Security researchers are warning that cyber threat actors are abusing a critical vulnerability in Microsoft Windows Server Update Services (WSUS).
The vulnerability, tracked as CVE-2025-59287, involves deserialization of untrusted data and could allow intruders to execute code without authorization.
Researchers at Huntress said they have seen attackers exploiting the vulnerability in four different customers’ networks.
Senior security researcher John Hammond described the attack as a simple “point-and-shoot” technique, noting that the recent release of a proof of concept made the attack trivially accessible for any hacker to launch.
Microsoft issued out-of-band security updates on Thursday to address the vulnerability. “We rereleased this CVE after identifying that the initial update did not fully mitigate the issue,” a Microsoft spokesperson told Cybersecurity Dive.
Experts urged organizations to immediately apply the new patch.
“The currently trending WSUS vulnerability is a critical issue that should receive top priority for patching in any environment,” Jimi Sebree, senior security researcher at Horizon3.ai, told Cybersecurity Dive. “Its presence is due to how juicy of a target the service is.”
Hackers who compromise the service can move laterally across the network and obtain significant additional access, Sebree said.
Windows Server Update Services lets IT administrators centrally manage the approval and deployment of Microsoft product updates to the Windows systems in their environment.
The Cybersecurity and Infrastructure Security Agency on Friday added the vulnerability to its Known Exploited Vulnerabilities catalog.
In an advisory released late Friday, CISA urged users to identify servers that are vulnerable to exploitation and immediately apply the updates. According to CISA, the affected servers are those with the WSUS Server Role enabled and listening on port 8530 (HTTP) or 8531 (HTTPS), the default WSUS ports.
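The following PowerShell script is an added example (not from the article, CISA or Microsoft) of how an administrator can turn that guidance into a quick check on a server: it reports whether the WSUS role is installed, which process is listening on 8530/8531, and whether the update KBs the caller passes in are present. The KB identifiers are not known to this page; they are a parameter the caller fills in from Microsoft's advisory for CVE-2025-59287. It assumes a Windows Server host with the ServerManager and NetTCPIP modules available, run from an elevated session.

```powershell
# Added example, not part of the original article or any vendor guidance.
# Inventory check for CISA's "WSUS Server Role enabled and 8530/8531 open" criterion.
# Assumes: Windows Server, elevated session, Get-WindowsFeature / Get-NetTCPConnection
# / Get-HotFix available. Run locally on each candidate server.

param(
    # KB IDs of the out-of-band update for this OS build, copied by the caller from
    # Microsoft's CVE-2025-59287 advisory. Placeholder parameter; no KB is assumed here.
    [string[]]$RequiredKBs = @()
)

$wsusPorts = 8530, 8531   # WSUS defaults: 8530 = HTTP, 8531 = HTTPS

# 1. Is the WSUS server role installed on this host?
$role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
$roleInstalled = ($null -ne $role) -and $role.Installed

# 2. Is anything listening on the WSUS ports, and which process owns the socket?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $wsusPorts -contains $_.LocalPort } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

# 3. Are the required update KBs already installed?
$installedKBs = (Get-HotFix -ErrorAction SilentlyContinue).HotFixID
$missingKBs   = $RequiredKBs | Where-Object { $installedKBs -notcontains $_ }

[pscustomobject]@{
    ComputerName  = $env:COMPUTERNAME
    WsusRole      = $roleInstalled
    WsusListeners = (@($listeners) | ForEach-Object {
                        "$($_.LocalAddress):$($_.LocalPort) ($($_.Process))"
                    }) -join ', '
    MissingKBs    = ($missingKBs -join ', ')
    # Matches CISA's scoping criterion: role present and a WSUS port exposed.
    # Whether the host is still exploitable also depends on MissingKBs being non-empty.
    InScope       = $roleInstalled -and (@($listeners).Count -gt 0)
} | Format-List
```

Invoke it as `.\Check-WsusExposure.ps1 -RequiredKBs KB<id-from-advisory>` on each server. From another host, `Test-NetConnection -ComputerName <wsus-host> -Port 8530` confirms whether the port is reachable across the network, which is the exposure that matters for an unauthenticated attacker; an `InScope` server whose ports are only reachable from the management VLAN is a lower priority than one exposed to the whole estate, but both still need the patch.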
“While there is no evidence of compromise within federal networks, the threat from these actors is real — organizations should immediately apply Microsoft’s out-of-band patch and follow mitigation guidance to protect their systems,” Nick Andersen, executive assistant director for the Cybersecurity Division at CISA, told Cybersecurity Dive Saturday via email.
Shadowserver on Sunday reported about 2,800 instances that were visible on the internet, though researchers were still working to confirm how many of those are actually vulnerable.
Researchers at Arctic Wolf said they were tracking a threat campaign that might be related to the vulnerability, although they said they could not confirm a link.
Palo Alto Networks Unit 42 warned that WSUS is often neglected by IT security teams, making it a vulnerable target for hackers.
“By compromising this single server, an attacker can take over the entire patch distribution system,” Justin Moore, senior manager, threat intel research at PAN Unit 42, told Cybersecurity Dive. “With no authentication, they can gain SYSTEM-level control and execute a devastating internal supply chain attack.”
An attack could potentially send malware to all workstations under the guise of a legitimate Microsoft update, Moore said.
Editor’s note: Updates with comment from Shadowserver, CISA and Palo Alto Networks.