Microsoft drops surprise Windows Server patch before weekend downtime

Microsoft has released an out-of-band update to patch a critical vulnerability in Windows Server Update Services (WSUS).

The update addresses CVE-2025-59287">CVE-2025-59287, a remote code execution flaw affecting Windows Server versions 2012 through 2025. The vulnerability stems from insecure deserialization of untrusted data, allowing unauthenticated attackers to execute arbitrary code. A proof-of-concept exploit is publicly available.

The vulnerability has been assigned a maximum severity level of "critical". Only servers with the WSUS role enabled are affected.

Microsoft recommends admins unable to immediately patch should disable the role on affected servers - although this will obviously prevent client updates from the server. Or they can choose to block inbound traffic to ports 8530 and 8531 on the host firewall to stop WSUS working.

The update is cumulative and includes October's patches if not yet installed. A reboot is required.

Windows is chock-full of legacy code waiting to be abused by attackers ...