{"id":670,"date":"2025-10-27T11:32:28","date_gmt":"2025-10-27T06:02:28","guid":{"rendered":"https:\/\/www.securis360.com\/blog\/?p=670"},"modified":"2026-02-18T13:43:33","modified_gmt":"2026-02-18T13:43:33","slug":"critical-wsus-vulnerability-actively-exploited-in-the-the-wild","status":"publish","type":"post","link":"https:\/\/securis360.com\/blog\/critical-wsus-vulnerability-actively-exploited-in-the-the-wild\/","title":{"rendered":"Critical WSUS Vulnerability Actively Exploited in the the Wild"},"content":{"rendered":"\n

A new serious flaw in Windows Server Update Services (WSUS) \u2014 tracked as CVE-2025-59287<\/strong> \u2014 enables unauthenticated remote attackers to execute arbitrary code. Proof-of-concept (PoC) exploit code is already public<\/p>\n\n\n\n

<\/p>\n\n\n\n

What is WSUS and why this matters?<\/h3>\n\n\n\n

<\/p>\n\n\n\n

WSUS is a Windows Server role that lets IT administrators centrally manage, approve, and deploy updates for Microsoft products across their networks. It handles update distribution, metadata, update approvals, patch schedules, and client update delivery. Picus Security+2CISA+2<\/a><\/p>\n\n\n\n

<\/p>\n\n\n\n

Because WSUS is trusted in the network and often runs with high privileges, any flaw can become a major attack vector.<\/p>\n\n\n\n

Details of the vulnerability<\/h3>\n\n\n\n

<\/p>\n\n\n\n

The issue lies in how WSUS handles AuthorizationCookie<\/em> data. The service uses a legacy .NET serialization mechanism \u2014 specifically using the risky BinaryFormatter<\/code> \u2014 to deserialize data without strict type validation. This means an attacker can craft a malicious payload inside that cookie, have it decrypted and deserialized by WSUS, and gain code execution on the server with system-level privileges. Picus Security+1<\/a><\/p>\n\n\n\n

The request goes via a SOAP endpoint (e.g. \/ClientWebService\/Client.asmx<\/code>) using the method GetCookie<\/code>. The crafted cookie contains encrypted payload in CookieData<\/em>, encrypted using AES-128-CBC with a hardcoded key and predictable initialization vector (IV). Once decrypted, the payload is deserialized and executed. Picus Security+1<\/a><\/p>\n\n\n\n

Real-world exploitation<\/h3>\n\n\n\n

Security researchers observed that threat actors have begun exploiting this flaw as soon as the patch was released. Servers with WSUS enabled and ports 8530 (HTTP)<\/strong> or 8531 (HTTPS)<\/strong> open have been targeted. Huntress+2Cybersecurity Dive+2<\/a><\/p>\n\n\n\n

Attackers have exploited this to spawn command shell processes (cmd.exe<\/code> \u2192 powershell.exe<\/code>) via the WSUS services (wsusservice.exe<\/code>) or the web worker process (w3wp.exe<\/code>). They then run commands like net user \/domain<\/code> or ipconfig \/all<\/code> to enumerate systems, and exfiltrate data to remote endpoints. Huntress+2Arctic Wolf+2<\/a><\/p>\n\n\n\n

Patches and mitigations<\/h3>\n\n\n\n