Everybody's warning about critical Windows Server WSUS bug exploits ... but Microsoft's mum


Governments and private security sleuths warned that attackers are already exploiting a critical bug in Microsoft Windows Server Update Services, shortly after Redmond pushed an emergency patch for the remote code execution (RCE) vulnerability.

Plus, there's at least one proof-of-concept attack floating around in cyberspace, and it only takes one specially crafted request to exploit the bug for full system takeover - so we know what Microsoft admins are doing this weekend. 

The vulnerability, tracked as CVE-2025-59287 and serious enough to receive a 9.8 out of 10 CVSS score, affects Windows Server versions 2012 through 2025. It stems from insecure deserialization of untrusted data and allows unauthenticated attackers to execute arbitrary code on vulnerable systems. And servers without the Windows Server Update Services (WSUS) role enabled aren't affected.

Microsoft initially issued a fix for CVE-2025-59287 on October 14 - Patch Tuesday - but it didn't fully patch the security ...


Copyright of this story solely belongs to theregister.co.uk.