
CVE-2025-59287

Published: Oct 23, 2025
Source: msrc
CVSS3: 9.8
EPSS: Low

Description

Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Mitigations

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

The WSUS Server Role is not enabled by default on Windows servers. Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. If the WSUS server role is enabled later, the server becomes vulnerable unless the fix was installed before the role was enabled.

Workaround

The following workarounds might be helpful in your situation. In all cases, Microsoft strongly recommends that you install the updates for this vulnerability as soon as possible even if you plan to leave either of these workarounds in place:

If you are unable to install the October 23, 2025 out-of-band update, you can take any of the following actions to be protected against this vulnerability:

  • If the WSUS Server Role is enabled on your server, disable it. Note that clients will no longer receive updates from the server if WSUS is disabled.
  • Block inbound traffic to Ports 8530 and 8531 on the host firewall (as opposed to blocking only at the network/perimeter firewall) to render WSUS non-operational.

Important: Do NOT undo either of these workarounds until after you have installed the update.
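The following PowerShell script is an added example and is not part of the MSRC advisory or the exploitDog page. It shows how an administrator would check whether a host is exposed at all (the WSUS role, feature name UpdateServices, is installed) and, if so, apply the advisory's second workaround by blocking inbound TCP 8530 and 8531 on the host firewall in an idempotent way. It assumes a Windows Server host with the ServerManager and NetSecurity modules available; the firewall rule name is a label chosen for this example, not one the advisory defines.

```powershell
# Added example (not from the MSRC advisory): detect WSUS exposure on this host and
# apply the interim host-firewall workaround for CVE-2025-59287. Run elevated.
# Assumptions: Windows Server with ServerManager and NetSecurity modules present;
# $RuleName is an arbitrary label chosen for this example.

#Requires -RunAsAdministrator
Import-Module ServerManager
Import-Module NetSecurity

$RuleName = 'Block-WSUS-Inbound-CVE-2025-59287'   # label chosen for this example

# 1. Is the WSUS role installed? Hosts without it are not affected by this CVE.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host 'WSUS role (UpdateServices) is not installed; this host is not exposed.'
    return
}
Write-Host 'WSUS role is installed; host is exposed until the out-of-band update is applied.'

# 2. Are the WSUS ports actually listening? (8530 = HTTP, 8531 = HTTPS)
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 } |
    Select-Object LocalAddress, LocalPort |
    Format-Table -AutoSize

# 3. Advisory workaround: block inbound 8530/8531 on the host firewall, not only at
#    the perimeter. Only create the rule if it does not already exist.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 `
        -Action Block -Profile Any -Enabled True | Out-Null
    Write-Host "Created host-firewall rule '$RuleName' blocking inbound TCP 8530/8531."
} else {
    Write-Host "Rule '$RuleName' already present; nothing to do."
}

# 4. Verify the rule is present and enabled before relying on it.
Get-NetFirewallRule -DisplayName $RuleName |
    Select-Object DisplayName, Enabled, Direction, Action

# Remove the rule only after the out-of-band update has been installed, as the
# advisory instructs:
#   Remove-NetFirewallRule -DisplayName $RuleName
```

Blocking these ports makes WSUS non-operational for its clients, exactly as the advisory notes, so the script is a stopgap for hosts that cannot take the update immediately rather than a substitute for patching.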

FAQ

How could an attacker exploit this vulnerability?

A remote, unauthenticated attacker could send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism, resulting in remote code execution.

What actions do I need to take to be protected from this vulnerability?

To fully address this vulnerability:

  • Windows Server customers should install the out-of-band update released on October 23, 2025.
  • Windows Servers enrolled into the hotpatch program should install the out-of-band standalone security update released on October 24, 2025.

If you cannot install the update immediately see the Workaround section for actions you can take to be protected.

Will the out-of-band update released on October 23, 2025 require a Windows server reboot?

Yes. After you install the update you will need to reboot your system.

Will the out-of-band standalone security updates released on October 24, 2025 for Windows Servers enrolled into the hotpatch program require a reboot?

Yes. A reboot will be required only on servers that have WSUS enabled. This update will not reset the previous baseline.

How do I get the October 23, 2025 out-of-band security update?

The update is available through the following channels:

  • For customers who automatically install updates, this update will be downloaded and installed automatically from Windows Update and Microsoft Update.

  • The standalone package for this update is available on the Microsoft Update Catalog website.

  • This update will automatically sync with Windows Server Update Services (WSUS).

How do I get the October 24, 2025 out-of-band standalone security update for Windows Servers enrolled into the hotpatch program?

Windows Server 2022:

  • For customers who automatically install updates, this update will be downloaded and installed automatically from Windows Update.

  • This update will automatically sync with Windows Server Update Services (WSUS).

Windows Server 2025:

  • For customers who automatically install updates, this update will be downloaded and installed automatically from Windows Update only.

Why did the Temporal CVSS score change?

Microsoft has updated the Exploit Code Maturity metric of the CVSS Temporal score from Unproven (U) to Proof-of-Concept (P) after confirming the availability of publicly disclosed PoC code for this CVE.

Will an updated Windows Update offline scan file, Wsusscn2.cab, with this new security update be available?

Yes. An updated scan file will be available at the time of, or shortly after, the release.

Updates

Affected products (the Article and Update columns of the original table were not captured):

  • Windows Server 2012
  • Windows Server 2012 (Server Core installation)
  • Windows Server 2012 R2
  • Windows Server 2012 R2 (Server Core installation)
  • Windows Server 2016
  • Windows Server 2016 (Server Core installation)
  • Windows Server 2019
  • Windows Server 2019 (Server Core installation)
  • Windows Server 2022
  • Windows Server 2022 (Server Core installation)


Exploitability

Publicly Disclosed: No
Exploited: No
Latest Software Release: Exploitation More Likely

EPSS: 0.03766 (percentile 88%, Low)
CVSS3: 9.8 Critical

Related vulnerabilities

CVSS3: 9.8
nvd
19 days ago

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

CVSS3: 9.8
github
19 days ago

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

CVSS3: 9.8
fstec
20 days ago

Vulnerability in the Windows Server Update Service (WSUS) update server of Windows operating systems, allowing an attacker to execute arbitrary code
