
=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN740
_____________________________________________________________________

DATE                : 28/10/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Windows Server Update Service (WSUS).

=====================================================================
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
_____________________________________________________________________

Windows Server Update Service (WSUS) Remote Code Execution
Vulnerability

CVE-2025-59287
Security Vulnerability

Released: Oct 14, 2025

Last updated: Oct 24, 2025

Assigning CNA
    Microsoft

CVE.org link
    CVE-2025-59287 

Impact
    Remote Code Execution

Max Severity
    Critical

Weakness
    CWE-502: Deserialization of Untrusted Data

CVSS Source
    Microsoft

Vector String
    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C

Metrics
    CVSS:3.1 9.8 (base) / 8.8 (temporal)

Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Please see Common Vulnerability Scoring System for more information
on the definition of these metrics.


Executive Summary

Deserialization of untrusted data in Windows Server Update Service
allows an unauthorized attacker to execute code over a network.

Exploitability

The following table provides an exploitability assessment for this
vulnerability at the time of original publication.

Publicly disclosed
    No
Exploited
    No
Exploitability assessment
    Exploitation More Likely

Mitigations

Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the
severity of exploitation of a vulnerability. The following
mitigating factors may be helpful in your situation:

The WSUS Server Role is not enabled by default on Windows Server.
Servers that do not have the WSUS server role enabled are not
affected. A server on which the WSUS server role is enabled is
vulnerable unless the fix has been installed; enabling the role
later on a server that has not yet received the fix makes that
server vulnerable as well.


Workarounds

The following workarounds might be helpful in your situation. In
all cases, Microsoft strongly recommends that you install the
updates for this vulnerability as soon as possible even if you
plan to leave either of these workarounds in place:

If you are unable to install the October 23, 2025 out-of-band
update, you can take any of the following actions to be protected
against this vulnerability:

    If the WSUS Server Role is enabled on your server, disable
it. Note that clients will no longer receive updates from the
server if WSUS is disabled.
    Block inbound traffic to Ports 8530 and 8531 on the host
firewall (as opposed to blocking only at the network/perimeter
firewall) to render WSUS non-operational.

Important: Do NOT undo either of these workarounds until after
you have installed the update.
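The two workarounds above, as an added PowerShell example (not code from the MSRC advisory or from CERT-Renater): it checks whether the WSUS role is present, creates host-firewall block rules for inbound TCP 8530 and 8531, verifies that they are enabled, and can later remove them (after patching) or remove the WSUS role itself. The rule-name prefix and the -RemoveRole / -Undo switches are this example's own choices; the port list assumes the default WSUS listeners.

```powershell
# Added example, not from the MSRC page or CERT-Renater. Run in an elevated
# PowerShell on the WSUS server. Rule names and switches are this example's own.
[CmdletBinding()]
param(
    [switch]$RemoveRole,   # also remove the WSUS role (clients stop receiving updates)
    [switch]$Undo          # delete the block rules again; only after the update + reboot
)

$RulePrefix = 'CVE-2025-59287-WSUS-Block'   # assumed name, not a Microsoft convention
$Ports      = @(8530, 8531)                 # default WSUS HTTP / HTTPS listeners

# 1. Servers without the WSUS role are not affected; nothing to do there.
$wsus = Get-WindowsFeature -Name UpdateServices
if (-not $wsus.Installed) {
    Write-Host 'WSUS role not installed; this host is not exposed.'
    return
}

# 2. Undo path: remove the block rules once the October 23, 2025 out-of-band
#    update is installed and the server has been rebooted.
if ($Undo) {
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    Write-Host 'Block rules removed.'
    return
}

# 3. Block inbound TCP 8530/8531 on the host firewall for every profile, so the
#    block holds for traffic that originates inside the perimeter too.
foreach ($port in $Ports) {
    $name = "$RulePrefix-$port"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $port -Action Block -Profile Any -Enabled True | Out-Null
    }
}

# 4. Verify: one enabled Block rule per port. Windows Firewall evaluates Block
#    rules before Allow rules, so an enabled Block rule is sufficient.
$rules = @(Get-NetFirewallRule -DisplayName "$RulePrefix*" | Where-Object Enabled -eq 'True')
if ($rules.Count -ne $Ports.Count) {
    throw "Expected $($Ports.Count) enabled block rules, found $($rules.Count)."
}
$rules | Get-NetFirewallPortFilter | Select-Object LocalPort, Protocol

# 5. Microsoft's first workaround: take the role out entirely.
if ($RemoveRole) {
    Uninstall-WindowsFeature -Name UpdateServices
}
```

If WSUS was configured to use 80/443 instead of the default 8530/8531, change $Ports accordingly, keeping in mind that such a rule also blocks any other IIS site bound to those ports. Leave the rules in place until the out-of-band update is installed and the server has rebooted, then run the script with -Undo.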


FAQ

How could an attacker exploit this vulnerability?

A remote, unauthenticated attacker could send a crafted event
that triggers unsafe object deserialization in a legacy
serialization mechanism, resulting in remote code execution.


What actions do I need to take to be protected from this
vulnerability?

To fully address this vulnerability:

    Windows Server customers should install the out-of-band
update released on October 23, 2025.
    Windows Servers enrolled into the hotpatch program should
install the out-of-band standalone security update released
on October 24, 2025.

If you cannot install the update immediately see the Workaround
section for actions you can take to be protected.


Will the out-of-band update released on October 23, 2025
require a Windows server reboot?

Yes. After you install the update you will need to reboot your
system.


Will the out-of-band standalone security updates released on
October 24, 2025 for Windows Servers enrolled into the hotpatch
program require a reboot?

Yes. A reboot will be required only on servers that have WSUS
enabled. This update will not reset the previous baseline.


How do I get the October 23, 2025 out-of-band security update?

The update is available through the following channels:

    For customers who automatically install updates, this update
will be downloaded and installed automatically from Windows
Update and Microsoft Update.

    The standalone package for this update is available on the
Microsoft Update Catalog website.

    This update will automatically sync with Windows Server
Update Services (WSUS).


How do I get the October 24, 2025 out-of-band standalone
security update for Windows Servers enrolled into the
hotpatch program?

Windows Server 2022:

    For customers who automatically install updates, this
update will be downloaded and installed automatically from
Windows Update.

    This update will automatically sync with Windows Server
Update Services (WSUS).

Windows Server 2025:

    For customers who automatically install updates, this
update will be downloaded and installed automatically from
Windows Update only.


Why did the Temporal CVSS score change?

Microsoft has updated the Exploit Code Maturity metric of the
CVSS Temporal score from Unproven (U) to Proof-of-Concept (P)
after confirming the availability of publicly disclosed PoC
code for this CVE.

Will an updated Windows Update offline scan file, Wsusscn2.cab,
with this new security update be available?

Yes. An updated scan file will be available at the time of,
or shortly after, the release.


Acknowledgements

    MEOW
    f7d8c52bec79e42795cf15888b85cbad
    Markus Wulftange 

    with
    CODE WHITE GmbH
    https://code-white.com/

Microsoft recognizes the efforts of those in the security community
who help us protect customers through coordinated vulnerability
disclosure. See Acknowledgements for more information.


Security Updates

To determine the support lifecycle for your software, see the
Microsoft Support Lifecycle.


All rows: Release date Oct 14, 2025; Platform: -; Impact: Remote Code
Execution; Max Severity: Critical. Where two articles are listed, the
second one is the standalone (hotpatch) security update; both land on
the same build number.

Product                                                       Article   Download                     Build number
------------------------------------------------------------  --------  ---------------------------  ---------------
Windows Server 2012 R2 (Server Core installation)             5070886   Security Update              6.3.9600.22826
Windows Server 2012 R2                                        5070886   Security Update              6.3.9600.22826
Windows Server 2012 (Server Core installation)                5070887   Security Update              6.2.9200.25728
Windows Server 2012                                           5070887   Security Update              6.2.9200.25728
Windows Server 2016 (Server Core installation)                5070882   Security Update              10.0.14393.8524
Windows Server 2016                                           5070882   Security Update              10.0.14393.8524
Windows Server 2025                                           5070881   Security Update              10.0.26100.6905
                                                              5070893   Standalone Security Update   10.0.26100.6905
Windows Server 2022, 23H2 Edition (Server Core installation)  5070879   Security Update              10.0.25398.1916
Windows Server 2025 (Server Core installation)                5070881   Security Update              10.0.26100.6905
                                                              5070893   Standalone Security Update   10.0.26100.6905
Windows Server 2022 (Server Core installation)                5070884   Security Update              10.0.20348.4297
                                                              5070892   Standalone Security Update   10.0.20348.4297
Windows Server 2022                                           5070884   Security Update              10.0.20348.4297
                                                              5070892   Standalone Security Update   10.0.20348.4297
Windows Server 2019 (Server Core installation)                5070883   Security Update              10.0.17763.7922
Windows Server 2019                                           5070883   Security Update              10.0.17763.7922
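One way to check a server against the fixed builds in the table, as an added PowerShell example (not Microsoft's or CERT-Renater's code): it reads the installed build from the registry (on Windows Server 2012 / 2012 R2, which have no UBR value, it falls back to the kernel's file version), compares it with the fixed build for that build family, and cross-checks the KB ids with Get-HotFix. The $FixedBuilds table is copied from the table above; the function names are this example's own.

```powershell
# Added example, not from the MSRC page or CERT-Renater. Fixed builds are taken
# from the Security Updates table; function names are this example's own.

# Fixed build per build family (major.minor.build). The regular and the
# hotpatch standalone update both produce the same build number.
$FixedBuilds = @{
    '6.2.9200'   = [version]'6.2.9200.25728'    # Windows Server 2012
    '6.3.9600'   = [version]'6.3.9600.22826'    # Windows Server 2012 R2
    '10.0.14393' = [version]'10.0.14393.8524'   # Windows Server 2016
    '10.0.17763' = [version]'10.0.17763.7922'   # Windows Server 2019
    '10.0.20348' = [version]'10.0.20348.4297'   # Windows Server 2022
    '10.0.25398' = [version]'10.0.25398.1916'   # Windows Server 2022, 23H2 Edition
    '10.0.26100' = [version]'10.0.26100.6905'   # Windows Server 2025
}

function Get-InstalledBuild {
    # [Environment]::OSVersion omits the UBR (the last component), so read the
    # full build from the registry instead.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.PSObject.Properties['CurrentMajorVersionNumber']) {
        # Windows Server 2016 and later carry all four components in the registry.
        return [version]("{0}.{1}.{2}.{3}" -f $cv.CurrentMajorVersionNumber,
            $cv.CurrentMinorVersionNumber, $cv.CurrentBuildNumber, $cv.UBR)
    }
    # Windows Server 2012 / 2012 R2 have no UBR value. The kernel's file version
    # is usually (not always) refreshed by the monthly rollup, so treat the
    # result as an approximation and confirm with Get-HotFix below.
    $k = (Get-Item "$env:SystemRoot\System32\ntoskrnl.exe").VersionInfo
    return [version]("{0}.{1}.{2}.{3}" -f $k.FileMajorPart, $k.FileMinorPart,
        $k.FileBuildPart, $k.FilePrivatePart)
}

function Test-Cve202559287Fixed {
    param([version]$Installed = (Get-InstalledBuild))
    $family = "$($Installed.Major).$($Installed.Minor).$($Installed.Build)"
    if (-not $FixedBuilds.ContainsKey($family)) {
        return [pscustomobject]@{
            Build = $Installed; Fixed = $null
            Status = 'Unknown build family; not listed in the MSRC table'
        }
    }
    $fixed = $FixedBuilds[$family]
    [pscustomobject]@{
        Build  = $Installed
        Fixed  = $fixed
        Status = if ($Installed -ge $fixed) { 'Patched' }
                 else { 'Not patched (vulnerable if the WSUS role is installed)' }
    }
}

# Cross-check with the KB ids from the table. Get-HotFix can miss updates, so
# the build comparison above is the authoritative answer; a missing KB here is
# only a hint, a present one is confirmation.
$KBs = 'KB5070879','KB5070881','KB5070882','KB5070883','KB5070884',
       'KB5070886','KB5070887','KB5070892','KB5070893'
$present = Get-HotFix -Id $KBs -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty HotFixID

Test-Cve202559287Fixed
if ($present) { "Matching KB(s) reported by Get-HotFix: $($present -join ', ')" }
else          { 'None of the listed KB ids reported by Get-HotFix.' }
```

A "Patched" result only means the code is on disk; the reboot required by the update (see the FAQ above) must also have happened, and the role-based caveat from the Mitigations section still applies to servers where WSUS is enabled later.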


Disclaimer
The information provided in the Microsoft Knowledge Base is provided
"as is" without warranty of any kind. Microsoft disclaims all
warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any
damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the
possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages
so the foregoing limitation may not apply.


Revisions

3.0
Oct 24, 2025

Security hotpatch updates are now available for supported versions of
Windows Server 2022 and Windows Server 2025. Note that a reboot will
be required after you install these hotpatch updates.

2.1
Oct 24, 2025

Updated links to security updates. This is an informational change only.

2.0
Oct 23, 2025

To comprehensively address CVE-2025-59287, Microsoft has released an
out-of-band security update for the following supported versions of
Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows
Server 2016, Windows Server 2019, Windows Server 2022, Windows
Server 2022, 23H2 Edition (Server Core installation), and Windows
Server 2025. Note that a reboot will be required after you install
the updates.

1.0
Oct 14, 2025

Information published.


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================