Microsoft disclosed a critical **remote code execution (RCE) vulnerability (CVE-2025-59287, CVSS 9.8)** in its **Windows Server Update Service (WSUS)**, actively exploited in the wild since at least **October 24, 2025**. The flaw stems from **unsafe deserialization of untrusted data** in WSUS's `GetCookie()` endpoint: malicious `AuthorizationCookie` objects, decrypted with **AES-128-CBC** and then deserialized by the deprecated **BinaryFormatter**, let attackers execute arbitrary code with **SYSTEM privileges** on vulnerable servers. Exploitation involves sending a crafted event that triggers the deserialization, bypassing authentication.

A **proof-of-concept (PoC) exploit** was publicly released, accelerating attacks. Observed payloads include a **.NET executable** that fetches commands from an HTTP header (`aaaa`) and executes them via `cmd.exe`, evading logs. The **Dutch NCSC** and **Eye Security** confirmed in-the-wild abuse, with attackers dropping Base64-encoded malware on an unnamed victim. Microsoft issued an **out-of-band patch** for affected Windows Server versions (2012 through 2025) and recommended **disabling WSUS** or **blocking ports 8530/8531** as mitigations. **CISA added the flaw to its KEV catalog**, mandating that federal agencies patch by **November 14, 2025**.

The vulnerability poses severe risks: **unauthenticated remote takeover of WSUS servers**, potential **lateral movement within enterprise networks**, and **supply-chain attacks** via compromised update mechanisms. Organizations that fail to patch risk **full system compromise**, **data breaches**, or **operational disruption** if WSUS is used for internal updates.
Source: https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html
TPRM report: https://www.rankiteo.com/company/microsoft
"id": "mic0392103102425",
"linkid": "microsoft",
"type": "Vulnerability",
"date": "6/2012",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization’s existence"
{
  "affected_entities": [
    {
      "industry": "Software Development",
      "location": "Redmond, Washington, USA",
      "name": "Microsoft",
      "size": "Large Enterprise",
      "type": "Technology Corporation"
    }
  ],
  "attack_vector": [
    "Network",
    "Deserialization of Untrusted Data",
    "Crafted Event to GetCookie() Endpoint"
  ],
  "customer_advisories": [
    "Microsoft customers using WSUS-enabled servers",
    "Organizations relying on Windows Server updates"
  ],
  "data_breach": {
    "data_encryption": [
      "AES-128-CBC used for cookie data (vulnerable to deserialization attack)"
    ]
  },
  "date_detected": "2025-10-24T06:55:00Z",
  "date_publicly_disclosed": "2025-10-24",
  "description": "Microsoft released out-of-band security updates to patch a critical-severity Windows Server Update Service (WSUS) vulnerability (CVE-2025-59287, CVSS score: 9.8) with a proof-of-concept (PoC) exploit publicly available and actively exploited in the wild. The flaw stems from unsafe deserialization of untrusted data in WSUS, allowing unauthorized remote code execution with SYSTEM privileges. The vulnerability was originally fixed in Patch Tuesday but required an out-of-band update due to active exploitation. Exploitation involves sending a crafted event to the GetCookie() endpoint, where encrypted cookie data is decrypted and deserialized via BinaryFormatter without proper type validation. A .NET executable payload was observed being dropped via the vulnerability, executing commands from a request header to evade logging.",
  "impact": {
    "brand_reputation_impact": [
      "Potential reputational damage due to exploitation of critical vulnerability"
    ],
    "operational_impact": [
      "Potential full system compromise with SYSTEM privileges",
      "Arbitrary command execution"
    ],
    "systems_affected": [
      "Windows Servers with WSUS role enabled"
    ]
  },
  "initial_access_broker": {
    "entry_point": [
      "WSUS GetCookie() endpoint via crafted event",
      "Ports 8530/8531"
    ],
    "high_value_targets": [
      "Windows Servers with WSUS role enabled"
    ]
  },
  "investigation_status": "Ongoing (active exploitation confirmed; developing story)",
  "lessons_learned": [
    "Avoid using BinaryFormatter for deserialization with untrusted input (previously recommended by Microsoft).",
    "Legacy serialization mechanisms can introduce critical vulnerabilities if not properly validated.",
    "Out-of-band patches may be necessary for actively exploited vulnerabilities even after Patch Tuesday fixes.",
    "Port blocking and role disabling can serve as effective temporary mitigations."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Release of out-of-band patch to validate deserialization in WSUS.",
      "Removal of BinaryFormatter from .NET 9 (proactive measure).",
      "Public disclosure of exploitation risks to prompt patching."
    ],
    "root_causes": [
      "Use of unsafe BinaryFormatter for deserialization in legacy WSUS code.",
      "Lack of proper type validation during deserialization of AuthorizationCookie objects.",
      "Inherent risks in AES-128-CBC decryption followed by unvalidated deserialization."
    ]
  },
  "recommendations": [
    "Apply the out-of-band security update immediately for all affected Windows Server versions.",
    "Reboot systems after patching to ensure updates take effect.",
    "Disable the WSUS server role if not required.",
    "Block inbound traffic to ports 8530 and 8531 until patches are applied.",
    "Monitor for suspicious .NET executable payloads or commands executed via request headers (e.g., 'aaaa' header).",
    "Avoid using BinaryFormatter in custom applications; migrate to safer serialization methods.",
    "Review logs for signs of exploitation, such as unexpected cmd.exe processes spawned from WSUS services."
  ],
  "references": [
    {
      "date_accessed": "2025-10-24",
      "source": "Microsoft Security Update Guide",
      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287"
    },
    {
      "date_accessed": "2025-10-24",
      "source": "The Hacker News - CVE-2025-59287 Exploitation Report",
      "url": "https://thehackernews.com/2025/10/critical-windows-wsus-flaw-under-active.html"
    },
    {
      "date_accessed": "2025-10-24",
      "source": "CISA Known Exploited Vulnerabilities Catalog",
      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
    },
    {
      "date_accessed": "2025-10-22",
      "source": "HawkTrace Research (Batuhan Er) - Technical Analysis"
    },
    {
      "date_accessed": "2025-10-24",
      "source": "Dutch National Cyber Security Centre (NCSC) Advisory",
      "url": "https://www.ncsc.nl/actueel/nieuws/2025/october/24/cve-2025-59287-wsus-exploitation"
    }
  ],
  "regulatory_compliance": {
    "regulatory_notifications": [
      "Added to CISA Known Exploited Vulnerabilities (KEV) catalog (remediation deadline: 2025-11-14)"
    ]
  },
  "response": {
    "communication_strategy": [
      "Public advisory via Microsoft Security Update Guide",
      "Collaboration with CISA for KEV catalog inclusion",
      "Media updates via The Hacker News"
    ],
    "containment_measures": [
      "Out-of-band security patch release",
      "System reboot required post-patch",
      "Disabling WSUS Server Role (if enabled)",
      "Blocking inbound traffic to Ports 8530 and 8531 on host firewall"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": [
      "Patch application (KB updates for affected Windows Server versions)",
      "Removal of BinaryFormatter from .NET 9 (August 2024)"
    ],
    "third_party_assistance": [
      "Security Researchers (MEOW, f7d8c52bec79e42795cf15888b85cbad, Markus Wulftange with CODE WHITE GmbH)",
      "HawkTrace (Batuhan Er)",
      "Eye Security",
      "Dutch National Cyber Security Centre (NCSC)"
    ]
  },
  "stakeholder_advisories": [
    "Federal agencies (via CISA KEV catalog)",
    "Enterprise Windows Server administrators",
    "Security researchers"
  ],
  "title": "Critical Remote Code Execution Vulnerability in Windows Server Update Service (WSUS) - CVE-2025-59287",
  "type": [
    "Vulnerability Exploitation",
    "Remote Code Execution (RCE)",
    "Unauthenticated Attack"
  ],
  "vulnerability_exploited": {
    "affected_software": [
      "Windows Server 2012",
      "Windows Server 2012 R2",
      "Windows Server 2016",
      "Windows Server 2019",
      "Windows Server 2022",
      "Windows Server 2022 23H2 Edition (Server Core installation)",
      "Windows Server 2025"
    ],
    "cve_id": "CVE-2025-59287",
    "cvss_score": 9.8,
    "description": "Remote code execution flaw in WSUS due to unsafe deserialization of AuthorizationCookie objects via BinaryFormatter in the GetCookie() endpoint. Encrypted cookie data is decrypted using AES-128-CBC and deserialized without proper type validation.",
    "prerequisite": "WSUS server role must be enabled on the target system."
  }
}