Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
The WSUS service incorrectly processes untrusted data during deserialization (CWE-502). An attacker can send a crafted network payload that is deserialized by the vulnerable service without prior authentication. This results in arbitrary code execution in the context of the attacked server.
An unauthenticated attacker can remotely gain full control of the server — access confidential data, modify systems, or disrupt their operation (complete breach of confidentiality, integrity, and availability).
Apply patches available from the vendor according to the references (https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287). CISA mandated immediate patch deployment for U.S. federal agencies. Until updates are applied, it is recommended to restrict network access to WSUS interfaces to trusted hosts only.
Microsoft Windows Server 2012, Windows Server 2016, Windows Server 2022, Windows Server 2022 23H2, Windows Server 2025 — with the Windows Server Update Service (WSUS) role running.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMicrosoft Windows Server 2012
OSMicrosoftr2Microsoft Windows Server 2016
OSMicrosoft< 10.0.14393.8524Microsoft Windows Server 2019
OSMicrosoft< 10.0.17763.7922Microsoft Windows Server 2022
OSMicrosoft< 10.0.20348.4297Microsoft Windows Server 2022 23h2
OSMicrosoft< 10.0.25398.1916Microsoft Windows Server 2025
OSMicrosoft< 10.0.26100.6905
CISA KEV — detailsi
- Vendori
- Microsoft ↗
- Producti
- Windows
- Added to KEVi
- October 24, 2025
- Remediation deadline (US Federal)i
- November 14, 2025(overdue)
Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Microsoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
Related vulnerabilities
A remote code execution vulnerability exists when Hyper-V RemoteFX vGPU on a host server fails to properly val...
A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly ...
A remote code execution vulnerability exists when the Microsoft .NET Framework fails to validate input properl...
Microsoft Windows XP SP3, Windows XP x64 XP2, Windows Server 2003 SP2, Windows Vista, Windows 7 SP1, Windows S...
HTTP.sys in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, and Windows Server 20...