A proof-of-concept (PoC) exploit has been released for a critical vulnerability in Microsoft’s Windows Server Update Services (WSUS), enabling unauthenticated attackers to execute remote code with SYSTEM privileges on affected servers.
Tracked as CVE-2025-59287 and rated 9.8 on the CVSS v3.1 scale, the flaw stems from unsafe deserialization of untrusted data in WSUS's handling of AuthorizationCookie objects.
Disclosed as part of Microsoft's October 2025 Patch Tuesday, the vulnerability puts enterprise update infrastructure at severe risk: a WSUS server sits in a trusted position relative to every client it manages, so compromising it can lead to widespread follow-on compromise.
WSUS is a server role in Windows Server that helps IT administrators deploy Microsoft updates across networks, ensuring systems remain patched and secure.
Although Microsoft has announced that WSUS is deprecated and will receive no new features, it remains widely deployed in production environments and continues to receive security updates.
The vulnerability affects all supported Windows Server versions from 2012 to 2025, where the GetCookie() endpoint processes encrypted AuthorizationCookie objects without adequate validation.
At its core, CVE-2025-59287 is a deserialization bug in the EncryptionHelper.DecryptData() method. Incoming cookie data, encrypted with AES-128-CBC, is decrypted and the plaintext is passed directly to .NET's BinaryFormatter for deserialization.
BinaryFormatter is a legacy serializer that enforces no type restrictions, so an attacker who controls the serialized bytes can supply a gadget chain that executes arbitrary code during deserialization. Microsoft rated the flaw "Exploitation More Likely"; because it needs neither authentication nor user interaction, it has also been described as potentially wormable across networked WSUS servers.
The Attack Flow and PoC
The exploit begins with an unauthenticated HTTP POST to the WSUS ClientWebService endpoint, which listens on TCP port 8530 (HTTP) and 8531 (HTTPS) by default. The attacker sends a SOAP envelope containing a tampered AuthorizationCookie whose PlugInId is "SimpleTargeting" and whose cookie data carries the encrypted payload.
The server decrypts the cookie using a hardcoded key ("877C14E433638145AD21BD0C17393071"), strips the leading IV block, and deserializes the result via BinaryFormatter.
A publicly available PoC, shared by researcher “hawktrace” on GitHub, demonstrates payload generation in C#. It serializes a malicious delegate to launch “calc.exe” or similar commands, encrypts it without padding, and outputs a Base64-encoded string for the SOAP request.
The stack trace published with the PoC shows the call chain from Client.GetCookie() through AuthorizationManager to DecryptData(), where deserialization runs in the SYSTEM context. No user interaction is needed, which makes any WSUS instance reachable from an untrusted network an easy target.
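The request structure described above lends itself to a simple triage check on captured traffic. The following Python is an added example for this article, not code from the PoC or from Microsoft: it parses a GetCookie SOAP envelope, pulls out each AuthorizationCookie, and flags cookies that are undecodable, empty, or far larger than a legitimate cookie should be (a BinaryFormatter gadget chain is typically several kilobytes). The element names authCookies and CookieData, the service namespace, and the size threshold are assumptions; the sample envelopes are constructed here.

```python
"""Triage GetCookie SOAP requests for oversized or malformed AuthorizationCookie data.

Added example for CVE-2025-59287 analysis; not part of the original PoC.
"""
import base64
import binascii
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List

# Assumption: a serialized .NET gadget chain is several KB once BinaryFormatter-encoded,
# while a legitimate targeting cookie is much smaller. Tune to your environment.
SUSPICIOUS_COOKIE_BYTES = 1024
AES_BLOCK = 16  # AES-128-CBC: IV block followed by ciphertext blocks


@dataclass
class CookieFinding:
    plugin_id: str
    cookie_len: int            # decoded ciphertext length in bytes (IV included)
    block_aligned: bool        # len % 16 == 0, as expected for unpadded CBC data
    suspicious: bool
    reasons: List[str] = field(default_factory=list)


def _local(tag: str) -> str:
    """Strip the XML namespace so the check does not depend on the exact URI."""
    return tag.rsplit("}", 1)[-1]


def triage_getcookie(soap_xml: str) -> List[CookieFinding]:
    """Return one finding per AuthorizationCookie inside a GetCookie request."""
    root = ET.fromstring(soap_xml.encode("utf-8"))
    if not any(_local(e.tag) == "GetCookie" for e in root.iter()):
        return []  # not a GetCookie call; nothing to triage
    findings = []
    for cookie in (e for e in root.iter() if _local(e.tag) == "AuthorizationCookie"):
        plugin = next((c.text or "" for c in cookie if _local(c.tag) == "PlugInId"), "")
        data_b64 = next((c.text or "" for c in cookie if _local(c.tag) == "CookieData"), "")
        reasons = []
        try:
            raw = base64.b64decode(data_b64.strip(), validate=True)
        except (binascii.Error, ValueError):
            raw = b""
            reasons.append("CookieData is not valid base64")
        if not raw and not reasons:
            reasons.append("empty CookieData")
        if len(raw) >= SUSPICIOUS_COOKIE_BYTES:
            reasons.append(f"oversized cookie ({len(raw)} bytes): possible serialized gadget chain")
        aligned = len(raw) > 0 and len(raw) % AES_BLOCK == 0
        findings.append(CookieFinding(plugin, len(raw), aligned, bool(reasons), reasons))
    return findings


def build_getcookie_request(plugin_id: str, cookie: bytes) -> str:
    """Constructed sample envelope (element names assumed from the WSUS client protocol)."""
    data = base64.b64encode(cookie).decode()
    return f"""<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope">
  <soap:Body>
    <GetCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
      <authCookies>
        <AuthorizationCookie>
          <PlugInId>{plugin_id}</PlugInId>
          <CookieData>{data}</CookieData>
        </AuthorizationCookie>
      </authCookies>
      <protocolVersion>1.20</protocolVersion>
    </GetCookie>
  </soap:Body>
</soap:Envelope>"""


if __name__ == "__main__":
    # Constructed inputs: a small cookie and one the size of a typical gadget chain.
    for label, size in (("small cookie", 48), ("large cookie", 4096)):
        for f in triage_getcookie(build_getcookie_request("SimpleTargeting", bytes(size))):
            print(label, f)
```

The check is deliberately key-independent: it never decrypts the cookie, so it can run on a proxy or packet capture without reproducing the server's decryption routine, and it remains useful even if the hardcoded key is rotated by a patch.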
An RCE of this kind could enable supply-chain style attacks in which a compromised WSUS server is used to push malicious content to clients. Windows clients verify Microsoft's signatures on update binaries, so in practice this tends to involve abusing locally published third-party updates, tampering with approvals, or using the server's trusted position as a foothold rather than simply swapping a Microsoft update. While no in-the-wild exploitation had been reported at the time of writing, the public PoC makes patching urgent.
Microsoft credits researcher “MEOW” for the discovery and urges immediate application of the October 2025 security updates via Windows Update or WSUS itself.
Organizations should isolate WSUS servers, restrict inbound access to TCP 8530 and 8531 to the clients and downstream servers that need it, and monitor for anomalous SOAP traffic to the ClientWebService endpoint. For developers, Microsoft has long advised against BinaryFormatter (it is removed from .NET 9) in favor of serializers such as System.Text.Json or XML-based serializers with strict type validation.
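One way to act on the "monitor for anomalous SOAP traffic" advice is to hunt the IIS logs of the WSUS site for POSTs to the client web service that come from outside the managed client ranges or from a non-Windows-Update-Agent user agent. The script below is an added example, not Microsoft or vendor code; the log lines are constructed, and the expected User-Agent prefix and the allowed client networks are assumptions to adjust per environment.

```python
"""Hunt IIS W3C logs for anomalous WSUS ClientWebService traffic.

Added example for CVE-2025-59287 monitoring; field names follow the IIS W3C extended log format.
"""
import ipaddress
from typing import Dict, Iterable, List

WSUS_CLIENT_ENDPOINT = "/clientwebservice/client.asmx"
WSUS_PORTS = {"8530", "8531"}
# Assumption: Windows Update clients identify themselves with this UA prefix.
EXPECTED_UA_PREFIX = "Windows-Update-Agent"

# Constructed sample log: one legitimate client, one unmanaged host using a scripting UA,
# and one unrelated GET that the hunt should ignore.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-10-24 09:12:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 10.0.2.17 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.50 - 200 0 0 31
2025-10-24 09:12:44 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 - 203.0.113.9 python-requests/2.32.3 - 200 0 0 512
2025-10-24 09:13:02 10.0.0.5 GET /selfupdate/wuident.cab - 8530 - 10.0.2.18 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.50 - 200 0 0 5
"""


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse W3C extended log lines using the #Fields: directive for column names."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed row; skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def hunt(rows: List[Dict[str, str]], allowed_client_nets: Iterable[str]) -> List[Dict[str, object]]:
    """Flag POSTs to the WSUS client endpoint from unexpected sources or agents."""
    nets = [ipaddress.ip_network(n) for n in allowed_client_nets]
    hits = []
    for r in rows:
        if r.get("cs-method") != "POST":
            continue
        if r.get("cs-uri-stem", "").lower() != WSUS_CLIENT_ENDPOINT:
            continue
        if r.get("s-port") not in WSUS_PORTS:
            continue
        reasons = []
        try:
            cip = ipaddress.ip_address(r.get("c-ip", ""))
            if not any(cip in n for n in nets):
                reasons.append("source outside managed client ranges")
        except ValueError:
            reasons.append("unparseable client IP")
        if not r.get("cs(User-Agent)", "").startswith(EXPECTED_UA_PREFIX):
            reasons.append("unexpected User-Agent")
        if reasons:
            hits.append({
                "time": f"{r.get('date')} {r.get('time')}",
                "c-ip": r.get("c-ip"),
                "user_agent": r.get("cs(User-Agent)"),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in hunt(parse_w3c(SAMPLE_LOG.splitlines()), ["10.0.0.0/8"]):
        print(hit)
```

Because the vulnerable GetCookie call is one of several operations on the same Client.asmx path, the URI alone does not distinguish it; pairing this hunt with body inspection at a reverse proxy, or with the earlier cookie-size check, narrows the results to requests that actually carry an AuthorizationCookie.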
As WSUS underpins critical update mechanisms, delaying patches risks broad network breaches in an era of escalating ransomware and nation-state threats.