Critical RCE in Windows Server: Are You Distributing Patches or Malware?
The CrowdSec Network has detected a wave of exploitation attempts targeting CVE-2025-59287, a critical Remote Code Execution (RCE) vulnerability in Windows Server Update Services (WSUS).

Key findings
- Vulnerability disclosed: October 14, 2025 (Microsoft advisory and first patch).
- First detected by CrowdSec: December 18, 2025.
- Exploitation volume: 1,020 signals observed over 32 days, averaging ~32 attempts per day.
- Trend: exploitation peaked at 52 signals/day and is declining gradually week over week.
- Attack style: mostly focused reconnaissance, probing hosts to identify exposed and unpatched WSUS instances rather than mass, internet-wide spraying.
What is Windows Server Update Services (WSUS)?
Windows Server Update Services (WSUS) is a Windows Server role used by IT administrators and system engineers to manage and distribute software updates for Microsoft products. It acts as a central hub in enterprise environments: the organization decides which updates are approved, and servers and workstations pull them from the WSUS server instead of directly from Microsoft.
Why it matters: WSUS servers are critical infrastructure components. A compromised WSUS server is a “keys to the kingdom” asset, because every client is configured to trust it as its update source. An attacker who controls it can potentially distribute malicious “updates” to all connected clients, turning a single server compromise into a network-wide one.
About CVE-2025-59287
CVE-2025-59287 is a critical insecure deserialization vulnerability (CVSS 9.8). It allows an unauthenticated attacker to execute arbitrary code on the WSUS server by sending crafted SOAP/XML requests to specific WSUS web service endpoints (such as /ReportingWebService/ReportingWebService.asmx).
Essentially, the server deserializes untrusted data from the request without validating it, and the deserialized payload drives the server into running attacker-chosen code. No credentials or user interaction are needed, so any host with the WSUS role enabled and its service ports (TCP 8530 and 8531 by default) reachable by the attacker is a target. Servers without the WSUS role are not affected. That makes it a dangerous vector for initial access and, given what WSUS does, for lateral movement through the clients it serves.
For more technical details, see the HawkTrace analysis and Microsoft’s advisory.
Trend analysis
CrowdSec data indicates that, while this vulnerability is critical, exploitation attempts are currently trending downwards. The activity observed suggests that threat actors are conducting “focused reconnaissance”, scanning likely targets rather than spraying the entire internet. The peak occurred earlier in the observation window, and the recent decline may signal successful patching campaigns or attackers shifting their focus elsewhere.
However, CrowdSec CTI reports 130 IPs attempting to exploit this vulnerability in real-world environments, more than 70% of which are already labeled as malicious and have been reported for exploiting other web vulnerabilities. In other words, attackers are still active and still looking for vulnerable infrastructure.
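The reconnaissance described above leaves traces in the IIS logs of the WSUS server, because the WSUS endpoints named earlier are ordinary IIS web services. The following PowerShell is an added example, not code from the CrowdSec post: it parses IIS W3C log lines, keeps only requests to the two WSUS SOAP endpoints, drops sources inside the ranges your update clients are expected to come from, and summarizes what is left per source IP. The trusted CIDR list and the log lines in $SampleLog are assumptions constructed for this example; replace them with your own client ranges and real log files.

```powershell
# Added example (not from the CrowdSec post): hunt IIS W3C logs for WSUS endpoint
# requests from untrusted sources. IPv4 only; sample log lines are constructed.

function Test-IPv4InCidr {
    param([string]$Ip, [string]$Cidr)
    $net, $bits = $Cidr -split '/'
    if (-not $bits) { $bits = 32 }
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    $ipBytes  = $addr.GetAddressBytes()
    $netBytes = [System.Net.IPAddress]::Parse($net).GetAddressBytes()
    if ($ipBytes.Length -ne 4) { return $false }             # IPv6 not handled here
    [Array]::Reverse($ipBytes); [Array]::Reverse($netBytes)   # network order -> host order
    $ipInt  = [BitConverter]::ToUInt32($ipBytes, 0)
    $netInt = [BitConverter]::ToUInt32($netBytes, 0)
    $mask   = [uint32]([math]::Pow(2, 32) - [math]::Pow(2, 32 - [int]$bits))
    return (($ipInt -band $mask) -eq ($netInt -band $mask))
}

function Find-UntrustedWsusRequests {
    param(
        [Parameter(Mandatory)][string[]]$LogLines,
        # Assumption: the ranges your WSUS clients live in. Adjust to your network.
        [string[]]$TrustedCidrs = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16')
    )
    $endpoints = @('/ReportingWebService/ReportingWebService.asmx',
                   '/ClientWebService/Client.asmx')
    $fields = $null
    $hits = foreach ($line in $LogLines) {
        # The '#Fields:' header defines the column order for the lines that follow it.
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($null -eq $fields -or $line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt [math]::Min($fields.Count, $values.Count); $i++) { $rec[$fields[$i]] = $values[$i] }
        if ($endpoints -notcontains $rec['cs-uri-stem']) { continue }
        $src = $rec['c-ip']
        $trusted = $false
        foreach ($cidr in $TrustedCidrs) { if (Test-IPv4InCidr -Ip $src -Cidr $cidr) { $trusted = $true; break } }
        if ($trusted) { continue }
        [pscustomobject]@{
            Time      = "$($rec['date']) $($rec['time'])"
            Source    = $src
            Method    = $rec['cs-method']
            Uri       = $rec['cs-uri-stem']
            Status    = $rec['sc-status']
            UserAgent = $rec['cs(User-Agent)']
        }
    }
    # One row per untrusted source: how many requests, which methods/endpoints, what it got back.
    $hits | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Name
            Requests  = $_.Count
            Methods   = ($_.Group.Method    | Sort-Object -Unique) -join ','
            Endpoints = ($_.Group.Uri       | Sort-Object -Unique) -join ','
            Statuses  = ($_.Group.Status    | Sort-Object -Unique) -join ','
            UserAgent = ($_.Group.UserAgent | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample: two legitimate client calls, one external host probing both
# endpoints, and one unrelated external 404. Real logs live under C:\inetpub\logs\LogFiles\.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-12-18 09:12:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.4.21 Windows-Update-Agent 200
2025-12-18 09:12:03 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 10.0.4.21 Windows-Update-Agent 200
2025-12-18 09:14:44 10.0.0.5 GET /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.77 python-requests/2.31 200
2025-12-18 09:14:45 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-12-18 09:14:46 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-12-18 09:15:10 10.0.0.5 GET /Content/index.html - 8530 198.51.100.9 Mozilla/5.0 404
'@
$Lines = $SampleLog -split "`r?`n"

Find-UntrustedWsusRequests -LogLines $Lines | Format-Table -AutoSize
# Against real logs on the WSUS server (adjust the site ID directory):
# Find-UntrustedWsusRequests -LogLines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC*\*.log') | Format-Table -AutoSize
```

On the constructed lines the two internal client calls and the unrelated 404 are skipped; what comes back is the external host that touched both SOAP endpoints with a non-Windows-Update user agent and drew a 500 on its POSTs. Treat a 500 from the ReportingWebService or ClientWebService after a request from an unexpected source as a reason to pull the full request from the logs, not as proof of compromise: the same endpoints will also return errors on malformed scanner traffic against a patched server.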
How to protect your systems
- Patch immediately: make sure every server running the WSUS role has the October 2025 security updates, including the out-of-band WSUS update Microsoft released later that month, which supersedes the initial Patch Tuesday fix. Reboot after installing. This is the primary defense.
- Mitigate until you can patch: Microsoft's advisory lists two interim options, disabling the WSUS Server Role or blocking inbound TCP 8530 and 8531 at the host firewall. Both stop clients from updating until reverted, so treat them as a stopgap, not a fix.
- Reduce exposure: WSUS has no business being reachable from the internet. Restrict access to the ports above to the subnets your update clients actually use.
- Preemptive blocking: use CrowdSec to automatically identify and block IP addresses engaging in this exploitation behavior. The CrowdSec community blocklist provides real-time protection against these identified threats.
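The steps above can be turned into a quick triage on each Windows Server. The script below is an added example, not code from the CrowdSec post or from Microsoft: it reports whether the WSUS role is installed, whether the WSUS ports are listening and bound to all interfaces, and which hotfixes were installed on or after the October 14, 2025 advisory date (a date heuristic, since it does not check for a specific KB), and, only when run with -ApplyMitigation, adds the host-firewall block that Microsoft's advisory lists as an interim mitigation. The rule name, the switch name and the advisory-date heuristic are this example's own assumptions. Run it elevated.

```powershell
# Added example (not from the CrowdSec post or Microsoft): WSUS exposure triage and
# optional interim mitigation for CVE-2025-59287. Run from an elevated PowerShell.

[CmdletBinding()]
param(
    [switch]$ApplyMitigation   # add the inbound block rule; omit to report only
)

$AdvisoryDate = [datetime]'2025-10-14'                    # Microsoft advisory date
$WsusPorts    = 8530, 8531                                 # WSUS HTTP / HTTPS defaults
$RuleName     = 'Block inbound WSUS ports (CVE-2025-59287 interim mitigation)'  # example's own name

function Get-WsusExposure {
    # Get-WindowsFeature exists on Windows Server (ServerManager module) only.
    $role = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        Get-WindowsFeature -Name UpdateServices
    } else { $null }

    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort }

    # Heuristic: anything installed since the advisory. Verify the actual KB in your environment.
    $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $AdvisoryDate } |
        Sort-Object InstalledOn

    [pscustomobject]@{
        WsusRoleInstalled    = [bool]($role -and $role.Installed)
        ListeningPorts       = ($listening.LocalPort | Sort-Object -Unique) -join ','
        BoundToAllInterfaces = [bool]($listening | Where-Object { $_.LocalAddress -in @('0.0.0.0', '::') })
        UpdatesSinceAdvisory = ($recent.HotFixID -join ',')
        BlockRulePresent     = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
    }
}

function Set-WsusInboundBlock {
    # Block rules win over allow rules in Windows Firewall, so this overrides the
    # allow rules the WSUS role installs. Remove it once the server is patched.
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) { return 'already present' }
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $WsusPorts -Action Block -Profile Any | Out-Null
    return 'created'
}

$state = Get-WsusExposure
$state | Format-List

if ($ApplyMitigation) {
    if (-not $state.WsusRoleInstalled) {
        Write-Warning 'WSUS role not installed; nothing to mitigate.'
    } else {
        "Firewall block rule: $(Set-WsusInboundBlock)"
        Write-Warning 'Clients cannot reach WSUS until you run: Remove-NetFirewallRule -DisplayName $RuleName'
    }
}
elseif ($state.WsusRoleInstalled -and -not $state.BlockRulePresent) {
    Write-Warning ('WSUS is installed and its ports are reachable. Confirm the October 2025 updates ' +
                   '(including the out-of-band WSUS fix) are installed, or re-run with -ApplyMitigation.')
}
```

Save it as a .ps1 and run it once per WSUS host; the report alone is safe to run anywhere. The firewall block is deliberately behind a switch because it cuts off every update client, which is exactly why Microsoft frames it as a temporary measure: apply it, patch and reboot, confirm UpdatesSinceAdvisory shows the WSUS fix, then remove the rule.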
