CVE-2025-59287 — Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability

CVE-2025-59287

Microsoft WSUS — Pre-Auth .NET Deserialization RCE; Mass Exploitation Day Before Patch (UNC6512)

What is Windows Server Update Services?

Windows Server Update Services (WSUS) is Microsoft's enterprise patch management system, allowing organizations to centrally manage and deploy Windows updates across their environment. WSUS servers typically have broad network access to all managed clients, are trusted by every client endpoint, and run with SYSTEM-level privileges. These properties make WSUS an extraordinarily valuable target: an attacker who compromises a WSUS server gains a trusted position in the update delivery chain with access to every managed Windows machine in the organization. WSUS operates on TCP ports 8530 (HTTP) and 8531 (HTTPS) by default.

Overview

CVE-2025-59287 is a critical .NET deserialization vulnerability (CWE-502) in WSUS's reporting web services. WSUS's GetCookie endpoint at /ClientWebService/Client.asmx uses .NET's BinaryFormatter to deserialize an AuthorizationCookie parameter in SOAP requests. By sending a specially crafted SOAP request containing a malicious serialized .NET gadget chain, an unauthenticated network attacker achieves arbitrary code execution with SYSTEM privileges on the WSUS server — no authentication required. Mass exploitation began at least one day before Microsoft's out-of-band patch, with the newly identified threat cluster UNC6512 and multiple simultaneous adversaries confirmed exploiting the vulnerability.

Affected Versions

Product                                  | Vulnerable                            | Fixed
Windows Server 2012 (WSUS role enabled)  | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch
Windows Server 2012 R2                   | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch
Windows Server 2016                      | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch
Windows Server 2019                      | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch
Windows Server 2022                      | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch
Windows Server 2022 23H2 (Server Core)   | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch
Windows Server 2025                      | All builds before Oct 24, 2025 patch  | October 24, 2025 out-of-band patch

Only systems with the WSUS Server Role installed are vulnerable. Client systems (endpoints) are not directly vulnerable.

Technical Details

The vulnerability (CWE-502: Deserialization of Untrusted Data) is in WSUS's reporting web service (/ClientWebService/Client.asmx). The GetCookie SOAP operation accepts an AuthorizationCookie parameter and passes it to .NET's BinaryFormatter.Deserialize() without validation. BinaryFormatter is inherently unsafe for untrusted data — it executes type constructors and methods during deserialization, enabling "gadget chain" exploits.

By crafting a SOAP request containing a malicious .NET gadget chain (objects whose deserialization triggers OS command execution), an attacker achieves code execution as SYSTEM — the Windows service account for WSUS. The attack works over default WSUS ports (8530/TCP HTTP, 8531/TCP HTTPS). No authentication is required.

Post-exploitation observed in the wild: PowerShell execution via the WSUS/IIS worker process, deployment of Velociraptor (a legitimate DFIR tool repurposed as a C2 tunnel), and delivery of Skuld Stealer (an open-source infostealer targeting cryptocurrency wallets, browser saved credentials, system information, and Discord/Telegram session tokens).

Discovery

Eye Security (Netherlands) identified the first successful exploit attempts and reported them to NCSC-NL on 24 October 2025. Hawktrace and Horizon3.ai published independent PoC research. Google Threat Intelligence Group tracked the newly identified threat cluster UNC6512 exploiting this vulnerability.

Exploitation Context

Mass exploitation began at approximately 23:34 UTC on 23 October 2025 — the day before Microsoft's emergency patch. At least two distinct adversaries were observed exploiting CVE-2025-59287 simultaneously, indicating multiple threat actors had independently developed working exploits. UNC6512 (newly identified by Google GTIG) is linked to exploitation across multiple victim organizations. The sophistication of observed exploitation — including the repurposing of the legitimate Velociraptor DFIR tool as a C2 tunnel — indicates a high-capability actor, likely either a state-affiliated group or a sophisticated ransomware operator. CISA added CVE-2025-59287 to the KEV catalog on 24 October 2025 with a 7-day federal deadline (31 October 2025).

Remediation

  1. Apply Microsoft's October 24, 2025 out-of-band patch to all WSUS servers immediately — do not wait for the next Patch Tuesday.
  2. Restrict WSUS port access (8530/8531 TCP) at the network firewall — WSUS clients connect on these ports, but access from non-managed networks should be blocked. Internet-accessible WSUS is never appropriate.
  3. Check for compromise indicators: examine IIS/WSUS logs for unexpected SOAP requests to /ClientWebService/Client.asmx?GetCookie from non-managed IP addresses; look for unexpected PowerShell child processes under the WSUS IIS worker process.
  4. Scan for Velociraptor or Skuld Stealer on WSUS servers and downstream managed systems — both are documented post-exploitation payloads in this campaign.
  5. Rotate all credentials accessible from the WSUS server: service accounts, domain admin credentials used for WSUS administration, and any secrets in WSUS configuration.
  6. Consider migrating from WSUS to Microsoft Intune or Windows Autopatch for modern patch management — WSUS is a legacy product with a historically poor security track record.
  7. Review managed endpoints: given WSUS's trusted position in the update chain, verify that no rogue updates or packages were pushed to managed clients while the server was potentially compromised.
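A way to carry out step 3 over IIS logs, as an added example that is not part of the original advisory and not code from Microsoft or any of the researchers named above. It assumes the WSUS site's IIS logs are in the default W3C format with a "#Fields:" header, that the cs(User-Agent) field is logged, and that MANAGED_NETWORKS lists every range from which WSUS clients legitimately connect (the 10.0.0.0/8 value and the sample log lines are constructed). Because the SOAP operation name (GetCookie) normally travels in the SOAPAction header and request body, which default IIS fields do not record, the example examines every request to /ClientWebService/Client.asmx and flags those whose source address or user agent does not look like a managed Windows Update client, reporting the query string when one is present.

```python
"""Hunt for unexpected requests to the WSUS client web service in IIS W3C logs.

Added example, not from the original advisory or from Microsoft. Assumptions:
default W3C log format with a "#Fields:" header, cs(User-Agent) logged, and
MANAGED_NETWORKS covering all legitimate WSUS client ranges (placeholder below).
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample log lines. The 203.0.113.77 records model a non-client
# source hitting the endpoint shortly before the out-of-band patch.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-10-23 22:10:05 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.12.44 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.0 200
2025-10-23 23:34:11 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31.0 200
2025-10-23 23:34:12 10.0.0.5 POST /ClientWebService/Client.asmx GetCookie 8530 203.0.113.77 python-requests/2.31.0 500
2025-10-23 23:40:00 10.0.0.5 GET /selfupdate/wuident.cab - 8530 10.0.12.45 Windows-Update-Agent/10.0.10011.16384+Client-Protocol/2.0 200
"""

MANAGED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed placeholder
CLIENT_ASMX = "/clientwebservice/client.asmx"


@dataclass
class Finding:
    timestamp: str
    client_ip: str
    user_agent: str
    query: str
    status: str
    reasons: list = field(default_factory=list)


def parse_w3c(text):
    """Yield one dict per log record, keyed by the names in the #Fields: line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def is_managed(ip, networks):
    """True when the client address falls inside a known WSUS client range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def find_suspicious(text, networks=MANAGED_NETWORKS):
    """Return Findings for Client.asmx requests that do not look like WSUS client traffic."""
    findings = []
    for rec in parse_w3c(text):
        if rec["cs-uri-stem"].lower() != CLIENT_ASMX:
            continue
        reasons = []
        if not is_managed(rec["c-ip"], networks):
            reasons.append("client IP outside managed networks")
        if not rec["cs(User-Agent)"].startswith("Windows-Update-Agent"):
            reasons.append("user agent is not the Windows Update Agent")
        if reasons:
            findings.append(Finding(
                timestamp=rec["date"] + " " + rec["time"],
                client_ip=rec["c-ip"],
                user_agent=rec["cs(User-Agent)"],
                query=rec["cs-uri-query"],
                status=rec["sc-status"],
                reasons=reasons,
            ))
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f.timestamp, f.client_ip, f.query, f.status, "; ".join(f.reasons))
```

Any hit is a starting point for the process-tree review in the same remediation step: correlate the timestamp against process creation events under the WSUS IIS worker process and treat a PowerShell child of that process as a priority lead.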

Key Details

Property              Value
CVE ID:               CVE-2025-59287
Vendor / Product:     Microsoft — Windows
NVD Published:        2025-10-14
NVD Last Modified:    2025-11-12
CVSS 3.1 Score:       9.8
CVSS 3.1 Vector:      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity:             CRITICAL
CWE:                  CWE-502
CISA KEV Added:       2025-10-24
CISA KEV Deadline:    2025-11-14
Known Ransomware Use: No

CVSS 3.1 Breakdown

Attack Vector:       Network
Attack Complexity:   Low
Privileges Required: None
User Interaction:    None
Scope:               Unchanged
Confidentiality:     High
Integrity:           High
Availability:        High

Required Action

CISA BOD 22-01 Deadline: 2025-11-14. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date        Event
2025-10-14  CVE published (October 2025 Patch Tuesday — but patch released out-of-band later)
2025-10-23  Mass exploitation begins at 23:34 UTC — the day before the out-of-band patch
2025-10-24  Microsoft releases emergency out-of-band patch; CISA adds to KEV catalog with 7-day deadline
2025-11-12  NVD last modified
2025-11-14  CISA BOD 22-01 remediation deadline