Unauthenticated RCE Flaw in WSUS Under Active Exploitation


On October 23, 2025, Microsoft released an out-of-band security update to patch an actively exploited vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The vulnerability allows unauthenticated remote code execution via a crafted SOAP request to the WSUS ClientWebService endpoint. Adversaries are exploiting it to obtain a remote shell on internet-exposed WSUS servers, most likely as an initial access vector for follow-on intrusions, including potential ransomware deployment.

Severity: Critical

Vulnerability: CVE-2025-59287

  • Component Affected: Microsoft Windows Server Update Services (WSUS)
  • Vulnerability Type: .NET Deserialization leading to Remote Code Execution (RCE)
  • CVSS Score: 9.8
  • Attack Vector: Unauthenticated HTTP(S) request to https://<host>:8531/ClientWebService/client.asmx (or port 8530 over plain HTTP)
  • Root Cause: Insecure deserialization in Microsoft.UpdateServices.Internal.SoapUtilities.Deserialize during SOAP payload processing.

Exploitation Chain

  1. Initial Access
    • The attacker sends a malicious SOAP request to the WSUS server's client web service on TCP port 8530 (HTTP) or 8531 (HTTPS).
    • The request contains a base64-encoded serialized .NET object crafted with ysoserial[.]net using the ActivitySurrogateSelector gadget chain.
  2. Execution
    • WSUS deserializes the payload, which triggers execution of a .NET PE executable embedded in the SOAP body.
    • The embedded binary launches cmd.exe with the value of a custom HTTP header (aaaa) as the command line: StartInfo.Arguments = "/c " + header;
  3. Command & Control
    • Command output is captured and written to the HTTP response.
    • Manual command execution observed, indicating hands-on-keyboard activity (e.g., whoami executed via w3wp.exe).

Indicators of Exploitation

  • Review logs at: %ProgramFiles%\Update Services\LogFiles\SoftwareDistribution.log
  • Look for stacktrace containing:
    • SoapUtilities.CreateException ThrowException: actor = https://<host>:8531/ClientWebService/client.asmx
    • Microsoft.UpdateServices.Internal.SoapUtilities.Deserialize
    • Base64 marker: AAEAAAD/////AQAAAAAAAAAEAQAAAH9 (the leading AAEAAAD///// is the base64 encoding of a .NET BinaryFormatter stream header, so any occurrence of it in a SOAP body sent to client.asmx is suspicious on its own)
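The following PowerShell is an added example, not part of this advisory and not Microsoft tooling: it scans SoftwareDistribution.log lines for the three markers listed above and reports each hit. The log lines embedded in it are constructed for illustration (the host name wsus01.corp.example and the timestamps are invented); only the marker strings come from the advisory. On a suspect server, feed it the real log with Get-Content on the path above instead of the sample.

```powershell
# Added example: hunt SoftwareDistribution.log for CVE-2025-59287 indicators.
# Function and object names are this example's own, not Microsoft's.

function Find-WsusExploitIndicator {
    [CmdletBinding()]
    param(
        # Lines of SoftwareDistribution.log (e.g. from Get-Content)
        [Parameter(Mandatory)] [AllowEmptyString()] [string[]] $LogLine
    )
    # Regexes derived from the advisory's markers. The actor URL is matched with
    # a wildcard host because the log records the server's own host name.
    $patterns = [ordered]@{
        'SOAP exception on client.asmx'  = 'SoapUtilities\.CreateException ThrowException: actor = https?://[^\s]*:853[01]/ClientWebService/client\.asmx'
        'Deserialize in stack trace'     = 'Microsoft\.UpdateServices\.Internal\.SoapUtilities\.Deserialize'
        'BinaryFormatter base64 header'  = 'AAEAAAD/////AQAAAAAAAAAEAQAAAH9'
    }
    $n = 0
    foreach ($line in $LogLine) {
        $n++
        foreach ($name in $patterns.Keys) {
            if ($line -match $patterns[$name]) {
                [pscustomobject]@{ Line = $n; Indicator = $name; Text = $line.Trim() }
            }
        }
    }
}

# Constructed sample log: two benign lines and three lines carrying the markers.
$sample = @'
2025-10-24 09:12:01.123 UTC Info  w3wp.12 ClientImplementation.GetConfig   Client config served
2025-10-24 09:12:03.456 UTC Error w3wp.12 SoapUtilities.CreateException ThrowException: actor = https://wsus01.corp.example:8531/ClientWebService/client.asmx
2025-10-24 09:12:03.457 UTC Error w3wp.12    at Microsoft.UpdateServices.Internal.SoapUtilities.Deserialize(String data)
2025-10-24 09:12:03.458 UTC Error w3wp.12    payload: AAEAAAD/////AQAAAAAAAAAEAQAAAH9... (truncated)
2025-10-24 09:12:10.000 UTC Info  w3wp.12 ClientImplementation.SyncUpdates  Sync completed
'@ -split '\r?\n'

$hits = @(Find-WsusExploitIndicator -LogLine $sample)
$hits | Format-Table -AutoSize
if ($hits.Count -gt 0) {
    Write-Warning "$($hits.Count) CVE-2025-59287 indicator(s) found; review w3wp.exe child processes and outbound connections on this host."
}

# On a live WSUS server, scan the real log instead of the sample:
# $hits = @(Find-WsusExploitIndicator -LogLine (Get-Content "$env:ProgramFiles\Update Services\LogFiles\SoftwareDistribution.log"))
```

The regex for the actor line deliberately accepts either port and any host, so it matches regardless of whether the server is reached over 8530 or 8531. A hit on the base64 header alone is not proof of exploitation (the exception may come from a malformed but non-malicious request), but a Deserialize frame together with the header in the same burst of log lines is the pattern the advisory describes.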

Internet Exposure

  • Roughly 8,000 WSUS servers were identified as exposed to the internet via Shodan and Fofa scans.
  • Public exposure is not recommended; WSUS is intended for internal use only.

Recommendations

  1. Microsoft recommends that Windows Server customers install the out-of-band update released on October 23, 2025, immediately. A reboot is required after the update is installed.
    NOTE: The WSUS Server Role is not enabled by default on Windows Server. Servers without the WSUS server role are not vulnerable. A server on which the role is enabled later becomes vulnerable at that point unless the update was installed first, so install the update before enabling the role.
  2. For Windows Server 2019 (OS Build 17763.7922), apply OOB update KB5070883. Ensure the August 2021 SSU (KB5005112) is installed before deploying it.
  3. Workarounds, if the update cannot be installed immediately:
     • If the WSUS Server Role is enabled on your server, disable it. Clients will no longer receive updates from the server while WSUS is disabled.
     • Block inbound traffic to TCP ports 8530 and 8531 on the host firewall (not only at the network/perimeter firewall); this renders WSUS non-operational.
    NOTE: Do NOT undo either workaround until you have installed the update.
  4. Tune your EDR to alert on suspicious child processes of w3wp.exe (e.g., cmd.exe, powershell.exe).
  5. Block the IOCs at their respective controls:
    https://www.virustotal.com/gui/collection/f9c3d13b0da76971319fe0936ba42749d7cc3ae1afac445344b3449c6e286ea6/iocs
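As an added example (not Microsoft's and not this advisory's own script), the following PowerShell turns the recommendations above into a single triage run: it checks whether the host is exposed, applies the host-firewall workaround where it is, and lists the w3wp.exe child processes the EDR guidance refers to. It assumes Windows Server 2019, since KB5070883 is the only update number the advisory gives; other Windows Server versions have their own OOB update numbers and need a different KB check. It must be run in an elevated session, and the firewall rule names and function names are the example's own.

```powershell
# Added example: CVE-2025-59287 exposure check and host-firewall workaround.
# Assumes Windows Server 2019 (KB5070883) and an elevated PowerShell session.

function Get-WsusExposure {
    # Get-WindowsFeature comes from the ServerManager module, present on Windows Server.
    $role = Get-WindowsFeature -Name UpdateServices
    $oob  = [bool](Get-HotFix -Id KB5070883 -ErrorAction SilentlyContinue)
    $ssu  = [bool](Get-HotFix -Id KB5005112 -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        WsusRoleInstalled  = $role.Installed
        OobUpdateInstalled = $oob
        SsuInstalled       = $ssu   # prerequisite for KB5070883 on Server 2019
        Vulnerable         = ($role.Installed -and -not $oob)
    }
}

function Block-WsusInbound {
    # Host-firewall workaround from the advisory: WSUS is non-operational while these
    # rules exist. Remove them only after KB5070883 is installed and the host rebooted.
    foreach ($port in 8530, 8531) {
        $name = "CVE-2025-59287 workaround: block inbound TCP $port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
        }
    }
}

function Get-SuspiciousW3wpChild {
    # Point-in-time view of the behaviour the EDR rule should catch: shells spawned
    # by the IIS worker process that hosts WSUS. PIDs are reused, so confirm with
    # process creation times or EDR telemetry before acting on a hit.
    $w3wp = @(Get-CimInstance Win32_Process -Filter "Name='w3wp.exe'")
    if ($w3wp.Count -eq 0) { return }
    $parentIds = $w3wp.ProcessId
    Get-CimInstance Win32_Process |
        Where-Object { $_.ParentProcessId -in $parentIds -and $_.Name -in 'cmd.exe','powershell.exe','pwsh.exe' } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

$state = Get-WsusExposure
$state | Format-List

if ($state.Vulnerable) {
    Write-Warning 'WSUS role present and KB5070883 missing: applying host-firewall block on 8530/8531 until the update is installed.'
    Block-WsusInbound
}

$children = @(Get-SuspiciousW3wpChild)
if ($children.Count -gt 0) {
    Write-Warning "$($children.Count) shell(s) running under w3wp.exe; investigate before patching over the evidence."
    $children | Format-Table -AutoSize
}
```

The exposure check reports the role and the update separately because the advisory's note matters in both directions: a host without the role is safe today but becomes vulnerable the moment the role is added without the update, so an inventory that records OobUpdateInstalled = $false on role-less servers is still worth fixing. Disabling the role (Uninstall-WindowsFeature UpdateServices) is the other workaround the advisory lists; it is left out of the script because it is more disruptive and harder to reverse than the firewall rules.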


Ampcus Cyber