The National Computer Emergency Response Team (National CERT) has issued a warning about a serious security flaw in Microsoft Windows Server Update Services (WSUS) that is currently being exploited by hackers.
The issue, tracked as CVE-2025-59287, is a remote code execution (RCE) vulnerability that allows attackers to take full control of affected servers. Once exploited, hackers can run any commands on the server, steal data, or install malicious software. Microsoft has already released a special security update to fix the problem.
According to National CERT, the flaw has a severity score of 9.8 out of 10 and is caused by unsafe handling of WSUS authorization cookies. Any Windows Server system that hasn’t been patched and exposes WSUS web connections on ports 8530 (HTTP) or 8531 (HTTPS) is at high risk. Attackers have already been seen using this weakness to spread malware, steal login details, and move through connected networks.
The report warns that this attack is easy to carry out and doesn’t need user interaction or admin privileges. Hackers only need network access to the WSUS service to send harmful web requests and trigger the exploit. System administrators are being advised to check their server and IIS logs for any suspicious commands or unusual web traffic directed at WSUS.
To stay protected, National CERT recommends immediately installing Microsoft’s October 2025 security patch, blocking access to WSUS ports from untrusted networks, and limiting WSUS access to internal, trusted users only. If patching isn’t possible right away, organizations should temporarily disable or isolate vulnerable WSUS servers and monitor their systems closely.
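One way to carry out the log review and the trusted-network restriction described above, as an added example that is not part of the National CERT advisory or Microsoft's guidance: it reads IIS W3C logs and lists requests that reached the WSUS ports from outside the networks you trust. The trusted ranges, the sample log lines and the request paths are constructed placeholders.

```python
import ipaddress

WSUS_PORTS = {"8530", "8531"}  # WSUS HTTP / HTTPS ports named in the advisory
# Assumption: networks allowed to reach WSUS; replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample in IIS W3C extended log format (not real traffic or real paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-10-25 09:14:02 10.0.5.20 POST /example/service.asmx - 8530 - 10.0.7.31 Windows-Update-Agent 200
2025-10-25 09:15:40 10.0.5.20 POST /example/service.asmx - 8530 - 203.0.113.45 python-requests/2.31 500
2025-10-25 09:16:11 10.0.5.20 GET /example/page.htm - 80 - 203.0.113.45 Mozilla/5.0 200
2025-10-25 09:17:55 10.0.5.20 POST /example/service.asmx - 8531 - 198.51.100.9 curl/8.4.0 200
"""

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # header can change mid-file; always use the latest
        elif line and not line.startswith("#") and fields:
            values = line.split()      # IIS encodes spaces inside values as '+'
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def is_trusted(ip):
    """True if ip parses and falls inside one of TRUSTED_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                   # unparseable client address: treat as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_wsus_requests(text):
    """Return log rows that hit a WSUS port from a client outside TRUSTED_NETS."""
    return [row for row in parse_w3c(text)
            if row.get("s-port") in WSUS_PORTS and not is_trusted(row.get("c-ip", ""))]

if __name__ == "__main__":
    for r in untrusted_wsus_requests(SAMPLE_LOG):
        print(r["date"], r["time"], r["c-ip"], r["cs-method"],
              r["cs-uri-stem"], "port", r["s-port"], "status", r["sc-status"])
```

Any row this returns means the WSUS ports were reachable from an untrusted network, so it is both a list of requests to review and evidence that the port restriction is not in place.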
The advisory stresses that since the vulnerability is already being actively used by attackers, IT teams in both government and private sectors should treat this as an urgent priority.
