9.8
CVE-2025-59287
- EPSS 99.96%
- Veröffentlicht 14.10.2025 17:01:47
- Zuletzt bearbeitet 12.11.2025 14:33:19
- Quelle secure@microsoft.com
- CVE-Watchlists
- Unerledigt
Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Microsoft ≫ Windows Server 2012 Version-
Microsoft ≫ Windows Server 2012 Versionr2
Microsoft ≫ Windows Server 2016 Version < 10.0.14393.8524
Microsoft ≫ Windows Server 2019 Version < 10.0.17763.7922
Microsoft ≫ Windows Server 2022 Version < 10.0.20348.4297
Microsoft ≫ Windows Server 2022 23h2 Version < 10.0.25398.1916
Microsoft ≫ Windows Server 2025 Version < 10.0.26100.6905
VulnDex Vulnerability Enrichment
24.10.2025: CISA Known Exploited Vulnerabilities (KEV) Catalog
Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
SchwachstelleMicrosoft Windows Server Update Service (WSUS) contains a deserialization of untrusted data vulnerability that allows for remote code execution.
BeschreibungApply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Erforderliche Maßnahmen| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 99.96% | 1 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| secure@microsoft.com | 9.8 | 3.9 | 5.9 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
|
CWE-502 Deserialization of Untrusted Data
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
https://gist.github.com/hawktrace/880b54fb9c07ddb028baaae401bd3951
https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-59287
https://hawktrace.com/blog/CVE-2025-59287
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-windows-server-wsus-flaw-exploited-in-attacks/
https://www.vicarius.io/vsociety/posts/cve-2025-59287-detection-script-rce-vulnerability-in-windows-server-update-service
https://www.vicarius.io/vsociety/posts/cve-2025-59287-mitigation-script-rce-vulnerability-in-windows-server-update-service