Microsoft has identified a remote code execution (RCE) vulnerability in the Windows Server Update Services (WSUS) reporting web service. Windows servers that do not have the WSUS server role enabled are not vulnerable to this vulnerability. For more information about the security fix, see CVE-2025-59287.
An out-of-band (OOB) update was released today, October 23, 2025, to address this issue. This is a cumulative update, so you do not need to apply any previous updates before installing this update, as it supersedes all previous updates for affected versions. If you haven’t installed the October 2025 Windows security update yet, we recommend you apply this OOB update instead. After you install the update you will need to reboot your system.
If you have not yet deployed the October 2025 Windows security update and your IT environment includes devices running on the versions of Windows listed below, we recommend you apply this OOB update instead: