Microsoft released urgent updates to address the critical WSUS RCE vulnerability CVE-2025-59287, which is under active attack.
Microsoft released an out-of-band fix for CVE-2025-59287, a critical WSUS RCE flaw (CVSS 9.8) that is under active exploitation. Researchers MEOW and Markus Wulftange of CODE WHITE GmbH reported the vulnerability.
“To comprehensively address CVE-2025-59287, Microsoft has released an out of band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022, 23H2 Edition (Server Core installation), and Windows Server 2025. Note that a reboot will be required after you install the updates,” reads the update published by Microsoft.
The flaw is a deserialization of untrusted data in Windows Server Update Service that allows an unauthorized attacker to execute code over a network.
Remote, unauthenticated attackers can trigger unsafe deserialization of AuthorizationCookie objects in the GetCookie() endpoint, leading to RCE with SYSTEM privileges. The issue stems from insecure use of BinaryFormatter, a serializer Microsoft deprecated and then removed from .NET 9 in 2024 because it cannot be made safe for untrusted input.
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog.
Hawktrace researchers published a PoC for this vulnerability.
“The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint,” states Hawktrace. “Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data.”
The Dutch NCSC also confirmed attacks in the wild exploiting the vulnerability CVE-2025-59287 on October 24, 2025. Researchers from Eye Security reported a Base64-encoded .NET payload, observed at 06:55 UTC, that reads the ‘aaaa’ request header and runs its contents via cmd.exe to hide the commands from logs.
“Astute readers may recognize the base64 encoding. Decoding it revealed a ysoserial.net gadget chain (probably the ActivitySurrogateSelector gadget), with an embedded PE file. This was very different from the POC by hawktrace and shows that the threat actor had capabilities beyond that of a script kiddie…” reads the analysis by Eye Security.
Cybersecurity firm Huntress detected attackers probing exposed WSUS endpoints (ports 8530/8531) from 2025-10-23 23:34 UTC, sending crafted POST requests that triggered a deserialization RCE. The exploit spawned cmd.exe and PowerShell, then downloaded a Base64-encoded PowerShell payload that enumerated systems and exfiltrated the data to a webhook.site URL. Huntress says exploitation may be limited because WSUS isn’t often publicly exposed; Microsoft re-released the patch, and the latest updates protect affected customers.
“Attackers leveraged exposed WSUS endpoints to send specially crafted requests (multiple POST calls to WSUS web services) that triggered a deserialization RCE against the update service,” reads the analysis published by Huntress. “Exploitation activity included spawning Command Prompt and PowerShell via the HTTP worker process and WSUS service binary.”
Huntress also published Indicators of Compromise for this vulnerability.
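The Huntress observations above translate into a straightforward host-level hunt: the WSUS HTTP worker process or the WSUS service binary should never be the parent of a shell, an encoded PowerShell command line under that parent is worth decoding on the spot, and outbound connections from that process tree to webhook.site are an exfiltration signal. The script below is an added example written for this article, not Huntress’s tooling or their published IoCs. It assumes Sysmon-style process-creation (event 1) and network-connection (event 3) records with the field names shown, assumes w3wp.exe and WsusService.exe are the "HTTP worker process" and "WSUS service binary" Huntress refers to, and runs over a small constructed sample rather than real telemetry.

```python
"""Hunt for the CVE-2025-59287 post-exploitation pattern described by Huntress.

Added example for this article; not Huntress's code. Event records are
Sysmon-like dictionaries (event 1 = process creation, event 3 = network
connection); the field names and the sample data are constructed.
"""
import base64
import re
from typing import Dict, List, Optional

# Assumption: these are the binaries Huntress calls the "HTTP worker process"
# and the "WSUS service binary".
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
WSUS_PORTS = {8530, 8531}          # WSUS HTTP / HTTPS ports named in the article
EXFIL_DOMAINS = ("webhook.site",)  # exfiltration destination named in the article

# Constructed sample telemetry. The encoded command is built here so the
# sample is guaranteed to be valid UTF-16LE base64, as PowerShell expects.
ENC = base64.b64encode("Get-ComputerInfo".encode("utf-16le")).decode()
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS: List[Dict] = [
    # inbound probe of the WSUS port, handled by the IIS worker process
    {"id": 3, "utc": "2025-10-23T23:34:02Z", "image": W3WP, "direction": "inbound",
     "src_ip": "203.0.113.10", "dst_host": "wsus01", "dst_port": 8530},
    # worker process spawns cmd.exe, which launches encoded PowerShell
    {"id": 1, "utc": "2025-10-23T23:34:10Z", "parent": W3WP, "image": CMD,
     "cmdline": f"cmd.exe /c powershell -enc {ENC}"},
    {"id": 1, "utc": "2025-10-23T23:34:11Z", "parent": CMD, "image": PS,
     "cmdline": f"powershell -enc {ENC}"},
    # exfiltration to webhook.site
    {"id": 3, "utc": "2025-10-23T23:34:40Z", "image": PS, "direction": "outbound",
     "src_ip": "10.0.0.5", "dst_host": "webhook.site", "dst_port": 443},
    # benign noise: an admin opening a shell from Explorer
    {"id": 1, "utc": "2025-10-23T23:35:00Z", "parent": r"C:\Windows\explorer.exe",
     "image": CMD, "cmdline": "cmd.exe"},
]


def basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand (-e / -ec / -enc) argument.

    PowerShell expects base64 over UTF-16LE text; anything else returns None.
    """
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def wsus_spawned_shells(events: List[Dict]) -> List[Dict]:
    """Process-creation events where a WSUS-related process launched a shell."""
    return [ev for ev in events if ev.get("id") == 1
            and basename(ev["parent"]) in WSUS_PARENTS
            and basename(ev["image"]) in SHELLS]


def inbound_wsus_port_hits(events: List[Dict]) -> List[Dict]:
    """Inbound connections to the WSUS ports accepted by a WSUS-related process."""
    return [ev for ev in events if ev.get("id") == 3 and ev.get("direction") == "inbound"
            and ev.get("dst_port") in WSUS_PORTS and basename(ev["image"]) in WSUS_PARENTS]


def exfil_connections(events: List[Dict]) -> List[Dict]:
    """Outbound connections to the exfiltration domains named in the reporting."""
    return [ev for ev in events if ev.get("id") == 3 and ev.get("direction") == "outbound"
            and any(ev.get("dst_host", "").lower().endswith(d) for d in EXFIL_DOMAINS)]


def triage(events: List[Dict]) -> Dict:
    """Summarise the three signals into one alert-ready record."""
    spawns = wsus_spawned_shells(events)
    decoded = [c for c in (decode_encoded_command(e["cmdline"]) for e in spawns) if c]
    return {
        "wsus_shell_spawns": len(spawns),
        "decoded_commands": decoded,
        "inbound_wsus_port_hits": len(inbound_wsus_port_hits(events)),
        "exfil_connections": len(exfil_connections(events)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

The parent/child rule is the high-confidence signal: a WSUS host in normal operation gives the IIS worker and the WSUS service no reason to start cmd.exe or PowerShell, so a single hit justifies isolating the server and checking for the patch. The port and webhook.site checks are corroborating context rather than stand-alone alerts, since legitimate clients do connect to 8530/8531.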
