve-2025-59287★1 GitHub PoCgud425/gud425.github.io★0 GitHub PoCsalman5230/CVE-2025-59287★0 GitHub PoCross-ns/WSUS-CVE-2025-59287★0 GitHub PoCswoon69/CVE-2025-59287-Exercise-Use★0

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-502

Affected Products (7)

microsoft · windows_server_2012vulnerable

microsoft · windows_server_2016 (up to 10.0.14393.8524)vulnerable

microsoft · windows_server_2019 (up to 10.0.17763.7922)vulnerable

microsoft · windows_server_2022 (up to 10.0.20348.4297)vulnerable

microsoft · windows_server_2022_23h2 (up to 10.0.25398.1916)vulnerable

microsoft · windows_server_2025 (up to 10.0.26100.6905)vulnerable

References (7)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287

Vendor Advisory

https://hawktrace.com/blog/CVE-2025-59287

ExploitThird Party Advisory

https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/

Press/Media Coverage

https://www.vicarius.io/vsociety/posts/cve-2025-59287-detection-script-rce-vulnerability-in-windows-server-update-service

Third Party Advisory

https://www.vicarius.io/vsociety/posts/cve-2025-59287-mitigation-script-rce-vulnerability-in-windows-server-update-service

MitigationThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs