A critical security flaw has been identified in Microsoft’s Windows Server Update Services (WSUS), designated as CVE-2025-59287. This vulnerability allows unauthenticated attackers to execute remote code with SYSTEM privileges on affected servers. With a CVSS v3.1 score of 9.8, the flaw arises from unsafe deserialization of untrusted data within WSUS’s AuthorizationCookie handling mechanism.
Understanding WSUS and Its Role
WSUS is a vital component in Windows Server environments, enabling IT administrators to manage and distribute Microsoft updates across networks. This ensures that systems remain up-to-date and secure. Despite being deprecated for new features, WSUS continues to be widely utilized in production settings and receives ongoing security support from Microsoft.
Details of the Vulnerability
The vulnerability impacts all supported versions of Windows Server from 2012 through 2025. It specifically targets the GetCookie() endpoint, which processes encrypted AuthorizationCookie objects without sufficient validation. The core issue lies in the EncryptionHelper.DecryptData() method. Here, incoming cookie data, encrypted using AES-128-CBC, is decrypted and directly passed to .NET’s BinaryFormatter for deserialization. This legacy serializer lacks type restrictions, allowing attackers to craft malicious payloads that trigger arbitrary code execution upon processing. Microsoft has classified this flaw as Exploitation More Likely, emphasizing its potential to propagate across networked WSUS servers.
Attack Methodology and Proof-of-Concept
The exploitation process begins with an unauthenticated HTTP POST request to the WSUS ClientWebService endpoint on port 8530. Attackers send a SOAP envelope containing a manipulated AuthorizationCookie with a PlugInId of SimpleTargeting and encrypted payload data. The server decrypts the cookie using a hardcoded key (877C14E433638145AD21BD0C17393071), removes the IV block, and deserializes the result via BinaryFormatter.
A publicly available proof-of-concept (PoC), shared by researcher hawktrace on GitHub, demonstrates payload generation in C#. This PoC serializes a malicious delegate to launch calc.exe or similar commands, encrypts it without padding, and outputs a Base64-encoded string for the SOAP request. The trace reveals the call chain from Client.GetCookie() through AuthorizationManager to DecryptData(), where the deserialization occurs under SYSTEM context. Notably, no user interaction is required, making this vulnerability particularly dangerous for exposed WSUS instances.
Potential Impact and Risks
This remote code execution (RCE) vulnerability could facilitate supply-chain attacks, where compromised WSUS servers distribute malicious updates to client systems. Although no active exploits have been reported in the wild, the availability of the PoC increases the urgency for organizations to apply patches promptly. Microsoft credits researcher MEOW for the discovery and strongly recommends immediate application of the October 2025 security updates via Windows Update or WSUS itself.
Mitigation Strategies
To mitigate the risks associated with this vulnerability, organizations should:
– Isolate WSUS Servers: Ensure that WSUS servers are isolated from untrusted networks to reduce exposure.
– Implement Firewall Rules: Configure firewalls to restrict access to WSUS servers, allowing only authorized systems to communicate.
– Monitor Network Traffic: Regularly monitor for anomalous SOAP traffic that could indicate exploitation attempts.
– Migrate to Safer Alternatives: In the long term, consider migrating away from BinaryFormatter to more secure alternatives like JSON or XML serializers with strict validation protocols.
Given that WSUS underpins critical update mechanisms, delaying patches could lead to widespread network breaches, especially in an era marked by escalating ransomware attacks and nation-state threats.
Conclusion
The release of a PoC exploit for CVE-2025-59287 underscores the critical nature of this vulnerability within WSUS. Organizations must act swiftly to apply the necessary patches and implement recommended security measures to protect their infrastructure. Staying vigilant and proactive in addressing such vulnerabilities is essential to maintaining a secure and resilient IT environment.
