来源

关联漏洞

描述

CVE-2025-59287 — Critical unauthenticated RCE in Windows Server Update Services (WSUS) via unsafe deserialization of an AuthorizationCookie, enabling SYSTEM-level compromise and active exploitation; patch or isolate WSUS (ports 8530/8531) immediately.

介绍

# CVE-2025-59287 — When your patch server becomes the attack vector 🗿

**TL;DR:**
Microsoft patched a **critical unauthenticated remote code execution (RCE)** vulnerability in **Windows Server Update Services (WSUS)** that’s already being exploited in the wild. The issue stems from **unsafe deserialization** of attacker-controlled data, allowing remote SYSTEM-level compromise. This bug essentially turns your update server — the thing meant to secure your network — into a potential weapon against it. Patch immediately or isolate WSUS until you can.

![CVE_2025_69287](https://github.com/user-attachments/assets/b994d037-ccde-44b4-966d-35b28c3e3320) <br/>

---

## What happened (plain speak)

WSUS is the backbone for distributing Windows updates across many enterprise environments. It allows admins to manage, approve, and deploy updates internally — saving bandwidth and providing central control.
However, a flaw in one of WSUS’s web service endpoints made it possible for attackers to send **malicious serialized data** disguised as an `AuthorizationCookie`. When WSUS receives this crafted cookie, it tries to deserialize it without proper validation, leading to arbitrary code execution.

Attackers are using this to run code as **SYSTEM**, the highest privilege on Windows. Since WSUS servers often sit in trusted network zones and can **push updates to every client**, this flaw becomes a golden entry point. Once exploited, it could let adversaries deploy **malicious updates**, **pivot to domain controllers**, or **exfiltrate credentials**.
Microsoft released an emergency patch, and CISA added this CVE to the **Known Exploited Vulnerabilities (KEV)** list — a strong signal that threat actors are already on the move.

---

## PoC summary — what the public PoC does (safe, high level)

A proof-of-concept (PoC) quickly surfaced after the patch dropped, confirming how easy exploitation could be once the flow was understood.
In essence, the exploit:

* Crafts a **fake cookie payload** (`AuthorizationCookie`) expected by WSUS, embedding a serialized **.NET object** instead of genuine authentication data.
* Sends this blob to vulnerable ASMX endpoints such as:

  * `/SimpleAuthWebService/SimpleAuthWebService.asmx`
  * `/ReportingWebService/ReportingWebService.asmx`
* The server decrypts and **blindly deserializes** it using outdated `.NET BinaryFormatter` routines.
* The injected object’s **gadget chain** triggers execution of attacker commands — typically spawning `cmd.exe` or `powershell.exe` under **SYSTEM**.

Since the PoC is now public, opportunistic attackers are actively scanning networks for open WSUS ports. The availability of weaponized payloads makes patching non-negotiable.

---

## Why you should care (short)

1. **RCE as SYSTEM:** Attackers can fully control your update server — including the updates it distributes.
2. **Unauthenticated exploit:** No login required; a single HTTP POST is enough.
3. **Internal exposure:** WSUS runs on TCP ports 8530/8531, often reachable from large parts of corporate networks.
4. **Active exploitation:** Multiple security vendors have observed live attacks in progress. Treat this like a fire alarm, not a warning.

---

## Immediate mitigation (do this now)

1. **Patch immediately** — apply Microsoft’s out-of-band WSUS update addressing CVE-2025-59287. Verify installation via the KB number and reboot the system afterward to finalize the fix.
2. **If you can’t patch yet:**

   * **Temporarily disable WSUS** or block inbound connections to **TCP 8530** and **8531** at the host or firewall level.
   * Ensure WSUS is **not exposed to the internet** under any condition.
3. **Update your defenses:**

   * IDS/IPS vendors and vulnerability scanners like **Tenable**, **Qualys**, and **Rapid7** have released detection plugins.
   * Integrate updated signatures to flag suspicious HTTP payloads targeting WSUS ASMX endpoints.

---

## Indicators of Compromise (IoCs)

Below are IoCs and hunt queries you can plug directly into SIEM or EDR platforms to detect possible exploitation.

### Network / HTTP IoCs

* **Ports:** TCP `8530` (HTTP), TCP `8531` (HTTPS)
* **Endpoints hit:**

  * `/SimpleAuthWebService/SimpleAuthWebService.asmx`
  * `/ReportingWebService/ReportingWebService.asmx`
  * `/ClientWebService/ClientWebService.asmx`
* **Payload clues:** Unusually large **Base64 blobs** in cookies or POST bodies labeled `AuthorizationCookie`.
* **Behavioral clue:** Sudden or irregular POSTs to WSUS from unknown IPs or internal clients that typically don’t check in there.

### Host / Process IoCs

* **Suspicious process spawns:**

  * Parent: `w3wp.exe` or `wsusservice.exe`
  * Child: `cmd.exe` or `powershell.exe`
* **Command-line traits:**

  * PowerShell commands with `-EncodedCommand`, `Invoke-Expression`, or network callbacks.
* **Persistence signs:**

  * New scheduled tasks, services, or registry keys under WSUS directories with odd timestamps.

### Logs to review

* **IIS logs:** `C:\inetpub\logs\LogFiles\W3SVC*\u_ex*.log`
* **WSUS logs:** `C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log`
* **Windows PowerShell logs:** Event IDs `4103`, `4104`
* **Sysmon process creation:** Event ID `1` for suspicious parent-child process chains

### Quick Splunk hunt query

```spl
# CVE-2025-59287 hunt: detect oversized AuthorizationCookie POSTs to WSUS ASMX endpoints
index=web_logs (uri_path="/SimpleAuthWebService/SimpleAuthWebService.asmx"
 OR uri_path="/ReportingWebService/ReportingWebService.asmx"
 OR uri_path="/ClientWebService/ClientWebService.asmx")
| where like(Cookie, "%AuthorizationCookie=%")
| where len(Cookie) > 1000
| table _time, clientip, uri_path, Cookie
```

### Sigma rule snippet

```yaml
# CVE-2025-59287 Detection: WSUS spawning PowerShell (potential deserialization RCE)
title: WSUS Process Spawned Suspicious Shell
id: dfd1a2e2-2025-59287-detect
status: stable
description: Detects suspicious behavior where WSUS-related processes (w3wp.exe) spawn PowerShell shells, indicative of CVE-2025-59287 exploitation.
author: Aditya Bhatt
date: 2025/10/28
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    EventID: 1
    ParentImage|endswith: '\w3wp.exe'
    Image|endswith: '\powershell.exe'
  condition: selection
fields:
  - Image
  - ParentImage
  - CommandLine
  - User
  - Computer
falsepositives:
  - WSUS administration scripts legitimately using PowerShell (rare)
level: high
tags:
  - attack.execution
  - cve.2025-59287
  - wsus
```

### Elastic EQL Query

**EQL Version**

```eql
process where event.code == "1" and 
process.parent.name == "w3wp.exe" and 
process.name == "powershell.exe"
```

**KQL Version**

```kql
event.code:1 and process.parent.name:"w3wp.exe" and process.name:"powershell.exe"
```

---

## Scanner / tooling updates

Security vendors reacted fast:

* **Vulnerability scanners** (Tenable, Qualys, Rapid7) now include dedicated plugins to detect unpatched WSUS instances.
* **IDS/IPS** providers (Juniper, Fortinet, Palo Alto) released new signatures to flag exploit traffic targeting `/SimpleAuthWebService.asmx`.
* **EDR tools** like Defender for Endpoint and CrowdStrike recommend hunting for **PowerShell** spawned by **IIS worker processes** (`w3wp.exe`) as a strong signal of compromise.

---

## If you find exploitation — triage playbook

1. **Isolate** affected WSUS hosts immediately.
2. **Collect evidence:** memory dump, IIS + WSUS logs, process trees, and scheduled tasks.
3. **Assume SYSTEM-level compromise** and possible **update tampering**.
4. **Rebuild the WSUS server** from a clean base image, rotate service credentials, and verify all approved updates’ integrity.
5. Notify internal teams — treat this as a full security incident requiring cross-functional response.

---

## TL;DR for different audiences

* **Beginners:** If your update server is hacked, attackers can push malicious updates. Patch WSUS — now. ⚙️
* **Intermediate:** Watch for long Base64 cookies on ports 8530/8531, and monitor `w3wp.exe → powershell.exe` chains. 🕵️‍♀️
* **Experts:** Deserialization-based unauthenticated RCE with a public PoC, active exploitation confirmed. Prioritize patching, forensic analysis, and IDS/EDR tuning. 🚨

---

## Sources & Further Reading

* [Microsoft Security Response Center – Security Update Guide: CVE-2025-59287](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287)
* [HawkTrace Research Blog – CVE-2025-59287 WSUS Remote Code Execution](https://hawktrace.com/blog/CVE-2025-59287)
* [Huntress Blog – Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287)](https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability)
* [Tenable® Blog – Microsoft Patch Tuesday October 2025 Security Update Review (includes CVE-2025-59287)](https://blog.tenable.com/microsoft-patch-tuesday-october-2025-security-update-review)
* [Juniper Networks ThreatLabs – IPS Signature Detail HTTP:CTS:CVE-2025-59287-CE](https://www.juniper.net/us/en/threatlabs/ips-signatures/detail.HTTP%3ACTS%3ACVE-2025-59287-CE.html)
* [NVD – CVE-2025-59287 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-59287)
* [The Hacker News – Microsoft Issues Emergency Patch for Critical WSUS Flaw (CVE-2025-59287)](https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html)

---

### Goodbye Note

Patch fast, hunt deep, and remember — even your security tools can betray you if they’re not patched. 🔒🦉

---

文件快照

 [4.0K]  /data/pocs/23b71771bc41429c0d3d50879171150ba517d9f2
├── [ 109]  Elastic-CVE-2025-59287-WSUS-shell-EQL.eql
├── [  82]  Elastic-CVE-2025-59287-WSUS-shell-KQL.kql
├── [1.0K]  LICENSE
├── [9.4K]  README.md
├── [ 784]  Sigma-Rule-CVE-2025-59287-WSUS-shell.yml
└── [ 397]  Splunk_Hunt_Query.spl

0 directories, 6 files

备注