Attackers are actively exploiting a critical vulnerability in Windows Server Update Services, bypassing a patch Microsoft issued earlier this month that failed to mitigate the issue affecting software versions dating back to 2012.
Microsoft released an emergency, out-of-band security update for CVE-2025-59287 on Thursday. Multiple research firms detected in-the-wild exploitation by Friday, yet Microsoft has yet to confirm exploitation occurred as of this article’s publication.
The renewed risk from a vulnerability that had already been disclosed and patched underscores how quickly both defenders and attackers mobilize in the narrow window after a fix is re-released. Researchers observed proof-of-concept exploits and active exploitation within hours of Microsoft's emergency patch.
This vulnerability shows how simple and trivial exploitation is once an attack script is publicly available, John Hammond, principal security researcher at Huntress, told CyberScoop. “It’s always an attack of opportunity — just kind of spray-and-pray, and see whatever access a criminal can get their hands on.”
The Cybersecurity and Infrastructure Security Agency added the remote-code execution defect to its known exploited vulnerabilities catalog Friday and issued an alert urging organizations to apply the patch and follow Microsoft’s mitigation guidance.
“We re-released this CVE after identifying that the initial update did not fully mitigate the issue. Customers who have installed the latest updates are already protected,” a Microsoft spokesperson said in a statement. The vendor did not say when nor how it determined the previous patch could be bypassed.
The number of organizations already impacted or potentially exposed to attacks remains under investigation, but Shadowserver said it found more than 2,800 instances of Windows Server Update Services with ports 8530 and 8531 exposed to the internet — a requirement for exploitation. About 28% of those exposed instances were based in the United States as of Friday.
“Exploitation of this flaw is indiscriminate. If an unpatched Windows Server Update Services instance is online, at this stage it has likely already been compromised,” Ben Harris, founder and CEO at watchTowr, said in an email. “This isn’t limited to low-risk environments — some of the affected entities are exactly the types of targets attackers prioritize.”
Huntress has observed five active attacks linked to CVE-2025-59287. Hammond said Huntress has only observed the beginning stages of exploitation, including a network administrator command to get the lay of the land, enumerate the environment and exfiltrate that information to an outside location. “There has not been any more malicious impact from that,” he said.
Windows Server Update Services runs with some of the highest privileges in a Windows server environment, so attackers that exploit CVE-2025-59287 have “owned that machine that is fully compromised,” Hammond said.
The risk of compromise could extend to “some potential supply-chain shenanigans just opening the door with this opportunity,” he added. Attackers could push downstream updates to other connected hosts or computers that are waiting to receive new configurations or changes from that central server, according to Hammond.
Palo Alto Networks’ Unit 42 incident response team concurred with that assessment. “By compromising this single server, an attacker can take over the entire patch distribution system,” Justin Moore, senior manager of threat intel research at Unit 42, said in an email.
“With no authentication, they can gain system-level control and execute a devastating internal supply chain attack,” Moore added. “They can push malware to every workstation and server in the organization, all disguised as a legitimate Microsoft update. This turns the trusted service into a weapon of mass distribution.”
Microsoft and researchers tracking the vulnerability consistently noted that Windows Server Update Services should never be publicly exposed to the internet. Attackers can’t exploit the unauthenticated vulnerability in Windows Server Update Services instances that block inbound traffic from the public internet.
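The exposure condition described above (an unpatched WSUS listener on TCP 8530 or 8531 reachable from the internet) is something an administrator can audit and narrow on the server itself. The following PowerShell script is an added example written for this page; it is not code from the article, from Microsoft or from any of the researchers quoted. It assumes it runs elevated on the WSUS server, that the WSUS service is registered under its usual name WsusService, and that the placeholder ranges in $AllowedRanges (RFC 1918 networks here) are the only networks that should reach WSUS. It reports which enabled inbound allow rules open those ports to any remote address and, with -Enforce, scopes them to the allowed ranges.

```powershell
# Added example (not from the CyberScoop article or from Microsoft): audit and
# narrow host-firewall exposure of the WSUS listener ports named in the article.
# Assumptions (placeholders, adjust for your environment):
#   $AllowedRanges - the only networks that should reach WSUS (RFC 1918 here)
#   Runs elevated on the WSUS server; Windows PowerShell 5.1 or later.
# Patching is still required: scoping the firewall removes the internet exposure
# the article describes, it does not fix CVE-2025-59287.
[CmdletBinding()]
param(
    [string[]]$AllowedRanges = @('10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16'),
    [switch]$Enforce
)

$wsusPorts = @(8530, 8531)

# 1. Is WSUS installed, and is anything listening on the ports an attacker needs?
$svc = Get-Service -Name WsusService -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    Write-Host 'WsusService is not installed on this host.'
} else {
    Write-Host "WsusService status: $($svc.Status)"
}

Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $wsusPorts -contains $_.LocalPort } |
    ForEach-Object {
        Write-Host ("Listening: {0}:{1} (PID {2})" -f $_.LocalAddress, $_.LocalPort, $_.OwningProcess)
    }

# 2. Find enabled inbound allow rules that open 8530/8531 (TCP) to Any remote address.
$exposed = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True) {
    $pf = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $rule
    if ($pf.Protocol -notin @('TCP', 'Any')) { continue }

    # LocalPort may be 'Any', a single port, a range like '8530-8531', an array,
    # or a keyword such as 'RPC'; only treat numeric values as ports.
    $hit = $false
    foreach ($p in @($pf.LocalPort)) {
        if ($p -eq 'Any') { $hit = $true; break }
        if ($p -match '^(\d+)-(\d+)$') {
            $lo = [int]$Matches[1]; $hi = [int]$Matches[2]
            if ($wsusPorts | Where-Object { $_ -ge $lo -and $_ -le $hi }) { $hit = $true; break }
        } elseif ($p -match '^\d+$' -and $wsusPorts -contains [int]$p) {
            $hit = $true; break
        }
    }
    if (-not $hit) { continue }

    $remote = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $rule).RemoteAddress
    if (@($remote) -contains 'Any') { $rule }
}

# 3. Report, and optionally narrow the offending rules in place.
if (-not $exposed) {
    Write-Host 'No enabled inbound allow rule exposes TCP 8530/8531 to Any remote address.'
} else {
    foreach ($rule in $exposed) {
        Write-Warning ("Rule '{0}' ({1}) allows 8530/8531 from Any remote address" -f $rule.DisplayName, $rule.Name)
        if ($Enforce) {
            # Narrow the existing rule rather than adding a second allow rule: a
            # broader allow rule left enabled would still open the port.
            Set-NetFirewallRule -Name $rule.Name -RemoteAddress $AllowedRanges
            Write-Host ("  scoped '{0}' to {1}" -f $rule.DisplayName, ($AllowedRanges -join ', '))
        }
    }
    if (-not $Enforce) { Write-Host 'Re-run with -Enforce to scope these rules to the allowed ranges.' }
}
```

Two caveats. The host firewall is only one layer: a NAT or port-forward at the perimeter can expose 8530/8531 regardless of what the rules on the server say, and the Shadowserver count above was taken from the internet side, so the check that matters is confirming from outside that your public ranges do not answer on those ports. And narrowing reachability does not substitute for installing the re-released update; it only removes the precondition that the indiscriminate exploitation described in the article depends on.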
Microsoft deprecated Windows Server Update Services in September, noting that it continues to support the software update distribution tool but it is no longer actively developed or slated for new features.
The post Attackers bypass patch in deprecated Windows Server update tool appeared first on CyberScoop.
Microsoft addressed the critical vulnerability earlier this month, but had to issue an emergency update to resolve issues it previously missed.
