The eSentire Threat Response Unit (TRU) is aware of claims that threat actors are now actively exploiting the critical Windows Server Update Service (WSUS) vulnerability CVE-2025-59287. CVE-2025-59287 (CVSS: 9.8) is a Windows Server Update Service (WSUS) Remote Code Execution (RCE) vulnerability. A remote and unauthenticated threat actor may "send a crafted event that triggers unsafe object deserialization in a legacy serialization mechanism", resulting in unauthenticated RCE.
The vulnerability was initially disclosed on October 14th, 2025, and Proof-of-Concept (PoC) exploit code was released on October 17th, 2025. Active exploitation of this vulnerability was first reported beginning on October 23rd, 2025, with exploitation attempts continuing into October 24th, 2025. At this time, real-world attacks are reported to have resulted in reconnaissance and potential hands-on keyboard activity.
Given the criticality of the vulnerability, the existence of PoC exploit code, and confirmed exploitation attempts, it is critical for organizations to apply recommended security patches immediately.
CVE-2025-59287 was first disclosed on October 14th, within Microsoft's October 2025 Patch Tuesday release, where Microsoft indicated that no exploitation had been observed but assessed exploitation as "More Likely". On October 17th, 2025, Proof-of-Concept (PoC) exploit code for CVE-2025-59287 was published by HawkTrace.
In their analysis of the vulnerability, HawkTrace claims that it stems from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, which are "subsequently deserialized through BinaryFormatter without proper type validation", leading to Remote Code Execution (RCE) with SYSTEM privileges.
On October 23rd, Microsoft pushed an out-of-band emergency update that fully addresses the vulnerability and supersedes the "previous, incomplete fix from the October Patch Tuesday release". Microsoft updated its page on the vulnerability, confirming the release of PoC exploit code and the new patches, and confirming that Windows servers are not impacted if they do not have the WSUS Server role enabled. Microsoft also provided workaround steps if patching is not immediately possible: disable the WSUS Server Role if it is enabled on the server, or block inbound traffic to ports 8530 and 8531 on the host firewall. Either workaround renders WSUS non-operational until the patch is applied.
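The following PowerShell is an added example, not part of the eSentire advisory or Microsoft's guidance: it checks a host against the facts above (WSUS Server role present, out-of-band update installed, ports 8530/8531 listening) and stages the documented firewall workaround with `-WhatIf`. The KB number assumed is KB5070883, the Server 2019 (OS build 17763) update linked in the references; other OS builds receive their own out-of-band KB.

```powershell
# Added example (not from the eSentire advisory): triage a Windows Server host for
# CVE-2025-59287 exposure. Run in an elevated PowerShell session on the server itself.

# Assumption: KB5070883 is the out-of-band update for OS build 17763 (Server 2019),
# per the advisory's references. Other builds have their own KB; set this accordingly.
$OobKb = 'KB5070883'

# 1. Is the WSUS Server role installed? Per Microsoft, hosts without the role are not affected.
$roleInstalled = (Get-WindowsFeature -Name UpdateServices).Installed

# 2. Is the out-of-band update present in the local servicing store?
$patchInstalled = [bool](Get-HotFix -Id $OobKb -ErrorAction SilentlyContinue)

# 3. Are the WSUS ports (8530 HTTP, 8531 HTTPS) currently listening, i.e. reachable?
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in @(8530, 8531) } |
    Select-Object -ExpandProperty LocalPort -Unique

# Summary record; "Exposed" is true when the role is present and the OOB patch is missing.
[pscustomobject]@{
    ComputerName   = $env:COMPUTERNAME
    WsusRole       = $roleInstalled
    OobPatch       = $patchInstalled
    ListeningPorts = ($listening -join ',')
    Exposed        = ($roleInstalled -and -not $patchInstalled)
}

# 4. If exposed and patching cannot happen immediately, stage Microsoft's workaround.
#    Both options take WSUS offline until the patch is applied; remove -WhatIf to apply.
if ($roleInstalled -and -not $patchInstalled) {
    # Option A: block inbound 8530/8531 on the host firewall.
    New-NetFirewallRule -DisplayName 'Block WSUS inbound (CVE-2025-59287 workaround)' `
        -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 -Action Block -WhatIf
    # Option B: remove the WSUS Server role (a restart is required to complete removal).
    # Uninstall-WindowsFeature -Name UpdateServices -WhatIf
}
```

Record the summary object from each host before and after patching so the review in the next section has evidence that the role, patch state and listening ports were actually verified rather than assumed.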
Following the emergency patches, a report published by Eye Security on October 24th confirmed that exploitation of CVE-2025-59287 had been observed in the wild, after the firm received an alert for an attack involving reconnaissance and suspected hands-on-keyboard activity. This was followed by secondary confirmation of observed exploitation from Huntress Labs. In the afternoon of October 24th, CISA added CVE-2025-59287 to the Known Exploited Vulnerabilities catalog, giving Federal agencies until November 14th to ensure security patches are deployed.
Given the publicly available PoC exploit code and reports of ongoing exploitation, organizations should immediately perform a business impact review to determine if they are vulnerable to CVE-2025-59287 and apply relevant security patches or mitigation steps as soon as possible. eSentire's Threat Intelligence team assesses with high confidence that exploitation attempts of CVE-2025-59287 will become more widespread in the near future.
References:
[1] https://hawktrace.com/blog/CVE-2025-59287
[2] https://nvd.nist.gov/vuln/detail/CVE-2025-59287
[3] https://www.bleepingcomputer.com/news/microsoft/microsoft-october-2025-patch-tuesday-fixes-6-zero-days-172-flaws/
[4] https://winbuzzer.com/2025/10/24/microsoft-issues-emergency-patch-for-actively-exploited-windows-server-flaw-cve-2025-59287-xcxwbn/
[5] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
[6] https://research.eye.security/wsus-deserialization-exploit-in-the-wild-cve-2025-59287/
[7] https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
[8] https://www.cisa.gov/news-events/alerts/2025/10/24/cisa-adds-two-known-exploited-vulnerabilities-catalog
[9] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[10] https://support.microsoft.com/en-us/topic/october-23-2025-kb5070883-os-build-17763-7922-out-of-band-860bc03c-52fb-407c-89b2-14ecf4893c5c