Full Report
The Windows Server Update Service (WSUS) is a Microsoft tool that allows IT admins to manage updates for Windows systems. The upgrade process contains a cookie that is encrypted using AES-128-CBC. It is passed to BinaryFormatter.Deserialize() once the cookie is decrypted. This is a known sink that can be used to get RCE. The API endpoint POST /ClientWebService/Client.asmx is the vulnerable endpoint. The cookie is encrypted, but I don't understand how they are able to encrypt the data and then have that be decrypted and used for the deserialization attack. The PoC just has hardcoded data, so maybe the key is hardcoded in the application. According to this article, this can be used to get RCE with SYSTEM privileges. Pretty dangerous bug!
Analysis Summary
# Vulnerability: WSUS Unsafe Deserialization via Encrypted Cookie
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: 9.8 (Critical)
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: Microsoft Windows Server Update Services (WSUS)
- Versions: Not explicitly listed; implied to be all versions prior to the patch release, which changes the `GetCookie()` endpoint logic.
- Configurations: Any WSUS installation handling client update requests against the vulnerable endpoint.
## Vulnerability Description
This critical vulnerability stems from an unsafe deserialization flaw within the Windows Server Update Services (WSUS) component. An attacker can send a specially crafted **AuthorizationCookie** to the vulnerable API endpoint **POST /ClientWebService/Client.asmx (via the `GetCookie()` method)**.
The process flow is:
1. The incoming cookie data, which is encrypted using **AES-128-CBC**, is received.
2. The server component uses a (presumably hardcoded or derivable) key within `EncryptionHelper.DecryptData()` to decrypt the cookie data.
3. The decrypted data is then passed directly to `BinaryFormatter.Deserialize()` without adequate type validation.
4. Since `BinaryFormatter` is a known dangerous sink, an attacker can supply a serialized object payload that results in **Remote Code Execution (RCE)** with **SYSTEM privileges** on the WSUS server.
The core issue is trusting the data after decryption, specifically deserializing the content using `BinaryFormatter`.
## Exploitation
- Status: PoC available (the PoC carries a hardcoded key, which suggests the key is either fixed across standard deployments or derivable in a way that makes the key derivation mechanism bypassable).
- Complexity: Low (Unauthenticated network access to the vulnerable endpoint is sufficient).
- Attack Vector: Network
## Impact
- Confidentiality: High (RCE allows data access)
- Integrity: High (RCE allows code execution and system modification)
- Availability: High (RCE can lead to system denial of service)
## Remediation
### Patches
- Patches are released by Microsoft addressing CVE-2025-59287. Specific patch version details for all affected server OS versions are not provided in the source; applying them is mandatory.
### Workarounds
- The source suggests permanent mitigation requires replacing `BinaryFormatter` with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data. Until patched, strict network access controls or blocking traffic to the vulnerable endpoint (if feasible) should be considered, although this significantly impacts WSUS functionality.
## Detection
- **Indicators of Compromise (IOCs):** Look for unusual network traffic directed at the `/ClientWebService/Client.asmx` endpoint on the WSUS server, especially POST requests carrying large or suspiciously structured binary payloads within the SOAP body intended for cookie processing.
- **Detection Methods and Tools:** Web Application Firewalls (WAFs) or network intrusion detection signatures targeting the specific deserialization pattern or unusual activity following successful cookie processing attempts may be effective. Monitoring the WSUS application logs for exceptions related to `BinaryFormatter` deserialization failures could indicate attempted exploitation.
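As an added example (not from the article or the PoC), a small Python detector for the first indicator above: it parses IIS W3C-format log lines (constructed below) and flags POSTs to `/ClientWebService/Client.asmx` that carry an oversized body or end in a server-side error. The 64 KiB threshold and the presence of the optional `cs-bytes` column are assumptions to tune per environment.

```python
# Constructed IIS W3C log sample; the threshold and field set are assumptions.
ENDPOINT = "/clientwebservice/client.asmx"
LARGE_BODY_BYTES = 64 * 1024  # assumption: legitimate GetCookie SOAP bodies are far smaller

def parse_w3c(text):
    """Yield one dict per entry, naming columns from the most recent #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))

def suspicious_requests(text):
    """Return (timestamp, client ip, reason) for POSTs to the WSUS client endpoint
    that carry an unusually large body or end in a server-side error."""
    findings = []
    for e in parse_w3c(text):
        if e.get("cs-method") != "POST" or e.get("cs-uri-stem", "").lower() != ENDPOINT:
            continue
        cs_bytes = int(e.get("cs-bytes") or 0)
        status = int(e.get("sc-status") or 0)
        reasons = []
        if cs_bytes >= LARGE_BODY_BYTES:
            reasons.append(f"request body {cs_bytes} bytes")
        if status >= 500:
            reasons.append(f"HTTP {status} from cookie endpoint")
        if reasons:
            findings.append((f"{e['date']} {e['time']}", e["c-ip"], "; ".join(reasons)))
    return findings

SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status cs-bytes sc-bytes
2025-10-24 09:00:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.1.20 Windows-Update-Agent 200 0 0 1842 612
2025-10-24 09:00:02 10.0.0.5 GET /Content/0A/example.cab - 8530 10.0.1.20 Windows-Update-Agent 200 0 0 310 52400
2025-10-24 09:00:07 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.9 python-requests/2.31 500 0 0 218344 0
2025-10-24 09:00:09 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.9 python-requests/2.31 200 0 0 217998 244
"""

if __name__ == "__main__":
    for when, ip, why in suspicious_requests(SAMPLE_LOG):
        print(when, ip, why)
```

Pair the flagged source addresses with the application-log exceptions mentioned above to separate a broken client from a deserialization attempt.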
## References
- Vendor Advisory: msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
- PoC: gist.github.com/hawktrace/[redacted_hash_for_gist_link] (Note: The article mentions a PoC with a hardcoded key derived from `877C14E433638145AD21BD0C17393071`).