Critical WSUS Deserialization Vulnerability Exploited for SYSTEM-Level Compromise (CVE-2025-59287)
November 10th, 2025
Critical
Our Cyber Threat Intelligence Unit has identified active exploitation of a critical unauthenticated remote code execution vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. This vulnerability results from unsafe deserialization of untrusted data within WSUS web components, specifically the AuthorizationCookie object in legacy serialization logic. Remote attackers can exploit this by sending specially crafted POST requests to WSUS endpoints over TCP ports 8530/8531, resulting in arbitrary code execution with SYSTEM-level privileges. Public reports confirm both proof-of-concept exploit code and in-the-wild attacks that involve Base64-encoded PowerShell payloads that execute commands, gather host information, and exfiltrate results to webhook[.]site. Microsoft issued out-of-band security updates on October 23–24, 2025, and CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, with a federal remediation deadline of November 14, 2025. Systems are only affected if the WSUS Server Role is installed (it is disabled by default on Windows Server).
Technical Details
Attack Type: Unauthenticated remote code execution (RCE) against WSUS → full SYSTEM compromise.
Severity: Critical (CVSS 9.8).
CVE ID: CVE-2025-59287.
Root Cause: Unsafe deserialization / improper handling of untrusted serialized data in WSUS web/reporting services (AuthorizationCookie / legacy serialization path).
Technique: Malicious serialized payloads sent via crafted POST requests to WSUS endpoints (e.g., /SimpleAuth/, /ClientWebService/, /ReportingWebService/), allowing arbitrary code execution as the WSUS service process (w3wp.exe).
Affected Components: Windows Server systems with the WSUS Server Role enabled (default ports 8530/8531).
Patch Status: Fixed in Microsoft’s October 2025 Out-of-Band (OOB) security update released Oct 23–24, 2025.
Mitigation: If immediate patching is not possible, administrators should either disable the WSUS Server role or block inbound TCP ports 8530 and 8531 at the host or perimeter firewall until the update can be applied.
A system reboot is required after installing the update.
Impact
Successful exploitation of CVE-2025-59287 (WSUS RCE) grants complete SYSTEM-level control of the affected WSUS server, allowing adversaries to:
Execute arbitrary code and spawn child processes (cmd.exe, powershell.exe, rundll32.exe) under SYSTEM.
Deploy persistent services, scheduled tasks, or webshells.
Tamper with WSUS metadata to deliver malicious updates to downstream clients.
Exfiltrate stored credentials, configuration data, and client metadata.
Propagate laterally using harvested accounts or update channels.
Modify logs and forensic artifacts to evade detection.
Detection Method
Network and HTTP Indicators:
Suspicious or malformed POST requests to /SimpleAuth/, /ClientWebService/, /ReportingWebService/, or similar WSUS paths.
Large serialized payloads or non-standard AuthorizationCookie fields.
Process Telemetry:
w3wp.exe (IIS worker) spawning unexpected child processes (cmd.exe, powershell.exe, rundll32.exe).
PowerShell commands containing Base64-encoded data executed under SYSTEM context.
Filesystem and Persistence Artifacts:
New or modified .aspx/.ashx files in WSUS or IIS directories.
New services or scheduled tasks created shortly after HTTP activity.
Forensic Response:
Capture IIS logs, memory dumps of w3wp.exe, and network packet captures for analysis.
Hunt for PowerShell execution traces referencing webhook[.]site.
Authentication Anomalies: Unexpected administrator account creation or lateral logons originating from the WSUS host.
Indicators of Compromise
Type | Indicator |
Port | 8530/TCP |
Port | 8531/TCP |
Process Name | cmd.exe |
Process Name | PowerShell |
URL | webhook[.]site |
HTTP Header | aaaa |
Recommendations
Apply Patches Immediately: Install Microsoft’s October 2025 OOB update for WSUS on all affected servers and reboot.
Temporary mitigations (if patching is delayed):
Disable the WSUS Server role or block inbound TCP ports 8530 and 8531 at the host/perimeter firewall.
Deploy WAF/IPS rules to detect and block malformed POST requests to WSUS endpoints and oversized or unusual serialized payloads or AuthorizationCookie-like fields.
Network Controls: Deploy WAF/IPS signatures to detect anomalous serialized payloads or malformed POST requests to WSUS paths.
Threat Hunting: Correlate HTTP requests with process creation events and PowerShell execution logs.
Credential Security: Rotate any credentials stored or used on WSUS hosts; enforce MFA for administrative access.
Forensic Containment: Isolate suspected hosts before cleanup and preserve memory, IIS logs, and PCAPs for analysis.
Conclusion
CVE-2025-59287 is a critical, actively exploited remote code execution vulnerability in Windows Server Update Service (WSUS) that allows attackers to execute arbitrary code on affected servers without authentication. Successful compromise allows for complete takeover of WSUS and creates a pathway for supply-chain abuse through manipulated updates. We urge organizations to treat unpatched WSUS servers as critical exposure points, enforce immediate remediation, and review logs after patching to detect any prior compromise attempts. Ongoing monitoring of default WSUS ports (8530/8531) and anomalies in serialized payloads is crucial to prevent reinfection or lateral movement.