Unauthenticated RCE in WSUS Puts Organizations at Risk

Microsoft patches WSUS RCE flaw letting attackers gain SYSTEM access. Learn how to secure servers and prevent exploitation.

Written By
Ken Underhill
Nov 3, 2025

Microsoft issued an out-of-band patch for a critical remote code execution (RCE) flaw, CVE-2025-59287, in the Windows Server Update Services (WSUS) role. 

The vulnerability allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges on affected Windows Server versions, including 2012, 2012 R2, 2016, 2019, 2022, and 2025. 

Microsoft stated in its advisory that “Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.”

From Patch Management to Pivot Point

Windows Server Update Services (WSUS) is a cornerstone of enterprise patch management, enabling organizations to centrally distribute Microsoft updates across endpoints instead of relying on direct internet connections. 

Because WSUS servers run with high privileges and manage updates for all systems, compromising one server can give attackers organization-wide control through this trusted patching channel.

According to Palo Alto Networks researchers, exploitation of CVE-2025-59287 has already been observed targeting WSUS instances exposed to the internet on default ports 8530 (HTTP) and 8531 (HTTPS).

These attacks underscore how critical internal management infrastructure can become an initial entry point for lateral movement if not properly segmented.

Inside the Deserialization Flaw

At the heart of CVE-2025-59287 is an unsafe deserialization flaw within WSUS’s Authorization.EncryptionHelper.DecryptData() method. 

When the service receives an AuthorizationCookie object from a client, it decrypts and deserializes the data using the insecure .NET BinaryFormatter without enforcing strict type validation. 

This allows attackers to craft a malicious gadget chain payload — commonly generated using tools such as ysoserial[.]net — that triggers arbitrary command execution once deserialized.

An unauthenticated adversary can send a specially crafted SOAP request to the /ClientWebService/Client.asmx endpoint, invoking the GetCookie method. 

The payload, encrypted with the hardcoded AES-128-CBC key used by WSUS, is injected into the CookieData field. 

Once decrypted, the BinaryFormatter.Deserialize() call executes the attacker’s payload under the WSUS service context — commonly SYSTEM, providing full local privilege.
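The missing control the article describes, strict type validation before deserialization, is easiest to see in a small Python analog. This is an added example and not WSUS code: pickle stands in for .NET BinaryFormatter, the `find_class` allowlist stands in for a SerializationBinder, and the `AuthorizationCookie` shape, the `GadgetLike` stand-in and the `_record_call` sentinel are constructed for the demonstration.

```python
"""Python analog of the CWE-502 defect behind CVE-2025-59287 (added example,
not WSUS code). pickle plays the role of .NET BinaryFormatter: an unrestricted
load lets the serialized stream name the callable that gets invoked, while an
allowlisting Unpickler (the SerializationBinder analog) refuses any type other
than the cookie the server expects, before any constructor or callable runs."""
import io
import pickle
from dataclasses import dataclass


@dataclass
class AuthorizationCookie:
    """Assumed shape of the only object legitimately carried in CookieData."""
    client_id: str
    expires: int


# Records invocations made by the deserializer itself; an attacker-chosen
# callable running here is the equivalent of a gadget chain firing.
CALLS = []


def _record_call(tag):
    CALLS.append(tag)
    return tag


class GadgetLike:
    """Constructed stand-in for a gadget: deserializing it invokes _record_call."""

    def __reduce__(self):
        return (_record_call, ("executed-during-deserialize",))


def unsafe_decrypt_and_load(blob: bytes):
    """Vulnerable pattern: the stream decides which types and callables are used."""
    return pickle.loads(blob)


# Only these (module, name) pairs may be resolved while loading.
ALLOWED_TYPES = {(AuthorizationCookie.__module__, AuthorizationCookie.__qualname__)}


class CookieOnlyUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        # Raising here stops the load before REDUCE/NEWOBJ can run anything.
        raise pickle.UnpicklingError(f"type {module}.{name} is not allowed")


def safe_decrypt_and_load(blob: bytes) -> AuthorizationCookie:
    """Hardened pattern: allowlisted types only, then validate the result's type."""
    obj = CookieOnlyUnpickler(io.BytesIO(blob)).load()
    if not isinstance(obj, AuthorizationCookie):
        raise pickle.UnpicklingError("deserialized object is not an AuthorizationCookie")
    return obj


def legitimate_blob() -> bytes:
    """Constructed sample of what a well-behaved client would send."""
    return pickle.dumps(AuthorizationCookie("client-01", 1_800_000_000))


def gadget_blob() -> bytes:
    """Constructed sample of a stream that names a callable instead of a cookie."""
    return pickle.dumps(GadgetLike())


def demo() -> dict:
    """Run both loaders against both blobs and report what happened."""
    results = {}
    CALLS.clear()
    unsafe_value = unsafe_decrypt_and_load(gadget_blob())
    results["unsafe_ran_callable"] = (
        unsafe_value == "executed-during-deserialize" and CALLS == [unsafe_value]
    )
    CALLS.clear()
    try:
        safe_decrypt_and_load(gadget_blob())
        results["safe_blocked_gadget"] = False
    except pickle.UnpicklingError:
        results["safe_blocked_gadget"] = CALLS == []
    cookie = safe_decrypt_and_load(legitimate_blob())
    results["safe_accepts_cookie"] = cookie == AuthorizationCookie("client-01", 1_800_000_000)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The decisive difference is where the check happens: the hardened loader rejects the unexpected type while the stream is still being read, so nothing it names ever executes, whereas an `isinstance` check after an unrestricted load would come too late.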

Observed exploitation chains show the following process sequences:

wsusservice.exe → cmd.exe → cmd.exe → powershell.exe

w3wp.exe → cmd.exe → cmd.exe → powershell.exe

Attackers have used these processes to execute encoded PowerShell commands for reconnaissance, such as whoami, net user /domain, and ipconfig /all, and then exfiltrated results using curl.exe or Invoke-WebRequest to remote servers.
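The two process chains and the encoded PowerShell described above translate directly into a detection. The following is an added example, not code from the article or from any vendor: it walks constructed Sysmon Event ID 1-style parent/child records (the sample events, paths and command lines are made up for the demonstration), alerts when a PowerShell process descends from wsusservice.exe or w3wp.exe, and decodes any `-EncodedCommand` argument so the analyst sees the plaintext rather than base64.

```python
"""Detection for the process chains reported in CVE-2025-59287 exploitation
(added example; the events below are constructed, not real telemetry).
Walks Sysmon Event ID 1-style parent/child records, alerts when PowerShell
descends from wsusservice.exe or w3wp.exe, and decodes -EncodedCommand."""
import base64
import binascii

WSUS_ROOTS = {"wsusservice.exe", "w3wp.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
RECON_MARKERS = ("whoami", "net user", "ipconfig", "invoke-webrequest", "curl")


def _b64_utf16(text: str) -> str:
    """Encode text the way PowerShell expects -EncodedCommand (base64 of UTF-16LE)."""
    return base64.b64encode(text.encode("utf-16le")).decode("ascii")


# Constructed sample events: two malicious chains and one benign admin session.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "cmd": "WsusService.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c cmd.exe"},
    {"pid": 310, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 320, "ppid": 310, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + _b64_utf16("whoami")},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmd": "w3wp.exe -ap WsusPool"},
    {"pid": 510, "ppid": 500, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c cmd.exe"},
    {"pid": 520, "ppid": 510, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"pid": 530, "ppid": 520, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoP -NonI -EncodedCommand " + _b64_utf16("ipconfig /all")},
    {"pid": 700, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 710, "ppid": 700, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -Command Get-Date"},
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the process upward to its earliest known ancestor."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def decode_encoded_command(cmdline: str):
    """Plaintext of an -EncodedCommand argument, or None if absent or undecodable.
    PowerShell accepts any unambiguous prefix of the switch (-e, -en, -enc ...) and -ec."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if not tok.startswith(("-", "/")):
            continue
        switch = tok[1:].lower()
        if switch == "ec" or (switch and "encodedcommand".startswith(switch)):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def detect(events):
    """Alert on every PowerShell process whose ancestry includes a WSUS root process."""
    alerts = []
    for e in events:
        if image_name(e["image"]) not in POWERSHELL:
            continue
        chain = ancestry(events, e["pid"])  # child first, ancestors after
        idx = next((i for i, name in enumerate(chain) if name in WSUS_ROOTS), None)
        if idx is None:
            continue
        decoded = decode_encoded_command(e["cmd"])
        markers = [m for m in RECON_MARKERS if decoded and m in decoded.lower()]
        alerts.append({
            "pid": e["pid"],
            "chain": " → ".join(reversed(chain[: idx + 1])),  # WSUS root down to PowerShell
            "decoded_command": decoded,
            "recon_markers": markers,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign explorer.exe → powershell.exe session produces no alert, which is the point of keying on the WSUS ancestry rather than on PowerShell alone; in practice the chain logic sits in the SIEM and the decoded command feeds the analyst's triage.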

Reduce Your WSUS Attack Surface

To defend against active exploitation of CVE-2025-59287, organizations should act quickly to secure their WSUS environments. 

The following mitigation steps combine immediate patching with network, configuration, and monitoring controls designed to reduce attack surface and limit potential impact if compromise occurs.

  • Apply Microsoft’s patch: Deploy the latest WSUS security update and verify installation across all affected servers.
  • Restrict WSUS network access: Limit ports 8530/8531 to internal clients and management hosts and block all public internet access.
  • Enforce HTTPS-only communication: Require encrypted connections (port 8531) to prevent interception or tampering.
  • Harden server and account permissions: Apply least privilege, audit admin roles, and isolate WSUS from domain controllers or other critical systems.
  • Enable application allowlisting and logging: Use AppLocker or WDAC to restrict code execution and forward detailed WSUS/IIS logs to a centralized SIEM.
  • Monitor for indicators of compromise (IoCs): Hunt for unusual SOAP requests, unexpected activity from wsusservice.exe or PowerShell, and suspicious outbound traffic. 
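The network-restriction, HTTPS-only and monitoring items above can be checked against the IIS logs the WSUS site already writes. The following is an added example, not code from the article: it parses constructed W3C extended log lines (the sample entries, addresses and user agents are made up), flags requests to the /ClientWebService/Client.asmx endpoint from sources outside the approved internal ranges, and flags anything still arriving on the plaintext port 8530. The allowed ranges are an assumption to be replaced with your own.

```python
"""Review of WSUS IIS logs against the network and protocol controls above
(added example; log lines are constructed in W3C extended format, not real
traffic). Flags client web service requests from non-allowlisted sources and
any request that still reached the plaintext port 8530."""
import ipaddress

# Assumed internal client and management ranges; adjust to your environment.
ALLOWED_CLIENT_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
WSUS_CLIENT_ENDPOINT = "/clientwebservice/client.asmx"
HTTPS_PORT = 8531

# Constructed sample in the W3C extended format IIS writes (fields per #Fields line).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-10-24 09:12:01 10.0.5.20 POST /ClientWebService/Client.asmx - 8531 10.0.7.44 Windows-Update-Agent 200
2025-10-24 09:12:09 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 10.0.7.45 Windows-Update-Agent 200
2025-10-24 09:13:40 10.0.5.20 POST /ClientWebService/Client.asmx - 8530 203.0.113.77 python-requests/2.31 200
2025-10-24 09:14:02 10.0.5.20 GET /selfupdate/wuident.cab - 8531 192.168.3.9 Windows-Update-Agent 200
"""


def parse_w3c(text):
    """Yield one dict per entry, keyed by the names in the most recent #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # unmappable line; a production pipeline should count these
        yield dict(zip(fields, values))


def is_internal(ip_text: str) -> bool:
    """True if the address falls inside one of the allowed client networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_CLIENT_NETS)


def review(text):
    """Return one alert per log entry that violates the exposure or HTTPS-only policy."""
    alerts = []
    for entry in parse_w3c(text):
        uri = entry.get("cs-uri-stem", "").lower()
        client = entry.get("c-ip", "")
        try:
            port = int(entry.get("s-port", "0"))
        except ValueError:
            port = 0
        reasons = []
        if uri == WSUS_CLIENT_ENDPOINT and not is_internal(client):
            reasons.append("client web service reached from non-allowlisted source")
        if port != HTTPS_PORT:
            reasons.append(f"plaintext port {port} still serving requests")
        if reasons:
            alerts.append({
                "time": f"{entry['date']} {entry['time']}",
                "c-ip": client,
                "uri": entry["cs-uri-stem"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in review(SAMPLE_LOG):
        print(alert)
```

A hit on the first rule means the firewall or segmentation control in the list above is not actually in force; a hit on the second means clients are still being served over HTTP and the HTTPS-only item is incomplete. Both are configuration findings worth fixing even when no exploitation has occurred.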

By implementing these measures, organizations can reduce their exposure to unauthenticated remote code execution attacks targeting WSUS and build cyber resilience.

CVE-2025-59287 underscores the enduring dangers of unsafe deserialization (CWE-502) and the impact of flaws in privileged infrastructure. 

As organizations increasingly depend on automation and centralized management tools, vulnerabilities in platforms like WSUS, SCCM, and Intune can quickly escalate into full-domain compromises. 

The rapid weaponization of this exploit — just days after disclosure — demonstrates how threat actors now target patch management systems as both entry points and attack amplifiers. 

As attacks increasingly exploit trusted systems from within, adopting a zero-trust architecture becomes critical to ensuring every connection and request is verified.

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
