CVE-2025-59287: WSUS Remote Code Execution - What’s Happening and Why It Matters

Summary
CVE-2025-59287 is a remote code execution (RCE) vulnerability caused by unsafe deserialization in the WSUS web services.
An unauthenticated attacker can send a crafted SOAP request to WSUS endpoints and trigger arbitrary code execution as SYSTEM.
Put simply: an attacker could control your WSUS server and use it to distribute malicious updates or move laterally across your network.
Microsoft classification: CVE-2025-59287 - Security Update Guide - Microsoft - Windows Server Update Service (WSUS) Remote Code Execution Vulnerability
First Detection in the Wild
Just days after the patch landed, researchers and vendors started seeing scans and exploitation attempts aimed at WSUS servers on default ports 8530 and 8531. Huntress published telemetry from live attacks on October 23–24, 2025, and a public proof-of-concept (PoC) from Hawktrace quickly circulated in technical circles. That PoC shows how an attacker can request an authorization cookie and then abuse it to deliver a malicious payload.
Once the PoC was public, defenders were left with hours rather than weeks to respond, so speed was crucial.
How It Works & PoC Highlights
At the heart of the issue is unsafe deserialization. WSUS accepts an AuthorizationCookie, decrypts it, and uses .NET’s BinaryFormatter.Deserialize() to turn the data into objects without checking what those objects are. Attackers can craft an object graph that executes code when deserialized.
Key endpoints:
/ClientWebService/Client.asmx
/ReportingWebService/ReportingWebService.asmx
/SimpleAuthWebService/SimpleAuth.asmx
Typical exploit behavior seen in the wild:
- An attacker sends a malicious POST request to a WSUS SOAP endpoint.
- The WSUS process (wsusservice.exe) or IIS worker (w3wp.exe) deserializes the payload.
- The process spawns cmd.exe and powershell.exe, running base64-encoded scripts to enumerate, collect, and exfiltrate data.
- The PoC by Hawktrace demonstrates the exact mechanics useful for defenders to test detection.
Reference PoC: https://gist.github.com/hawktrace/76b3ea4275a5e2191e6582bdc5a0dc8b
Detection - what to watch for
If you manage Windows estates, tell your SOC to look for:
- wsusservice.exe or w3wp.exe spawning cmd.exe or powershell.exe (especially with -EncodedCommand or long command lines).
- HTTP logs with POSTs to the WSUS endpoints above containing unusually large cookies or base64 strings.
- WSUS log entries showing serialization/deserialization errors.
- Any outbound connections from a WSUS host to unknown endpoints immediately after such POSTs.
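As an added example (not code from the original post), here is a small Python checker that applies the "large POST to a WSUS endpoint" indicator above to IIS W3C log lines. The endpoint paths and ports 8530/8531 come from the post; the 20,000-byte request-size threshold and the sample log lines are constructed assumptions for illustration.

```python
# WSUS SOAP endpoints named in the write-up; matched case-insensitively.
WSUS_ENDPOINTS = (
    "/clientwebservice/client.asmx",
    "/reportingwebservice/reportingwebservice.asmx",
    "/simpleauthwebservice/simpleauth.asmx",
)
WSUS_PORTS = {"8530", "8531"}
# Assumed tuning value, not from the advisory: a normal client check-in is a few KB.
LARGE_REQUEST_BYTES = 20_000


def parse_w3c(lines):
    """Parse IIS W3C extended log lines into dicts keyed by the '#Fields:' header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines column order
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):
                yield dict(zip(fields, values))


def suspicious_wsus_posts(lines):
    """Return POST records to WSUS SOAP endpoints whose request size exceeds the threshold."""
    hits = []
    for rec in parse_w3c(lines):
        if rec.get("cs-method") != "POST":
            continue
        if rec.get("cs-uri-stem", "").lower() not in WSUS_ENDPOINTS:
            continue
        if rec.get("s-port") not in WSUS_PORTS:
            continue
        if int(rec.get("cs-bytes", "0")) >= LARGE_REQUEST_BYTES:
            hits.append(rec)
    return hits


# Constructed sample log (not real telemetry): a normal client check-in, a content
# download, and one oversized POST from an unexpected source address.
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem s-port c-ip sc-status cs-bytes",
    "2025-10-24 09:01:02 10.0.0.5 POST /ClientWebService/Client.asmx 8530 10.0.0.21 200 1843",
    "2025-10-24 09:01:09 10.0.0.5 GET /Content/example.cab 8530 10.0.0.21 200 512",
    "2025-10-24 09:02:15 10.0.0.5 POST /ClientWebService/Client.asmx 8530 203.0.113.9 500 148220",
]

if __name__ == "__main__":
    for hit in suspicious_wsus_posts(SAMPLE_LOG):
        print("suspicious:", hit["c-ip"], hit["cs-uri-stem"], hit["cs-bytes"], "bytes")
```

Point it at a real log by reading the file into a list of lines; the 500 status on the flagged line is the same kind of server-side failure the SoftwareDistribution.log traceback indicators below would accompany.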
A Sigma rule for detection:
title: Suspicious WSUS Child Process Activity - Possible CVE-2025-59287 Exploitation
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        ParentImage|endswith:
            - '\\wsusservice.exe'
            - '\\w3wp.exe'
        Image|endswith:
            - '\\cmd.exe'
            - '\\powershell.exe'
    condition: selection
level: high
Florian Roth from Nextron’s team created the YARA rule:
rule EXPL_WSUS_Exploitation_Indicators_Oct25 {
    meta:
        description = "Detects indicators related to the exploitation of the Windows Server Update Services (WSUS) Remote Code Execution Vulnerability (CVE-2025-59287)"
        author = "Florian Roth"
        reference = "https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability"
        date = "2025-10-25"
        score = 75
    strings:
        // Error traceback found in C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log
        $sl1 = "at System.Data.DataSet.DeserializeDataSetSchema(SerializationInfo info, StreamingContext context" ascii wide
        $sl2 = "at System.Runtime.Serialization.ObjectManager.DoFixups()" ascii wide
        $sl3 = "at System.Runtime.Serialization.ObjectManager.CompleteISerializableObject" ascii wide
        $sl4 = "System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation." ascii wide
        $sl5 = "ErrorWsusService.9HmtWebServices.CheckReportingWebServiceReporting WebService WebException:System.Net.WebException: Unable to connect to the remote server" ascii wide
        // Encoded PowerShell command observed in exploitation attempts
        $se1 = "powershell -ec try{$r= (&{echo https://" ascii wide base64 base64wide
        $se2 = ":8531; net user /domain; ipconfig " ascii wide base64 base64wide
        // Commands observed in follow-up activity
        $sa1 = "whoami;net user /domain" ascii wide base64 base64wide
        $sa2 = "net user /domain; ipconfig /all" ascii wide base64 base64wide
    condition:
        all of ($sl*)
        or 1 of ($se*)
        or all of ($sa*)
}
KQL query (Microsoft Defender advanced hunting) for detection of malicious activity:
DeviceProcessEvents
| where (InitiatingProcessParentFileName == "w3wp.exe" and InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe"))
    or InitiatingProcessParentFileName == "wsusservice.exe"
What You Should Do
- Patch WSUS right now. Microsoft released an out-of-band fix; install it on every WSUS host, since the latest Windows Server versions are only mitigated against CVE-2025-59287 once that update is applied.
- If you can’t patch immediately, isolate WSUS from untrusted networks and make sure ports 8530/8531 aren’t exposed.
- Look through logs and EDR for the behaviors above. If you find evidence, treat it like a real compromise: isolate, collect, and investigate.
This vulnerability is a good reminder that the infrastructure we “trust” (like patch servers) is a high-value target. Expect ongoing scans, more PoCs, and perhaps attackers trying to weaponize WSUS as a distribution channel. If you run an MSSP, tell your customers you’ve prioritized WSUS servers and are monitoring aggressively.