Security Advisory: Critical Unauthenticated RCE in Windows Server Update Services (WSUS) - CVE-2025-59287
Ctrl-Alt-DECODE is a newsletter for security practitioners and anyone interested in learning about the latest developments in the field. Our goal is to provide a dedicated resource for relevant, technical, and actionable threat intelligence, focused on our own original research rather than rehashing existing news.
Our telemetry indicates an active exploitation campaign targeting vulnerable Windows Server Update Services (WSUS) systems via CVE-2025-59287 (CVSS 9.8 – Critical).
The primary requirement for exploitation is network access to the WSUS instance, which is most commonly exposed on ports 8530 (HTTP) or 8531 (HTTPS).
Successful exploitation allows an unauthenticated, remote attacker to execute arbitrary code with the privileges of the compromised service process. This access is frequently used to deploy a persistent entry point, such as a webshell, which allows for interactive remote control.
This automated initial access is characteristic of a 'pre-ransomware' campaign, intended to secure a foothold before a secondary, human-operated hacking phase (hands-on-keyboard) begins. Immediate patching is required. Security teams should prioritize blocking the malicious infrastructure and sweeping systems for the documented TTPs.
📅 On October 30, we invite you to join our LinkedIn Live discussion, where our experts will provide a full breakdown of this vulnerability and answer your questions.
Thank you for reading our newsletter, designed to provide you with exclusive threat intelligence, original research, and actionable advisories directly from Bitdefender Labs and MDR. We want to be clear that this is not a sales or marketing publication; it is a resource dedicated to providing only relevant, technical, and actionable threat intelligence. We invite you to subscribe, share this newsletter with your network, and tell us how we're doing at ✉️ decode@bitdefender.com.