PoC Exploit Released for Windows Server Update Services Remote Code Execution Vulnerability

A proof-of-concept (PoC) exploit has emerged for a critical vulnerability in Microsoft’s Windows Server Update Services (WSUS), allowing unauthenticated attackers to execute remote code with SYSTEM privileges on affected servers. This vulnerability, identified as CVE-2025-59287, has been assigned a CVSS v3.1 score of 9.8, indicating its severity. The issue arises from unsafe deserialization of untrusted data in WSUS’s handling of AuthorizationCookies.

Disclosed during Microsoft’s October 2025 Patch Tuesday, this vulnerability presents significant risks to enterprise update infrastructures, with the potential for widespread compromise. WSUS serves as a crucial server role in Windows Server, aiding IT administrators in deploying Microsoft updates across networks to ensure systems remain patched and secure.

Although Microsoft has deprecated WSUS and no longer adds features to it, the role remains widely deployed in production environments and still receives security updates. The vulnerability affects all supported Windows Server versions from 2012 through 2025, where the GetCookie() endpoint processes encrypted AuthorizationCookie objects without sufficient validation.

At the heart of CVE-2025-59287 is a deserialization issue within the EncryptionHelper.DecryptData() method. Incoming cookie data, encrypted using AES-128-CBC, is decrypted and subsequently passed directly to .NET’s BinaryFormatter for deserialization. This legacy serializer lacks type restrictions, enabling attackers to craft malicious payloads that can trigger arbitrary code execution during processing. Microsoft has classified the flaw as “Exploitation More Likely,” underscoring its wormable potential across networked WSUS servers.

The Attack Flow and PoC

The exploit initiates with an unauthenticated HTTP POST request directed at the WSUS ClientWebService endpoint on port 8530. Attackers transmit a SOAP envelope containing a manipulated AuthorizationCookie, featuring a PlugInId of “SimpleTargeting” along with encrypted payload data. The server decrypts the cookie using a hardcoded key (“877C14E433638145AD21BD0C17393071”), removes the IV block, and deserializes the result via BinaryFormatter.

A publicly available PoC, shared by researcher “hawktrace” on GitHub, illustrates payload generation in C#. It serializes a malicious delegate designed to launch “calc.exe” or similar commands, encrypts it without padding, and produces a Base64-encoded string for the SOAP request. The accompanying call trace follows the chain from Client.GetCookie() through AuthorizationManager to DecryptData(), where deserialization occurs under the SYSTEM context. Because no user interaction is required, this vulnerability is particularly dangerous for exposed WSUS instances.

This remote code execution (RCE) could facilitate supply-chain attacks, wherein compromised WSUS servers distribute malicious updates to clients. Although no active exploits in the wild have been reported, the availability of the PoC heightens the urgency for organizations to apply patches promptly.

Microsoft acknowledges researcher “MEOW” for the discovery and strongly advises the immediate application of the October 2025 security updates through Windows Update or WSUS. Organizations are encouraged to isolate WSUS servers, implement firewalls to restrict access, and monitor for unusual SOAP traffic. In the long term, Microsoft recommends transitioning away from BinaryFormatter to more secure alternatives such as JSON or XML serializers with stringent validation.
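The article describes the attack as an unauthenticated POST to the WSUS ClientWebService endpoint on port 8530 and, among the mitigations, recommends monitoring for unusual SOAP traffic. The script below is an added example of that monitoring step; it is not from the article, from the PoC author, or from Microsoft. It reads IIS W3C log lines from the WSUS site and raises an alert when a POST to the client web service comes from an address outside the managed-client ranges, carries a user agent other than the Windows Update Agent, or arrives in a burst from one source. The endpoint path /ClientWebService/Client.asmx, the log field order, the expected user-agent prefix, the 10.0.0.0/8 client range and the burst thresholds are all assumptions about a default deployment; the log lines are constructed sample data.

```python
"""Flag WSUS ClientWebService POSTs that do not look like normal client check-ins.

Added example, not part of the advisory. Assumptions (adjust for your site):
  - the WSUS client web service is served at /ClientWebService/Client.asmx on 8530
  - IIS logs use the W3C format with the #Fields header shown in SAMPLE_LOG
  - legitimate clients identify as Windows-Update-Agent and live in 10.0.0.0/8
"""
from collections import defaultdict, deque
from datetime import datetime
import ipaddress

CLIENT_SERVICE_PATH = "/clientwebservice/client.asmx"   # assumed WSUS client endpoint (lower-cased)
WSUS_PORT = "8530"                                       # HTTP port named in the article
EXPECTED_AGENT_PREFIX = "Windows-Update-Agent"           # assumed UA of real WSUS clients
MANAGED_CLIENT_RANGES = [ipaddress.ip_network("10.0.0.0/8")]  # assumed client address space
BURST_THRESHOLD = 5      # POSTs from one source within BURST_WINDOW_S seconds
BURST_WINDOW_S = 60

# Constructed sample IIS W3C log: two normal check-ins, a burst from an
# external host with a non-client user agent, and an unrelated content download.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-10-24 09:00:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.12.34 Windows-Update-Agent 200
2025-10-24 09:00:07 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.12.35 Windows-Update-Agent 200
2025-10-24 09:01:30 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-10-24 09:01:31 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-10-24 09:01:31 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-10-24 09:01:32 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-10-24 09:01:32 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 500
2025-10-24 09:02:00 10.0.0.5 GET /Content/abc.cab - 8530 10.0.12.36 Windows-Update-Agent 200
"""


def parse_w3c(text):
    """Yield one dict per log record, keyed by the most recent #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, values))


def is_client_service_post(rec):
    """True for POSTs to the client web service on the WSUS HTTP port."""
    return (rec["cs-method"] == "POST"
            and rec["s-port"] == WSUS_PORT
            and rec["cs-uri-stem"].lower() == CLIENT_SERVICE_PATH)


def detect(text, ranges=MANAGED_CLIENT_RANGES):
    """Return a list of alert dicts; each (type, source) pair is reported once."""
    alerts = []
    reported = set()
    recent = defaultdict(deque)  # c-ip -> timestamps of its recent client-service POSTs

    def report(kind, src, **extra):
        if (kind, src) not in reported:
            reported.add((kind, src))
            alerts.append({"type": kind, "src": src, **extra})

    for rec in parse_w3c(text):
        if not is_client_service_post(rec):
            continue
        src = rec["c-ip"]
        ts = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")

        # 1. Source outside the ranges where managed clients are expected.
        if not any(ipaddress.ip_address(src) in net for net in ranges):
            report("unexpected_source", src, time=rec["time"])

        # 2. A client-service POST from something other than the update agent.
        agent = rec["cs(User-Agent)"]
        if not agent.startswith(EXPECTED_AGENT_PREFIX):
            report("unexpected_agent", src, agent=agent)

        # 3. Burst: many client-service POSTs from one source inside the window.
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > BURST_WINDOW_S:
            window.popleft()
        if len(window) >= BURST_THRESHOLD:
            report("burst", src, count=len(window))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Every managed client calls GetCookie as part of a normal check-in, so the endpoint itself is not the signal; the combination of an unexpected source address, a non-agent user agent and a rapid series of requests is what separates probing from routine traffic. Feed the script the live WSUS site log and tune the client ranges and thresholds to your environment.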

As WSUS is integral to critical update mechanisms, any delay in patching could expose networks to significant breaches, particularly in an environment increasingly threatened by ransomware and nation-state actors.
