
Threat Profile
Microsoft released emergency out-of-band security updates to patch CVE-2025-59287, a critical remote code execution vulnerability in Windows Server Update Service (WSUS). The flaw is unsafe deserialization of untrusted data in a legacy serialization path that uses BinaryFormatter. An unauthenticated remote attacker can exploit it by sending crafted events to the GetCookie() endpoint, where encrypted AuthorizationCookie objects are decrypted with AES-128-CBC and then deserialized without proper type validation, resulting in remote code execution with SYSTEM privileges. The vulnerability has a CVSS score of 9.8 and is actively exploited in the wild. Eye Security observed exploitation on October 24, 2025, in which attackers dropped a Base64-encoded .NET executable payload that runs commands supplied in the 'aaaa' request header via cmd.exe. The vulnerability affects Windows Server 2012, 2012 R2, 2016, 2019, 2022, and 2025 with the WSUS server role enabled. Microsoft recommends patching immediately; as a workaround, disable the WSUS server role or block inbound traffic to ports 8530 and 8531.
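The following PowerShell script is an added example, not code from the page, from Eye Security, or from Microsoft. It turns the mitigation guidance above into a repeatable check for a Windows Server host: confirm whether the WSUS server role is installed, list what is listening on the WSUS ports 8530 and 8531, check for the out-of-band update, and, if the patch cannot be confirmed, apply the advisory's port-blocking workaround. It assumes an elevated PowerShell session on Windows Server with the ServerManager and NetSecurity modules available; the firewall rule names and the KB placeholder are constructed here, since the page does not give the KB number of the update.

```powershell
# Added example (not from the advisory): triage and workaround for CVE-2025-59287 on a WSUS host.
# Run in an elevated PowerShell session on the Windows Server being checked.

$WsusPorts = @(8530, 8531)        # HTTP / HTTPS listener ports of the WSUS server role (from the advisory)
$PatchKb   = 'KB0000000'          # PLACEHOLDER: replace with the KB id of the out-of-band update for this OS

function Test-WsusRoleInstalled {
    # Get-WindowsFeature (ServerManager module) reports whether the UpdateServices role is present.
    $feature = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    return ($null -ne $feature -and $feature.Installed)
}

function Get-WsusListeners {
    # Any process listening on 8530/8531 means the GetCookie() endpoint is reachable on this host.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $WsusPorts -contains $_.LocalPort } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Test-WsusPatchInstalled {
    # Get-HotFix returns nothing when the update is absent; cast to [bool] for a clean yes/no.
    param([Parameter(Mandatory)][string]$KbId)
    return [bool](Get-HotFix -Id $KbId -ErrorAction SilentlyContinue)
}

function Block-WsusInbound {
    # Advisory workaround: block inbound TCP to the WSUS ports until the patch is applied.
    # Rule names are constructed for this example and are idempotent across re-runs.
    foreach ($port in $WsusPorts) {
        $name = "Block-WSUS-Inbound-$port"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
                -LocalPort $port -Action Block -Profile Any | Out-Null
            Write-Host "Created inbound block rule '$name'"
        }
    }
}

if (Test-WsusRoleInstalled) {
    Write-Host "WSUS server role is installed on $env:COMPUTERNAME"
    Get-WsusListeners | Format-Table -AutoSize
    if (Test-WsusPatchInstalled -KbId $PatchKb) {
        Write-Host "Update $PatchKb is installed; no workaround needed"
    } else {
        Write-Warning "Update $PatchKb not found; applying inbound block on ports $($WsusPorts -join ', ')"
        Block-WsusInbound
    }
} else {
    Write-Host "WSUS server role is not installed; this host is outside the affected configuration"
}
```

Blocking 8530 and 8531 also stops legitimate WSUS clients from fetching updates from this server, so treat the rules as a stopgap and remove them once the patch is confirmed. The advisory's other workaround, removing the role entirely, corresponds to `Uninstall-WindowsFeature -Name UpdateServices`; it is deliberately left out of the script because it is not reversible by a single re-run.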
Published: 7 months ago