Executive Summary

A critical vulnerability, CVE-2025-59287, has been identified in MicrosoftWindows Server Update Services (WSUS), prompting the vendor to issue an emergency out-of-band patch on October 24, 2025. This remote code execution (RCE) flaw, with a CVSS score of 9.8, enables unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server installations running the WSUS role. The vulnerability is being actively exploited in the wild, with public proof-of-concept (PoC) code available and multiple security organizations confirming real-world attacks. The exploitation is opportunistic, targeting any unpatched, internet-exposed WSUS servers, and poses a severe risk to enterprise environments due to the potential for full system compromise, lateral movement, and data exfiltration. Immediate patching is strongly advised, and organizations unable to patch should implement robust mitigations to prevent exploitation.

Threat Actor Profile

As of the publication of this report, there is no public evidence attributing exploitation of CVE-2025-59287 to specific advanced persistent threat (APT) groups. The exploitation observed to date appears to be opportunistic, with a wide range of threat actors leveraging the public PoC to target any vulnerable, exposed WSUS servers. This includes both financially motivated cybercriminals and potentially state-sponsored actors, given the criticality and ubiquity of WSUS in enterprise environments.

Researchers credited with discovery and analysis of the vulnerability include MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange of CODE WHITE GmbH. Their work has been instrumental in identifying the root cause, developing detection signatures, and informing the broader security community.

Technical Analysis of Malware/TTPs

CVE-2025-59287 is a deserialization vulnerability in the WSUS component of Microsoft Windows Server. The flaw resides in the handling of AuthorizationCookie objects by the GetCookie() endpoint. When a request is made to this endpoint, the server decrypts the cookie data using AES-128-CBC and then deserializes it using the .NET BinaryFormatter class. Critically, this deserialization process lacks proper type validation, allowing attackers to craft malicious serialized objects that, when deserialized, result in arbitrary code execution under the highly privileged SYSTEM account.

The vulnerability is classified under CWE-502: Deserialization of Untrusted Data. Attackers can exploit this by sending specially crafted HTTP requests to the WSUS web service, embedding a malicious payload within the AuthorizationCookie. Upon processing, the server executes the attacker's code, granting them full control over the system.

The attack surface is significant because WSUS is often exposed to internal networks and, in some cases, to the internet for remote management or distributed update scenarios. The exploit requires no authentication, user interaction, or prior access, making it highly attractive for both opportunistic and targeted threat actors.

The public PoC, released by the security researcher HawkTrace, demonstrates how to exploit the vulnerability by sending a serialized .NET payload that triggers code execution. The exploit chain typically involves the attacker sending a POST request to the vulnerable endpoint, with the payload encoded (often in Base64) and delivered via a custom HTTP header (commonly aaaa). The server, upon deserialization, spawns a new process (such as cmd.exe or powershell.exe) to execute the attacker's code.

Observed payloads have included .NET executables designed to enumerate network and user information, establish persistence, and exfiltrate sensitive data to attacker-controlled infrastructure. The use of the aaaa HTTP header for payload delivery is notable, as it can evade some logging and monitoring solutions that focus on standard headers or request bodies.

The vulnerability affects a broad range of Windows Server versions, including Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2 (Server Core), and Windows Server 2025. Both full and core installations are impacted if the WSUS role is enabled.

The technical severity is underscored by the attack's simplicity (network-based, no authentication required), the high privileges obtained (SYSTEM), and the potential for rapid lateral movement and domain compromise in enterprise environments.

Exploitation in the Wild

Active exploitation of CVE-2025-59287 began almost immediately after the public release of the PoC on October 22, 2025. Security firms such as Eye Security and Huntress have observed widespread scanning and exploitation attempts targeting exposed WSUS endpoints, particularly on TCP ports 8530 and 8531, which are the default ports for WSUS HTTP and HTTPS traffic.

Attackers have been observed delivering Base64-encoded .NET payloads via the aaaa HTTP header. Upon successful exploitation, the WSUS worker process spawns new instances of cmd.exe or powershell.exe, which are then used to execute further commands, download additional malware, or establish persistence. In several cases, attackers have used these footholds to enumerate network shares, extract user credentials, and pivot to other systems within the network.

Data exfiltration has been observed, with attackers sending sensitive information to domains such as webhook[.]site, which is commonly used for receiving exfiltrated data in real time. The attack chain typically follows the MITRE ATT&CK framework, with initial access via exploitation of a public-facing application (T1190), execution of commands and scripts (T1059), privilege escalation (T1068), defense evasion through obfuscated files or information (T1027), and exfiltration over web services (T1567.002).

Indicators of compromise include unexpected process creation by the WSUS worker process, especially instances of cmd.exe or powershell.exe, network connections to suspicious external domains, and unusual traffic on ports 8530 and 8531. Organizations should review logs for anomalous HTTP headers, particularly those named aaaa, and monitor for outbound connections to known exfiltration domains.

Victimology and Targeting

As of this report, there is no public evidence of specific APT group attribution, sector, or country targeting. Exploitation is opportunistic, targeting any organization with exposed and unpatched WSUS servers. The broad deployment of WSUS in enterprise environments means that organizations of all sizes and across all sectors are at risk if they have not applied the patch or implemented mitigations.

Mitigation and Countermeasures

The most effective mitigation is to apply the emergency out-of-band security update released by Microsoft for all supported Windows Server versions running WSUS. After applying the patch, a system reboot is required to ensure the update is fully effective.

For organizations unable to patch immediately, several temporary mitigations are recommended. Disabling the WSUS server role will eliminate the attack surface, though this may impact update management workflows. Alternatively, blocking inbound traffic to ports 8530 and 8531 on the host firewall will prevent external exploitation attempts. These workarounds should remain in place until the official patch can be applied.

Administrators should also monitor for indicators of compromise, including unexpected process creation by the WSUS worker process, anomalous HTTP headers in web server logs, and outbound connections to suspicious domains such as webhook[.]site. Enhanced logging and network monitoring can aid in early detection of exploitation attempts.

Official guidance and patch downloads are available via the Microsoft Security Update Guide for CVE-2025-59287. The Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities Catalog, mandating remediation by November 14, 2025, for federal agencies.

References

The following resources provide additional technical details, advisories, and detection guidance for CVE-2025-59287:

The Hacker News: Microsoft Issues Emergency Patch for Critical WSUS Flaw

NVD: CVE-2025-59287

Microsoft Security Update Guide: CVE-2025-59287

CISA KEV Catalog Entry: CVE-2025-59287

HawkTrace PoC: GitHub Gist

Eye Security (via NCSC-NL): NCSC-NL Advisory

Huntress Labs Twitter: @HuntressLabs

About Rescana

Rescana is committed to helping organizations navigate the rapidly evolving threat landscape. Our third-party risk management (TPRM) platform empowers security teams to identify, assess, and mitigate risks across their digital supply chain, providing continuous visibility and actionable intelligence. While this advisory focuses on a specific vulnerability in MicrosoftWSUS, our platform is designed to help you proactively manage and reduce your overall cyber risk exposure. If you have questions about this advisory, need assistance with incident response, or want to learn more about how Rescana can support your security program, please contact us at ops@rescana.com.