Microsoft has identified a remote code execution (RCE) vulnerability in the Windows Server Update Services (WSUS) reporting web service. For more information about the security fix, please review CVE-2025-59287.
Windows servers that do not have the WSUS server role enabled are not affected by this vulnerability.
An out-of-band (OOB) update was recently released to address this issue. This is a cumulative update, so administrators do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions.
After installing the update, reboot your system.
If administrators have not yet deployed the October 2025 Windows security update and the IT environment includes devices running the versions of Windows listed below, we recommend applying this OOB update instead:
- Windows Server 2025 (KB5070881)
- Windows Server, version 23H2 (KB5070879)
- Windows Server 2022 (KB5070884)
- Windows Server 2019 (KB5070883)
- Windows Server 2016 (KB5070882)
- Windows Server 2012 R2 (KB5070886)
- Windows Server 2012 (KB5070887)
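
To check a server against the list above, the following PowerShell function reports whether the WSUS role is installed and whether the OOB update for that Windows version is present. It is an added example, not part of the original notice: the function name `Test-WsusOobUpdate` and the build-number mapping are assumptions of this example, while the KB numbers are taken from the list.

```powershell
# Added example. KB numbers come from the list above; the build numbers are
# the standard OS builds for each release and are not stated in the notice.
$KbByBuild = @{
    '26100' = 'KB5070881'  # Windows Server 2025
    '25398' = 'KB5070879'  # Windows Server, version 23H2
    '20348' = 'KB5070884'  # Windows Server 2022
    '17763' = 'KB5070883'  # Windows Server 2019
    '14393' = 'KB5070882'  # Windows Server 2016
    '9600'  = 'KB5070886'  # Windows Server 2012 R2
    '9200'  = 'KB5070887'  # Windows Server 2012
}

function Test-WsusOobUpdate {
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $build = [string]$os.BuildNumber
    $kb    = $KbByBuild[$build]

    # Get-WindowsFeature only exists on Server editions; 'UpdateServices'
    # is the feature name of the WSUS server role.
    $wsus = $false
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name UpdateServices
        $wsus = [bool]($feature -and $feature.Installed)
    }

    $installed = $false
    if ($kb) {
        $installed = [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
    }

    # A later cumulative update may supersede the OOB KB, so a missing KB
    # means "review this host", not proof that the fix is absent.
    $status = if (-not $wsus)     { 'NotAffected: WSUS role not installed' }
              elseif (-not $kb)   { 'Review: build not in the KB list' }
              elseif ($installed) { 'Patched: OOB update present' }
              else                { 'Review: OOB update not found' }

    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        OS          = $os.Caption
        Build       = $build
        WsusRole    = $wsus
        ExpectedKB  = $kb
        KbInstalled = $installed
        Status      = $status
    }
}

Test-WsusOobUpdate | Format-List
```

Run it in an elevated PowerShell session on each server, or wrap the function in `Invoke-Command` to query several hosts at once.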
Please email crimsonservicedesk@wsu.edu with any questions.