Pakistan’s National Computer Emergency Response Team (PKCERT or National CERT) has issued a critical security advisory warning all public and private sector organizations of a remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS), which is being actively exploited in the wild.
The flaw, tracked as CVE-2025-59287, carries a CVSS score of 9.8 (Critical) and allows unauthenticated, remote attackers to execute arbitrary code on vulnerable servers: the WSUS web service deserializes an attacker-supplied AuthorizationCookie object using a legacy .NET serialization mechanism without validating it first. Successful exploitation leads to complete compromise of the server, enabling attackers to deploy malware, steal credentials, and exfiltrate sensitive enterprise or government data.
According to the advisory (NCA-51.031125), attackers are already exploiting the flaw to conduct reconnaissance, lateral movement, and data theft across compromised WSUS environments. Given WSUS’s central role in managing Windows updates across large IT networks, the vulnerability poses a serious national cybersecurity risk.
All unpatched Windows Server instances with the WSUS Server Role enabled that expose the WSUS web endpoints on TCP ports 8530 (HTTP) or 8531 (HTTPS) are vulnerable; servers on which the role is not enabled are not affected. Particularly at risk are networks whose WSUS servers are reachable from the internet or from unsegmented networks, and those running Windows Server versions that no longer receive security updates.
PKCERT has urged all organizations to immediately apply Microsoft's October 2025 out-of-band update, available through the Microsoft Security Update Guide. The out-of-band release supersedes the fix shipped in the regular October 2025 Patch Tuesday update, which did not fully address the flaw, and the server must be restarted after installation for the fix to take effect.
In cases where patching is not immediately possible, PKCERT recommends blocking inbound access on ports 8530 and 8531 from untrusted networks, restricting the WSUS web endpoints to trusted management subnets, and closely monitoring for cmd.exe or PowerShell processes spawned by WSUS components. Note that blocking the ports outright also cuts off the WSUS clients that depend on the server for updates, so the restriction should be scoped to the addresses that legitimately need access, and removed once the patch is applied.

The vulnerability is under active attack globally, with reports of threat actors leveraging the flaw to gain control of WSUS servers, install remote access malware, and steal domain credentials. Organizations are advised to inspect WSUS and IIS logs for POST requests to the WSUS web service endpoints from unexpected source addresses, for unauthorized process creation, and in particular for child processes of WsusService.exe or the WSUS IIS worker process (w3wp.exe), which should not normally launch shells or command interpreters. Process-creation auditing (Security event 4688 with command-line logging, or Sysmon) must already be enabled for this evidence to exist. Any signs of compromise should trigger immediate incident response and forensic investigation.
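The following PowerShell script is an added example of the interim mitigation and the log review described above; it is not part of the PKCERT advisory or of Microsoft's guidance. It is meant to be run in an elevated session on the WSUS server itself. The trusted subnets, the IIS log root, the 14-day lookback, the list of child process names, and the WSUS SOAP endpoint paths it watches are all assumptions to adjust for your environment. Because legitimate WSUS clients POST to the same endpoints all day, the script uses the source address (not the endpoint) as the discriminator for web-log hits, and it only narrows existing Allow rules rather than adding a Block rule, since Windows Firewall evaluates Block rules before Allow rules and a blanket Block would also cut off trusted clients.

```powershell
# Added example (not from the advisory). Run elevated on the WSUS server.
# ASSUMPTIONS to adjust: trusted subnets, IIS log root, lookback window, endpoint list, child process list.
$TrustedSubnets = @('10.10.50.0/24', '192.168.100.0/24')        # ASSUMPTION: management/client ranges
$IisLogRoot     = 'C:\inetpub\logs\LogFiles'                     # ASSUMPTION: default IIS log location
$Since          = (Get-Date).AddDays(-14)
$WsusEndpoints  = '/ClientWebService/Client.asmx', '/SimpleAuthWebService/SimpleAuth.asmx'  # ASSUMPTION
$ParentNames    = 'wsusservice.exe', 'w3wp.exe'
$ChildNames     = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe', 'bitsadmin.exe', 'mshta.exe'

# IPv4-only CIDR membership test using int64 arithmetic (avoids PowerShell's signed bit-shift quirks).
function Test-InTrustedSubnet([string]$Ip) {
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    if ($addr.AddressFamily -ne 'InterNetwork') { return $false }
    $toInt = { param($a) $b = $a.GetAddressBytes(); [int64]$b[0]*16777216 + [int64]$b[1]*65536 + [int64]$b[2]*256 + [int64]$b[3] }
    $ipN = & $toInt $addr
    foreach ($cidr in $TrustedSubnets) {
        $net, $len = $cidr -split '/'
        if (-not $len) { $len = 32 }                                 # a bare address means a /32
        $mask = [int64]4294967296 - [int64][math]::Pow(2, 32 - [int]$len)
        $netN = & $toInt ([System.Net.IPAddress]::Parse($net))
        if (($ipN -band $mask) -eq ($netN -band $mask)) { return $true }
    }
    return $false
}

# 1. Exposure check: hosts without the WSUS role are not affected; show what is listening on 8530/8531.
if (-not (Get-WindowsFeature -Name UpdateServices).Installed) { Write-Warning 'WSUS role not installed; nothing to do.'; return }
Get-NetTCPConnection -LocalPort 8530, 8531 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. Interim mitigation: scope every inbound Allow rule for 8530/8531 to the trusted subnets (add one if
#    none exists) and rely on the profile's default inbound action being Block. Clients outside
#    $TrustedSubnets stop receiving updates until the server is patched and the rules are relaxed.
$wsusRules = Get-NetFirewallPortFilter -Protocol TCP | Where-Object { @($_.LocalPort) -match '^853[01]$' } |
             Get-NetFirewallRule | Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
if ($wsusRules) { $wsusRules | Set-NetFirewallRule -RemoteAddress $TrustedSubnets }
else {
    New-NetFirewallRule -DisplayName 'WSUS 8530/8531 (trusted subnets only)' -Direction Inbound -Protocol TCP `
        -LocalPort 8530, 8531 -RemoteAddress $TrustedSubnets -Action Allow | Out-Null
}
Get-NetFirewallProfile | Where-Object DefaultInboundAction -ne 'Block' | ForEach-Object {
    Write-Warning "Profile $($_.Name): default inbound action is $($_.DefaultInboundAction); untrusted sources may still reach WSUS."
}

# 3. Process-creation hunt: shells or downloaders spawned by WsusService.exe or the WSUS IIS worker.
#    Security 4688 (with command-line logging) or Sysmon event 1 must have been enabled before the attack.
$hits = @()
$sources = @(
    @{ Log = 'Security'; Id = 4688; Parent = 'ParentProcessName'; Child = 'NewProcessName'; Cmd = 'CommandLine' },
    @{ Log = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; Parent = 'ParentImage'; Child = 'Image'; Cmd = 'CommandLine' }
)
foreach ($s in $sources) {
    $events = Get-WinEvent -FilterHashtable @{ LogName = $s.Log; Id = $s.Id; StartTime = $Since } -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $parent = [System.IO.Path]::GetFileName([string]$d[$s.Parent]).ToLower()
        $child  = [System.IO.Path]::GetFileName([string]$d[$s.Child]).ToLower()
        if ($ParentNames -contains $parent -and $ChildNames -contains $child) {
            $hits += [pscustomobject]@{ Time = $e.TimeCreated; Source = $s.Log; Parent = $parent; Child = $child; CommandLine = $d[$s.Cmd] }
        }
    }
}

# 4. IIS W3C log hunt: POSTs to the WSUS SOAP endpoints from outside the trusted subnets. The #Fields header
#    is parsed so the script works whatever columns are configured (cs-bytes is only shown when logged).
$webHits = Get-ChildItem -Path $IisLogRoot -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
  Where-Object LastWriteTime -gt $Since | ForEach-Object {
    $fields = $null
    foreach ($line in [System.IO.File]::ReadLines($_.FullName)) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields) { continue }
        $v = $line -split ' '
        $r = @{}; for ($i = 0; $i -lt [math]::Min($fields.Count, $v.Count); $i++) { $r[$fields[$i]] = $v[$i] }
        if ($r['cs-method'] -ne 'POST' -or $WsusEndpoints -notcontains $r['cs-uri-stem']) { continue }
        if (Test-InTrustedSubnet $r['c-ip']) { continue }
        [pscustomobject]@{ TimeUtc = "$($r['date']) $($r['time'])"; Client = $r['c-ip']; Uri = $r['cs-uri-stem']; Status = $r['sc-status']; ReqBytes = $r['cs-bytes'] }
    }
}

"{0} suspicious child process(es); {1} untrusted POST(s) to WSUS endpoints since {2}" -f $hits.Count, @($webHits).Count, $Since
$hits | Format-Table -AutoSize
$webHits | Format-Table -AutoSize
```

Any row in either table is a trigger for incident response rather than a verdict on its own: a WSUS worker spawning cmd.exe with an encoded PowerShell command line is a strong indicator, whereas an untrusted-source POST with a 4xx status may simply be a scanner that never got past the endpoint. IIS writes log timestamps in UTC by default, so align them with local-time event log entries before building a timeline.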
“Given WSUS’s critical role in enterprise patch management, exploitation of this flaw can have cascading effects across entire networks,” the National CERT warned, urging organizations to treat the issue with top priority.