---
Overview
CVE-2025-59287 is a critical (CVSS 9.8) vulnerability in Windows Server Update Services (WSUS): the service deserializes untrusted data, and a remote attacker can turn that into arbitrary code execution without any authentication. Any WSUS server reachable from an untrusted network is exposed. This post looks at what happened, how the flaw works, and what to do about it.
What is Deserialization?
Deserialization is the step where software reads data stored in a format such as binary, XML, or JSON and rebuilds it into in-memory objects. Type-resolving formatters such as .NET's BinaryFormatter let the input itself name the types to construct, so an attacker who controls the input can name types whose constructors, property setters, or deserialization callbacks do something useful to them. Chained together (a "gadget chain"), those side effects amount to arbitrary code execution, and no memory-corruption bug is needed: the code runs with whatever privileges the deserializing process already has.
How CVE-2025-59287 Works
WSUS clients and downstream servers talk to a WSUS server through SOAP web services over HTTP (TCP 8530) or HTTPS (TCP 8531), and parts of that exchange carry serialized .NET objects. Public analyses of the fix point at the client-facing web service (ClientWebService/Client.asmx), where client-supplied cookie data was handed to a legacy .NET formatter with no restriction on the types it would instantiate. Because that service exists so that not-yet-registered clients can talk to the server, no credentials are needed to reach it, and a crafted payload lets the attacker inject arbitrary objects into the deserialization.
The key exploitation steps
1. The attacker builds a malicious .NET serialized object (a gadget chain) that runs a command or starts a shell when it is deserialized; public tooling such as ysoserial.net generates these.
2. The attacker sends it to the exposed WSUS web service over HTTP on TCP 8530 or HTTPS on TCP 8531 (the WSUS defaults); no credentials are needed.
3. WSUS reads and deserializes the object, and the gadget chain runs with the privileges of the WSUS service process (SYSTEM or Network Service, depending on the component).
Here is a simplified C# snippet that illustrates the pattern (it is not WSUS source code):
```csharp
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;

public object GetUpdatePayload(byte[] bytes)
{
    var formatter = new BinaryFormatter();
    using (var ms = new MemoryStream(bytes))
    {
        // Dangerous: deserializing untrusted data! The stream names the types to
        // construct, so whoever produced it decides what runs here.
        return formatter.Deserialize(ms);
    }
}
```
If the bytes argument comes from a network request, the sender controls every type in the stream, and BinaryFormatter instantiates all of them and runs their deserialization callbacks before the method ever returns.
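To make the fix concrete, here is an added example that is not from the article or from WSUS: a typed System.Text.Json replacement for the handler above and, for code that cannot drop BinaryFormatter yet, a SerializationBinder allowlist. It is the change the Mitigation section's last item asks for. The UpdateEnvelope type, the NotAllowed stand-in, the size limit and every sample value are assumptions made for the illustration; the code targets .NET Framework 4.8 with the System.Text.Json package, and on .NET 8 or later the BinaryFormatter calls throw unless the unsafe compatibility switch is enabled.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text;
using System.Text.Json;

// Added example, not WSUS code. UpdateEnvelope, NotAllowed, AllowListBinder and all
// sample values are assumptions. Targets .NET Framework 4.8 (System.Text.Json via NuGet).

// Data-transfer type holding only the fields the handler needs. [Serializable] is for BinaryFormatter.
[Serializable]
public sealed class UpdateEnvelope
{
    public string ClientId { get; set; }
    public string UpdateId { get; set; }
    public int Revision { get; set; }
}

// Stand-in for an attacker-chosen type: any serializable type that is not on the allowlist.
[Serializable]
public sealed class NotAllowed { public string Note = "stand-in for a gadget type"; }

// Stopgap for legacy code that must still read BinaryFormatter streams: refuse every type
// not explicitly allowed. Returning null would fall back to default resolution, so throw instead.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed = new Dictionary<string, Type>(StringComparer.Ordinal)
    {
        { typeof(UpdateEnvelope).FullName, typeof(UpdateEnvelope) },
    };

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (!Allowed.TryGetValue(typeName, out t))
            throw new SerializationException("Type not permitted in payload: " + typeName);
        return t;
    }
}

public static class UpdatePayloadHandler
{
    private const int MaxPayloadBytes = 64 * 1024; // assumed upper bound for a legitimate payload

    // Preferred fix: a data-only format parsed into a fixed type. System.Text.Json never
    // instantiates a type named by the input, so there is no gadget chain to trigger.
    public static UpdateEnvelope GetUpdatePayloadJson(byte[] bytes)
    {
        if (bytes == null || bytes.Length == 0 || bytes.Length > MaxPayloadBytes)
            throw new ArgumentException("payload missing or too large");
        var options = new JsonSerializerOptions { PropertyNameCaseInsensitive = true, MaxDepth = 8 };
        var envelope = JsonSerializer.Deserialize<UpdateEnvelope>(bytes, options);
        if (envelope == null || string.IsNullOrEmpty(envelope.ClientId) || string.IsNullOrEmpty(envelope.UpdateId))
            throw new ArgumentException("payload failed validation");
        return envelope;
    }

    // Migration stopgap: same formatter as the vulnerable handler, but every type goes through the allowlist.
    public static UpdateEnvelope GetUpdatePayloadAllowListed(byte[] bytes)
    {
        if (bytes == null || bytes.Length == 0 || bytes.Length > MaxPayloadBytes)
            throw new ArgumentException("payload missing or too large");
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(bytes))
        {
            return (UpdateEnvelope)formatter.Deserialize(ms);
        }
    }

    // Builds constructed BinaryFormatter streams so the demo runs offline without any real gadget.
    private static byte[] ToBinary(object o)
    {
        using (var ms = new MemoryStream())
        {
            new BinaryFormatter().Serialize(ms, o);
            return ms.ToArray();
        }
    }

    public static void Main()
    {
        byte[] good = ToBinary(new UpdateEnvelope { ClientId = "c1", UpdateId = "u1", Revision = 3 });
        byte[] bad = ToBinary(new NotAllowed());

        Console.WriteLine("allowlisted stream accepted: " + GetUpdatePayloadAllowListed(good).UpdateId);
        try { GetUpdatePayloadAllowListed(bad); Console.WriteLine("foreign type accepted (binder misconfigured)"); }
        catch (SerializationException e) { Console.WriteLine("foreign type rejected: " + e.Message); }

        byte[] json = Encoding.UTF8.GetBytes("{\"clientId\":\"c1\",\"updateId\":\"u1\",\"revision\":3}");
        Console.WriteLine("json path revision: " + GetUpdatePayloadJson(json).Revision);
    }
}
```

Treat the binder only as a bridge while the protocol moves to a data-only format: Microsoft's own guidance is that no binder makes BinaryFormatter safe against every gadget, which is why the JSON path, not the allowlist, is the actual fix.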
Proof of Concept: Exploiting the Flaw
Security researchers have posted working proof-of-concept (PoC) exploits. Here is a simplified demonstration using ysoserial.net, a well-known tool for generating .NET deserialization payloads. The first command builds a BinaryFormatter payload with the TypeConfuseDelegate gadget that launches calc.exe when deserialized:
```bash
ysoserial.exe -f BinaryFormatter -g TypeConfuseDelegate -o raw -c "cmd.exe /c calc.exe" > exploit.bin
```
The delivery snippet stops at the request setup; the payload goes in the body of an HTTP POST to the client web service. Replace the host with the target WSUS URL (8530 is the WSUS default HTTP port):
```python
# Replace with target WSUS URL
url = "http://wsus-victim.local:8530/ClientWebService/Client.asmx"
headers = {"Content-Type": "application/octet-stream"}
```
Mitigation Steps
* Patch immediately: Microsoft's October 2025 Patch Tuesday update did not fully fix the flaw; an out-of-band update released on 23 October 2025 supersedes it, and the server must be restarted after installing it. Apply it to every server with the WSUS role, including downstream-only servers. See the MSRC advisory linked below.
* Block network access to WSUS: WSUS only needs to be reachable by the clients and downstream servers it serves. Never expose TCP 8530/8531 to the internet, and on a host you cannot patch yet, either disable the WSUS server role or block inbound traffic to those ports at the host firewall.
* Monitor for suspicious activity: child processes of wsusservice.exe or of the IIS worker process for the WsusPool application pool (cmd.exe, powershell.exe and similar), unexpected outbound connections from those processes, and POSTs to the WSUS web services from addresses outside your client population.
* Audit and harden deserialization: BinaryFormatter cannot be made safe; Microsoft marked it obsolete, disabled it by default in .NET 8 and removed it from the shared framework in .NET 9. Replace it with a data-only format parsed into a fixed type (System.Text.Json, or DataContractSerializer with explicit known types), validate the result, and treat a SerializationBinder allowlist only as a stopgap during migration.
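As an added example (not from the article or from Microsoft), the following C# triage routine implements the monitoring signals above over constructed log lines: process-creation records flattened as parent path|parent command line|child path|user, and IIS W3C log lines in the field layout named in the code. The sample events, the internal address prefixes and the list of suspicious child processes are assumptions for the illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added example, not from the article or Microsoft. Record layouts, sample events,
// address prefixes and the child-process list are assumptions for illustration.
public static class WsusTriage
{
    // Children that the WSUS service or its IIS app pool (WsusPool) should never spawn.
    private static readonly HashSet<string> SuspiciousChildren =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "mshta.exe", "rundll32.exe" };

    // Process-creation records flattened as "parentPath|parentCmdline|childPath|user"
    // (e.g. exported from Sysmon event 1 or Security event 4688).
    public static List<string> FlagProcessEvents(IEnumerable<string> records)
    {
        var hits = new List<string>();
        foreach (var rec in records)
        {
            var f = rec.Split('|');
            if (f.Length < 4) continue;
            string parent = Path.GetFileName(f[0]);
            string child = Path.GetFileName(f[2]);
            bool wsusParent = parent.Equals("wsusservice.exe", StringComparison.OrdinalIgnoreCase)
                || (parent.Equals("w3wp.exe", StringComparison.OrdinalIgnoreCase)
                    && f[1].IndexOf("WsusPool", StringComparison.OrdinalIgnoreCase) >= 0);
            if (wsusParent && SuspiciousChildren.Contains(child))
                hits.Add(parent + " -> " + child + " as " + f[3]);
        }
        return hits;
    }

    // IIS W3C layout assumed here:
    // date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
    // Flags POSTs to the WSUS web services from clients outside the given internal prefixes.
    public static List<string> FlagExternalClientRequests(IEnumerable<string> iisLines, IEnumerable<string> internalPrefixes)
    {
        var hits = new List<string>();
        foreach (var line in iisLines)
        {
            if (line.StartsWith("#")) continue; // directive lines such as #Fields
            var f = line.Split(' ');
            if (f.Length < 11) continue;
            string method = f[3], uri = f[4], clientIp = f[8];
            bool wsusEndpoint = uri.StartsWith("/ClientWebService/", StringComparison.OrdinalIgnoreCase)
                || uri.StartsWith("/ReportingWebService/", StringComparison.OrdinalIgnoreCase)
                || uri.StartsWith("/ServerSyncWebService/", StringComparison.OrdinalIgnoreCase);
            if (method == "POST" && wsusEndpoint && !internalPrefixes.Any(p => clientIp.StartsWith(p)))
                hits.Add(clientIp + " POST " + uri);
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed sample events: one WSUS service spawn, one WsusPool worker spawn, one benign admin shell.
        var procEvents = new[]
        {
            @"C:\Program Files\Update Services\Service\WsusService.exe|WsusService.exe|C:\Windows\System32\cmd.exe|NT AUTHORITY\SYSTEM",
            @"C:\Windows\System32\inetsrv\w3wp.exe|w3wp.exe -ap ""WsusPool""|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|NT AUTHORITY\NETWORK SERVICE",
            @"C:\Windows\explorer.exe|explorer.exe|C:\Windows\System32\cmd.exe|CORP\admin",
        };
        // Constructed IIS lines: an internal client, an internet-sourced POST, and a content download.
        var iis = new[]
        {
            "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
            "2025-10-24 03:12:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.4.21 Windows-Update-Agent 200",
            "2025-10-24 03:12:09 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.77 python-requests/2.32 200",
            "2025-10-24 03:12:10 10.0.0.5 GET /Content/abc.cab - 8530 - 10.0.4.21 Windows-Update-Agent 200",
        };
        foreach (var h in FlagProcessEvents(procEvents)) Console.WriteLine("PROC " + h);
        foreach (var h in FlagExternalClientRequests(iis, new[] { "10.", "192.168." })) Console.WriteLine("HTTP " + h);
    }
}
```

On the constructed input the first routine reports the two WSUS-parented shells and ignores the explorer.exe one, and the second reports only the 203.0.113.77 request. In production, feed it Sysmon event 1 or Security 4688 exports and the IIS logs of the WSUS site, and replace the string-prefix check with proper CIDR matching against your actual client ranges.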
References and Further Reading
- Microsoft Security Response Center (MSRC): CVE-2025-59287
- Guide: Preventing Deserialization Attacks
- ysoserial.net Serialization Attack Tool
- Original CVE Announcement (NVD)
Summary
CVE-2025-59287 is a stark reminder that deserializing untrusted input with a type-resolving formatter is code execution by design. Attackers exploiting this bug can take over an exposed WSUS server without credentials, and a compromised WSUS server sits in the update path of every client it serves. Patch, restrict access to 8530/8531, and audit your own code for BinaryFormatter and similar serializers before someone else does.
Timeline
Published on: 10/14/2025 17:16:11 UTC
Last modified on: 12/11/2025 19:36:36 UTC