PKCERT warns of high-risk vulnerability in Microsoft Windows server

Attacker can inject malicious code, commands that run on server's side

A Gemini illustration depicting an RCE exploit

Pakistan’s national cyber-incident response body, Pakistan Computer Emergency Response Team, has issued a critical security advisory concerning a high-risk vulnerability in Microsoft Windows Server Update Services, the software used by many organisations for patch management of Windows servers.

Microsoft Windows Server Update Services (WSUS) is the central system that large organisations (like government offices or major companies) use to manage, distribute, and install updates (patches) across their entire network of computers. The exploit works by unsafe deserialisation of the WSUS Authorisation Cookie: the attacker sends a corrupted permission note, like a cookie, to the server that tricks the system into executing the attacker's own code instead of ignoring the bad input.

The flaw allows for remote code execution (RCE) on a vulnerable system, which means that an attacker can remotely run their own malicious programs or commands on the vulnerable server from anywhere in the world, "leading to complete server compromise," according to the Pakistan Computer Emergency Response Team (PKCERT) advisory. The attacker is "unauthenticated", meaning they require no username or password to exploit this vulnerability, and PKCERT has said that this flaw is being "actively exploited in the wild."

How does this happen?

Serialising is when a web application converts complex data, like your session information or website permissions, into a compact format for easy sending and storage. When the information needs to be used again, the application then deserialises the information.

“Unsafe deserialisation” happens when a program blindly trusts data it’s deserialising, meaning it doesn’t check whether that data has been tampered with. If an attacker can modify that data — a cookie, token, or hidden field — and the server deserialises it without verification, the attacker can inject malicious code or commands that run on the server's side.

In this case, the WSUS Authorisation Cookie (a piece of data WSUS uses to know who’s connecting and what they can do) is not properly validated before being deserialised. Since WSUS servers manage updates across entire networks, a compromised WSUS host could push infected updates to thousands of connected machines, spreading malware or ransomware silently across corporate and government systems, stealing and transferring authentication and network data, or taking full control of every machine on the network (running any code the attacker wants).
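To make the "blind trust" point concrete, here is an added illustration that is not from the PKCERT advisory, from Microsoft, or from WSUS itself: a toy web session cookie handled two ways. The unsafe handler deserialises whatever the client sends, so a client can hand it a cookie it built itself claiming an "admin" role and the server believes it. The hardened handler uses a data-only format (JSON) and checks an HMAC over the bytes before parsing, so the same tampering is rejected. The key, user names and cookie layout are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import pickle
from typing import Optional

# Constructed secret for this example only; a real service loads it from a secret store.
SERVER_KEY = b"example-server-key-not-for-production"


# --- Vulnerable pattern: the cookie is deserialised with no integrity check ---

def issue_cookie_unsafe(user: str, role: str) -> str:
    """Serialise the session with pickle and base64 it, as an unsafe app might."""
    return base64.b64encode(pickle.dumps({"user": user, "role": role})).decode()


def read_cookie_unsafe(cookie: str) -> dict:
    """Blindly trusts the cookie. Nothing here can tell a client-built cookie from a
    genuine one, and pickle.loads will act on whatever the bytes describe."""
    return pickle.loads(base64.b64decode(cookie))


def client_built_cookie_unsafe() -> str:
    """A cookie assembled by the client rather than issued by the server. No secret is
    needed, because the unsafe server never checks where the bytes came from."""
    return base64.b64encode(pickle.dumps({"user": "mallory", "role": "admin"})).decode()


# --- Hardened pattern: data-only format plus an HMAC tag verified before parsing ---

def issue_cookie_signed(user: str, role: str, key: bytes = SERVER_KEY) -> str:
    payload = base64.urlsafe_b64encode(
        json.dumps({"user": user, "role": role}).encode()
    ).decode()
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def read_cookie_signed(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Verify the tag BEFORE parsing the payload; return None for anything tampered
    with or malformed. Only plain JSON objects with the expected keys are accepted."""
    try:
        payload, tag = cookie.rsplit(".", 1)
    except ValueError:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    try:
        data = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, json.JSONDecodeError):
        return None
    if not isinstance(data, dict) or set(data) != {"user", "role"}:
        return None
    return data


def modify_signed_cookie(cookie: str) -> str:
    """Change the role inside a signed cookie without knowing the key. The old tag is
    kept, so it no longer matches the modified payload."""
    payload, tag = cookie.rsplit(".", 1)
    data = json.loads(base64.urlsafe_b64decode(payload))
    data["role"] = "admin"
    new_payload = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    return f"{new_payload}.{tag}"


def demo() -> tuple:
    """Return (role the unsafe server believes, role the hardened server believes)."""
    unsafe_role = read_cookie_unsafe(client_built_cookie_unsafe())["role"]
    genuine = issue_cookie_signed("alice", "user")
    hardened = read_cookie_signed(modify_signed_cookie(genuine))
    return unsafe_role, (hardened["role"] if hardened else None)


if __name__ == "__main__":
    print(demo())  # ('admin', None)
```

The two halves differ in exactly the way the article describes: the unsafe path deserialises first and has no way to ask "was this tampered with?", while the hardened path refuses to parse anything whose tag does not verify and never feeds client bytes to a deserialiser that can instantiate objects. Replacing pickle with JSON matters as much as the HMAC: a format that can only express data cannot run code on the server, whatever the client sends.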

PKCERT has assigned this vulnerability a score of 9.8 on the Common Vulnerability Scoring System (CVSS), meaning it is a critical threat to national public and private systems. Any organisation is at risk if it runs Windows systems that are not on the most up-to-date versions, or systems that are publicly accessible, among other conditions.

Combating the exploit

PKCERT has issued a few solutions to the problem. They recommend applying Microsoft's October 2025 out-of-band patch (a patch that was released outside of the normal patch cycle), temporarily blocking affected Internet ports, which act as doorways on your computer that let specific types of online traffic go in and out, and strengthening server security, like ensuring WSUS servers aren't exposed to the public internet.

They also call on organisations to be more vigilant with suspicious cyber activity and to track unauthorised server access to ensure the security of their organisations.
