On 24 October 2025, Microsoft released an out-of-band security update for CVE-2025-59287, a critical (CVSS 9.8) remote code execution vulnerability in the WSUS Server Role on Windows Server (2012/2012 R2, 2016, 2019, 2022, and 2025). The flaw stems from unsafe deserialization in WSUS’s reporting web services, enabling a remote, unauthenticated attacker to send crafted requests and execute arbitrary code with SYSTEM privileges on a vulnerable server.
Microsoft confirmed that the October Patch Tuesday update did not fully mitigate the issue and urged immediate deployment of the new out-of-band patches [1]. Exploitation activity has already been detected in the wild, making prompt remediation critical for all WSUS-enabled environments [2].
This blog examines the WSUS service, the root cause of CVE-2025-59287, available proof-of-concept exploits, and the recommended mitigation and workaround strategies.
Windows Server Update Services (WSUS) is a Windows Server role that allows organizations to centrally manage, approve, and distribute Microsoft updates across all Windows endpoints in their environment. Instead of each machine connecting directly to Microsoft Update over the internet, WSUS acts as an internal update repository, improving control, bandwidth efficiency, and compliance.
Client systems periodically communicate with the WSUS server over HTTP (port 8530) or HTTPS (port 8531) to request update metadata and download approved patches. Administrators can define update policies, automate deployment schedules, and monitor update status across the network, making WSUS a key infrastructure component in enterprise patch management and compliance operations.
The vulnerability lies within the WSUS component responsible for handling the AuthorizationCookie objects, specifically in the Microsoft.UpdateServices.Internal.Authorization.EncryptionHelper.DecryptData() method.
The core issue is the use of the insecure .NET BinaryFormatter for deserializing encrypted cookie data without proper type validation.
When an authorization cookie is received via the GetCookie() SOAP endpoint, the server attempts to decrypt and deserialize its contents.
As shown in the provided source code snippet, after decryption, the data is passed directly to the BinaryFormatter.Deserialize() method if the object is not of the hardcoded type UnencryptedCookieData:
// Source snippet from DecryptData method
The use of BinaryFormatter.Deserialize() on arbitrary user-controllable input (the encrypted cookie data) is a classic unsafe deserialization vulnerability.
An attacker can craft a malicious gadget chain payload (often generated using tools like ysoserial.net) that, when deserialized by BinaryFormatter, forces the application to execute arbitrary code. Since the WSUS service often runs with high privileges (e.g., SYSTEM), this leads to a critical RCE.
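The control Microsoft's fix is described as adding later on this page, strict type validation before deserialization, is easiest to see side by side with the vulnerable pattern. The Python below is an added example written for this post, not WSUS or .NET code: Python's pickle stands in for BinaryFormatter, a hypothetical `Gadget` class stands in for a gadget chain (its reduce hook only appends to a list, so nothing harmful runs), and `CookieData` is a hypothetical stand-in for the single type a cookie is expected to hold. The allow-list unpickler plays the role of a strict SerializationBinder: an unexpected type is refused before any of its code can execute.

```python
import io
import pickle

# Side-effect log used to show whether the gadget's callable actually ran.
# Everything in this file is a constructed demonstration, not WSUS or .NET code.
_GADGET_RUNS = []


def _side_effect():
    """Stand-in for attacker-chosen code: the gadget's reduce hook points here."""
    _GADGET_RUNS.append("ran")


class Gadget:
    """Hypothetical gadget object. When unpickled, __reduce__ tells the loader to
    call _side_effect() instead of rebuilding a harmless object, which is the same
    trick a BinaryFormatter gadget chain relies on."""

    def __reduce__(self):
        return (_side_effect, ())


class CookieData:
    """Hypothetical stand-in for the one type a cookie is expected to contain."""

    def __init__(self, client_id, issued):
        self.client_id = client_id
        self.issued = issued


def build_payload(obj):
    """Serialize an object the way a client (legitimate or not) would send it."""
    return pickle.dumps(obj, protocol=pickle.HIGHEST_PROTOCOL)


def load_unrestricted(blob):
    """Vulnerable pattern: the loader instantiates whatever type the stream names,
    exactly like BinaryFormatter.Deserialize() with no type validation."""
    return pickle.loads(blob)


class AllowListUnpickler(pickle.Unpickler):
    """Hardened loader: only the expected type may be resolved from the stream.
    This is the pickle equivalent of a strict SerializationBinder."""

    def find_class(self, module, name):
        if module == CookieData.__module__ and name == "CookieData":
            return CookieData
        raise pickle.UnpicklingError(f"type {module}.{name} is not allowed in a cookie")


def load_with_allowlist(blob):
    """Returns ("ok", obj) for an expected cookie, ("rejected", reason) otherwise.
    A rejected stream never reaches the point where its callable would run."""
    try:
        return ("ok", AllowListUnpickler(io.BytesIO(blob)).load())
    except pickle.UnpicklingError as exc:
        return ("rejected", str(exc))


def gadget_run_count():
    """How many times the gadget's callable has executed in this process."""
    return len(_GADGET_RUNS)


if __name__ == "__main__":
    good = build_payload(CookieData("client-1", 1730000000))
    bad = build_payload(Gadget())
    print("allow-list, legitimate cookie:", load_with_allowlist(good)[0])
    print("allow-list, gadget payload:", load_with_allowlist(bad))
    print("gadget ran after allow-list load:", gadget_run_count())
    load_unrestricted(bad)
    print("gadget ran after unrestricted load:", gadget_run_count())
```

The key design point is where the check happens: the allow-list is consulted while the stream is still being decoded, so the refused type is never constructed. Checking `isinstance` on the returned object afterwards, as the hardcoded UnencryptedCookieData comparison in the vulnerable code effectively does, is too late, because the side effect fires during deserialization itself.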
The exploitation flow involves two main parts: a payload generator and the SOAP request [3].
The following C# code snippet illustrates how the serialized gadget chain (from ysoserial.net) is encrypted using the hardcoded key and an IV of all zeros:
// Proof-of-Concept (PoC) Encryption Logic
The ysooo string below is a Base64-encoded serialized object (likely an IComparer gadget chain) that, upon deserialization, triggers a command like cmd.exe /c calc.
// Serialized Gadget Chain (Partial, for illustration)
The final encrypted payload ([GENERATED PAYLOAD]) is placed into the AuthorizationCookie element of a SOAP request to the GetCookie endpoint:
POST /ClientWebService/Client.asmx HTTP/1.1
Threat actors have been observed actively exploiting this vulnerability in the wild, targeting exposed WSUS instances, often on the default ports 8530 and 8531 [2].
The typical attack chain involves the following process trees. The observed process chains indicate execution via the main WSUS processes:
wsusservice.exe → cmd.exe → cmd.exe → powershell.exe
and
w3wp.exe → cmd.exe → cmd.exe → powershell.exe
Immediate action is required to prevent compromise.
Apply the security update released by Microsoft immediately. This patch addresses the vulnerability by implementing secure serialization mechanisms and/or strict type validation, preventing the deserialization of malicious object types. Refer to the official Microsoft Security Response Center (MSRC) advisory for the specific updates for your Windows Server version.
The vulnerability is unauthenticated and exploitable over the network. Restrict network access to the WSUS service ports (8530/TCP and 8531/TCP) to only the clients and management hosts that explicitly require it. Blocking inbound traffic on these ports from the public internet is a critical defense-in-depth measure.
System administrators should immediately review logs for signs of exploitation.
| Artifact | Description | Detection Focus |
|---|---|---|
| C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log | HTTP service logs | POST requests to /ClientWebService/Client.asmx or other WSUS endpoints with large payload sizes or repeated access attempts. |
| Process Creation Logs | Windows Event Logs/EDR | Child processes (cmd.exe, powershell.exe) spawned by wsusservice.exe or w3wp.exe (specifically the WSUS application pool). |
| WSUS Log File | C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log | Review for deserialization errors (e.g., System.Reflection.TargetInvocationException). |
A Sigma rule for detecting the suspicious child process activity is provided below [2].
# Sigma Rule for Suspicious WSUS Child Process
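To turn the detection focus from the table and the child-process logic of the Sigma rule into something that can be run over real artifacts, here is an added Python example written for this post; it is not the Huntress rule and not Picus code. It parses IIS W3C logs using the `#Fields:` header, flags POSTs to /ClientWebService/Client.asmx with oversized bodies or from a client that hammers the endpoint, and applies the same parent/child test as the Sigma rule to process creation events. The log lines and process events are constructed samples (the cs-bytes field is assumed to be enabled in IIS logging; the event field names follow Sysmon's ParentImage/Image naming), and the byte and repeat thresholds are assumptions to be tuned per environment.

```python
import re
from collections import Counter

# Constructed IIS W3C sample with the cs-bytes field enabled; not a real capture.
# 203.0.113.7 is a documentation address standing in for an external client.
IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status cs-bytes
2025-10-24 10:01:02 10.0.0.5 GET /ClientWebService/Client.asmx - 8530 10.0.0.21 Windows-Update-Agent 200 412
2025-10-24 10:01:09 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.0.21 Windows-Update-Agent 200 1850
2025-10-24 10:02:30 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.7 python-requests/2.31 500 184320
2025-10-24 10:02:31 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.7 python-requests/2.31 500 184320
2025-10-24 10:02:33 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.7 python-requests/2.31 500 184320
2025-10-24 10:03:00 10.0.0.5 POST /OtherService/Other.asmx - 8530 10.0.0.22 Windows-Update-Agent 200 183000
"""

# Constructed Sysmon-style process creation events (placeholder paths).
PROCESS_EVENTS = [
    {"UtcTime": "2025-10-24 10:02:31",
     "ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2025-10-24 10:02:34",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2025-10-24 10:02:35",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"UtcTime": "2025-10-24 09:55:00",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
]

WSUS_ENDPOINT = re.compile(r"^/clientwebservice/client\.asmx$", re.IGNORECASE)
LARGE_BODY_BYTES = 64 * 1024  # assumption: above the largest legitimate SOAP body seen
REPEAT_THRESHOLD = 3          # assumption: POSTs from one client in the reviewed window
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def parse_iis_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def _to_int(value):
    """IIS writes '-' for an empty field; treat anything non-numeric as 0."""
    return int(value) if value.isdigit() else 0


def _is_wsus_post(row):
    return row["cs-method"] == "POST" and bool(WSUS_ENDPOINT.match(row["cs-uri-stem"]))


def find_suspicious_requests(rows):
    """Flag POSTs to Client.asmx with oversized bodies or from a client that
    repeatedly hits the endpoint; returns one dict per flagged request."""
    posts_per_client = Counter(r["c-ip"] for r in rows if _is_wsus_post(r))
    hits = []
    for r in rows:
        if not _is_wsus_post(r):
            continue
        reasons = []
        if _to_int(r.get("cs-bytes", "-")) > LARGE_BODY_BYTES:
            reasons.append("large request body")
        if posts_per_client[r["c-ip"]] >= REPEAT_THRESHOLD:
            reasons.append("repeated POSTs from client")
        if reasons:
            hits.append({"client": r["c-ip"], "time": r["time"],
                         "status": r["sc-status"], "reasons": reasons})
    return hits


def _image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_suspicious_process_events(events):
    """Same test as the Sigma rule described above: a shell spawned directly by a
    WSUS process. Later hops (cmd.exe -> powershell.exe) need the parent chain."""
    return [e for e in events
            if _image_name(e["ParentImage"]) in WSUS_PARENTS
            and _image_name(e["Image"]) in SHELL_CHILDREN]


if __name__ == "__main__":
    for hit in find_suspicious_requests(parse_iis_w3c(IIS_LOG)):
        print("HTTP:", hit)
    for event in find_suspicious_process_events(PROCESS_EVENTS):
        print("PROC:", event["UtcTime"], _image_name(event["ParentImage"]), "->", _image_name(event["Image"]))
```

Two caveats apply when this is run against production data. The repeat heuristic is noisy on its own, since healthy Windows Update Agents also POST to Client.asmx regularly, so baseline per-client request rates before alerting on it; the large-body condition is the stronger signal. And the process rule only catches the first hop out of wsusservice.exe or w3wp.exe; the cmd.exe → powershell.exe step in the observed chains has cmd.exe as its parent, so it needs either the full parent chain or a separate rule.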
We strongly recommend simulating exploited vulnerabilities targeting WSUS and safely emulating the adversarial behaviours observed in CVE-2025-59287 attack campaigns to verify how well your controls stop unauthenticated RCE and post-exploit activity.
With the Picus Security Validation Platform, you can also test your defences against other high-profile vulnerabilities, for example CVE-2025-59287, Log4Shell, and ProxyLogon, in minutes using a 14-day free trial.
Picus Threat Library includes the following threat for WSUS CVE-2025-59287 RCE attacks.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 99677 | WSUS Web Attack Campaign | Web Application |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] “Security Update Guide - Microsoft Security Response Center.” Available: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287. [Accessed: Oct. 25, 2025]
[2] C. Hudson, J. Maclachlan, J. Minton, J. Hammond, and L. O’Donnell-Welch, “Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287),” Huntress. Available: https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability. [Accessed: Oct. 25, 2025]
[3] HawkTrace, “CVE-2025-59287 WSUS Remote Code Execution,” HawkTrace Research, Oct. 14, 2025. Available: https://hawktrace.com/blog/CVE-2025-59287. [Accessed: Oct. 25, 2025]