Unauthenticated Remote Code Execution Vulnerability in WSUS Service

Research & Tutorials

Nov 3, 2025

CVE-2025-59287 exposes a critical WSUS deserialization flaw enabling unauthenticated remote code execution via unsafe AuthorizationCookie handling. Learn the risks and fixes.

OffSec Team

Overview

A critical deserialization vulnerability was discovered in Microsoft Windows Server Update Services (WSUS) that allows unauthenticated attackers to execute arbitrary code on affected servers. The flaw is triggered by unsafe deserialization of WSUS data (the AuthorizationCookie), enables remote code execution with SYSTEM privileges, and has been observed in active exploitation campaigns. Microsoft released an out-of-band (OOB) update after the initial Patch Tuesday fixes did not fully mitigate the issue.

  • CVE ID: CVE-2025-59287
  • Severity: Critical
  • CVSS Score: 9.8
  • EPSS Score: 9.40%
  • Impact: Remote Code Execution
  • Attack Vector: Network
  • Authentication Required: No
  • Vulnerable Component: WSUS deserialization code paths in Windows Server Update Services (/SimpleAuthWebService/SimpleAuth.asmx)

Technical Breakdown

CVE-2025-59287 is the result of unsafe deserialization in Microsoft Windows Server Update Services (WSUS). WSUS accepts an AuthorizationCookie payload that is decrypted and subsequently deserialized using legacy .NET formatters (notably BinaryFormatter, and in some code paths SoapFormatter) without adequate type validation or allow-listing. An attacker can supply a crafted, encrypted AuthorizationCookie that, after decryption, contains a malicious serialized object graph which exercises deserialization sinks and enables arbitrary object instantiation and follow-on execution.

Research and incident reports have identified multiple exploitation paths. One vector targets the GetCookie() flow, where a forged cookie is decrypted and passed directly into BinaryFormatter deserialization; a suitable gadget chain in the serialized payload can trigger remote code execution in the context of the WSUS process. A second vector leverages WSUS reporting web services (for example, ReportingWebService.asmx), where crafted SOAP requests can reach SoapFormatter deserialization sinks. Both paths are network-accessible and, when reachable, can be exercised without authentication.

Successful exploitation yields arbitrary code execution under the privileges of the WSUS service (commonly SYSTEM), which permits immediate server compromise, persistence mechanisms (web shells, scheduled tasks or services), and use of the host as a pivot for lateral movement. The vulnerability is classified as unsafe deserialization (CWE-502) and has been scored with critical severity (CVSS 9.8) due to its unauthenticated, network-accessible nature.
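As an added defensive example (not code from the OffSec post or the PoC it references), the following PowerShell parses IIS W3C log lines and flags requests to the two deserialization sink endpoints named above that originate outside a set of trusted subnets. The trusted CIDRs, the client addresses and the log lines themselves are constructed for the example.

```powershell
# Added example (not from the OffSec post or the PoC): flag requests to the two WSUS
# deserialization sink endpoints named above that come from outside the trusted subnets.
# The log lines are constructed in IIS W3C format; real WSUS site logs live under
# %SystemDrive%\inetpub\logs\LogFiles\W3SVC<siteid> and may carry more fields, which is
# why the parser reads the column layout from the #Fields: header instead of fixed offsets.
$TrustedCidrs = @('10.0.0.0/8', '192.168.50.0/24')   # assumption: your WSUS client/admin ranges
$SinkPaths    = @('/SimpleAuthWebService/SimpleAuth.asmx',
                  '/ReportingWebService/ReportingWebService.asmx')
$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-10-24 09:12:01 192.168.50.10 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 192.168.50.25 200
2025-10-24 09:12:07 192.168.50.10 POST /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.77 200
2025-10-24 09:12:09 192.168.50.10 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 200
2025-10-24 09:13:40 192.168.50.10 POST /SimpleAuthWebService/SimpleAuth.asmx - 8530 198.51.100.9 200
'@ -split "`r?`n"

function ConvertTo-UInt32 ([string]$Ip) {
    $bytes = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    [Array]::Reverse($bytes)                 # network order -> host order for BitConverter
    [BitConverter]::ToUInt32($bytes, 0)
}
function Test-InCidr ([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = [uint32]((0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    ((ConvertTo-UInt32 $Ip) -band $mask) -eq ((ConvertTo-UInt32 $net) -band $mask)
}
function Find-UntrustedSinkRequests ([string[]]$Lines, [string[]]$Paths, [string[]]$Trusted) {
    $fields = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'; continue }
        if ($line -match '^#' -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $row = @{}; $values = $line -split '\s+'
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $values.Count); $i++) { $row[$fields[$i]] = $values[$i] }
        # WSUS clients legitimately call SimpleAuth.asmx, so the signal is an untrusted source, not the path.
        if ($Paths -notcontains $row['cs-uri-stem']) { continue }
        $trusted = $false
        foreach ($cidr in $Trusted) { if (Test-InCidr $row['c-ip'] $cidr) { $trusted = $true; break } }
        if (-not $trusted) {
            [pscustomobject]@{ Time = "$($row['date']) $($row['time'])"; Client = $row['c-ip']
                               Method = $row['cs-method']; Path = $row['cs-uri-stem']; Status = $row['sc-status'] }
        }
    }
}

# Pass the output of Get-Content on a real W3SVC log file as -Lines to run this against production data.
Find-UntrustedSinkRequests -Lines $SampleLog -Paths $SinkPaths -Trusted $TrustedCidrs | Format-Table -AutoSize
```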

Conditions for Exploitation

  • The WSUS server role must be installed on the Domain Controller.
  • The WSUS instance must be unpatched for CVE-2025-59287 (KB5070881 / KB5070882 / KB5070883 not installed).

Exploitation

For the exploitation, we will utilize the Windows In-Browser machine provided by the OffSec platform.
The proof-of-concept implementation to be used is CVE-2025-59287-WSUS.

The first step is to edit the exploit’s Parameters section to configure the attacker and target details. We will set the IP address of the listening host, the WSUS service target URL, and the local port on which we will receive the reverse shell.

# parameters
$lhost = "192.168.49.51"    # your kali netcat host
$lport = 53
$targetURL = "http://192.168.51.89:8530"  # WSUS URL

The script automates the creation and delivery of a serialized payload to a WSUS ReportingWebService endpoint to achieve remote code execution when the WSUS console processes the injected event. It obtains or fabricates required WSUS authorization cookies/IDs via multiple SOAP calls, constructs a malicious ReportEventBatch XML containing a base64-encoded serialized gadget chain (generated with ysoserial.net) that embeds a PowerShell reverse shell, and posts that event to the target service.

The reverse-shell payload will be triggered when an administrator opens the WSUS management console.

Try Hands-On
You can try exploiting these vulnerabilities in a controlled environment via the OffSec Offensive Cyber Range lab for CVE-2025-59287.

Mitigations

  • Update WSUS and Windows Server immediately with Microsoft’s October 23, 2025 out-of-band security update.
  • If WSUS is not essential, disable the WSUS Server role until fully patched.
  • Restrict WSUS network access — block or filter inbound connections to management ports (TCP 8530 and 8531) allowing only trusted subnets, and apply outbound (egress) filtering to prevent callbacks, payload downloads, or reverse shell connections.
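The following PowerShell is an added example, not part of the OffSec post or the PoC: it checks the conditions listed earlier on a Windows Server host (WSUS role, domain controller role, presence of the listed KBs) and, where the host is exposed, scopes inbound TCP 8530/8531 to trusted subnets as recommended above. The trusted subnet list and the firewall rule name are assumptions.

```powershell
# Added example (not from the OffSec post or the PoC): check the exploitation conditions
# listed above and apply the network restriction from the Mitigations section.
# Run from an elevated PowerShell prompt on the WSUS host (Windows Server).
$Kbs            = 'KB5070881', 'KB5070882', 'KB5070883'   # out-of-band fixes named in the post
$TrustedSubnets = @('10.0.0.0/8', '192.168.50.0/24')      # assumption: your client/admin ranges

function Get-WsusExposure {
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    # DomainRole 4/5 = backup/primary domain controller
    $isDc = (Get-CimInstance Win32_ComputerSystem).DomainRole -ge 4
    # Get-HotFix reads Win32_QuickFixEngineering; an absent KB here still warrants a check
    # of the update history before treating the host as unpatched.
    $found = Get-HotFix | Where-Object { $Kbs -contains $_.HotFixID } |
             Select-Object -ExpandProperty HotFixID
    $roleOn = [bool]($role -and $role.Installed)
    [pscustomobject]@{
        WsusRoleInstalled  = $roleOn
        IsDomainController = $isDc
        OobPatchFound      = ($found -join ', ')
        Exposed            = $roleOn -and -not $found
    }
}

function Restrict-WsusInbound {
    param([string[]]$Allow)
    $name = 'WSUS 8530-8531 trusted subnets only'   # assumption: rule name chosen for this example
    # Re-create the rule so the function is idempotent.
    Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort 8530, 8531 `
        -RemoteAddress $Allow -Action Allow | Out-Null
    # A scoped allow rule only restricts access if the profile's default inbound action is
    # Block and no broader allow rule also opens these ports, so report both conditions.
    Get-NetFirewallProfile | Where-Object { $_.DefaultInboundAction -ne 'Block' } |
        ForEach-Object { Write-Warning "Profile $($_.Name): default inbound is $($_.DefaultInboundAction)" }
    Get-NetFirewallPortFilter | Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -match '^(8530|8531)$') } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $name } |
        ForEach-Object { Write-Warning "Another enabled allow rule opens WSUS ports: $($_.DisplayName)" }
}

$exposure = Get-WsusExposure
$exposure | Format-List
if ($exposure.Exposed) { Restrict-WsusInbound -Allow $TrustedSubnets }
```

Egress filtering for the WSUS host, the other half of the mitigation, is a perimeter or host firewall policy decision and is not covered by this script.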
