
"Microsoft hasn't updated its advice about the flaw to reveal to note the active in-the-wild exploitation detected by multiple credible sources. Redmond instead lists CVE-2025-59287 as not having been publicly disclosed, or exploited. The software giant does rate the bug as "exploitation more likely," which may be the understatement of the month. "We are actively investigating the exploitation of CVE-2025-59287 by a newly identified threat actor we are tracking as UNC6512, across multiple victim organizations,""
""Following initial access, the actor has been observed executing a series of commands to conduct reconnaissance on the compromised host and the associated environment," GTIG continued. "We have also observed exfiltration from impacted hosts." CVE-2025-59287, which affects Windows Server versions 2012 through 2025, stems from insecure deserialization of untrusted data and allows unauthenticated attackers to execute arbitrary code on vulnerable systems."
A critical remote code execution vulnerability in Windows Server Update Services, CVE-2025-59287, is being actively exploited against Windows Server 2012 through 2025. The flaw arises from insecure deserialization of untrusted data and permits unauthenticated attackers to execute arbitrary code on vulnerable WSUS servers. Google Threat Intelligence Group reports a threat actor tracked as UNC6512 conducting reconnaissance and exfiltration after initial access. Microsoft issued an emergency patch but has not updated advisory text to reflect active exploitation and initially rated the bug as "exploitation more likely." Servers without the WSUS role are not affected.
Read at Theregister