Security researchers released a proof-of-concept for CVE-2025-59287, an unauthenticated remote code execution vulnerability in Windows Server Update Services (WSUS). The flaw stems from unsafe deserialization inside WSUS’ cookie handling, which attackers can weaponize to run arbitrary code as SYSTEM on affected servers.
How the Vulnerability Works
The vulnerable code deserializes AuthorizationCookie objects returned to the GetCookie() endpoint without verifying allowed types. An attacker crafts encrypted payloads that WSUS decrypts and then passes to .NET’s BinaryFormatter, enabling arbitrary object instantiation and code execution when exploit payloads include malicious gadget chains. In short, an attacker can remotely trigger deserialization of attacker-controlled data and gain full control of the server process.
Severity and Exploitation Likelihood
Microsoft and vulnerability trackers assigned CVE-2025-59287 a critical severity with a CVSS v3.1 score near 9.8 and flagged the issue as “exploitation more likely.” Given the unauthenticated attack surface and the PoC publication, threat actors can weaponize this bug for rapid server compromise and lateral movement. Administrators should treat this as an immediate remediation priority.
Affected Versions and Patch Status
WSUS builds running on supported Windows Server versions (2012 through 2025 releases where WSUS remains in use) received vendor fixes in Microsoft’s October 2025 Patch Tuesday release. Microsoft published an advisory and pushed updates; operators must ensure their WSUS hosts apply the vendor-supplied update promptly through tested deployment channels.
Proof-of-Concept Details and Risk from PoC Release
Research groups posted a PoC demonstrating how to craft the malicious AuthorizationCookie and trigger deserialization through GetCookie(). The public availability of exploit code lowers the bar for opportunistic attackers and script kiddies, increasing the likelihood of noisy, fast exploitation campaigns targeting exposed WSUS endpoints. Organizations that expose WSUS management interfaces to untrusted networks face the highest risk.
Immediate Mitigations
First, apply Microsoft’s official patch to WSUS servers immediately. Second, temporarily isolate WSUS management interfaces from untrusted networks and restrict access via firewall rules and network ACLs. Third, implement detection for anomalous GetCookie() requests and for unexpected child processes spawned by WSUS-related services. Finally, consider taking WSUS servers offline and performing offline forensic imaging if you suspect compromise.
Detection and Hunting Guidance
Monitor WSUS logs for unusual AuthorizationCookie traffic and repeated decryption failures. Hunt for abnormal process creation under the WSUS service account and for outbound connections to unknown infrastructure after patch application.
Where possible, search historical telemetry for patterns matching the PoC’s request fingerprint to identify pre-patch exploitation. Deploy IDS/IPS signatures that vendors released for CVE-2025-59287 to catch exploit attempts at the network perimeter.
Beyond immediate patching and containment, administrators should reduce WSUS attack surface: limit external access, enforce least privilege for WSUS service accounts, enable strict input validation on any custom integrations, and migrate to centralized update management solutions where WSUS sits behind additional control planes.
Also, plan regular review cycles for any component that performs deserialization and prefer safe serializers or explicit type whitelisting.
Operational Impact
If exploited, CVE-2025-59287 can let attackers run code as SYSTEM on update servers that control patch distribution. Attackers could manipulate update metadata or push malicious payloads downstream, complicating recovery and expanding the blast radius. Therefore, operators must treat WSUS servers as high-value assets and prioritize recovery playbooks that include reimaging and cryptographic validation of update packages.
Recommendations for SOCs and IR Teams
-
Prioritize patch rollouts to WSUS hosts and verify patch success via management telemetry.
-
Block or restrict public access to WSUS ports.
-
Enable detailed logging and forward WSUS logs to your SIEM for correlation.
-
Run targeted threat hunts for GetCookie() exploitation fingerprints in historical logs.
-
If you detect exploitation, isolate the host and treat the incident as a full compromise — conduct a full forensic investigation and assume attacker persistence. Microsoft Security Response Center+1
