Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-59287 PoC — Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Source
https://github.com/th1n0/CVE-2025-59287
Associated Vulnerability
Title:Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (CVE-2025-59287)
Description:Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Description
WSUS vulnerability PoC
Readme
# CVE-2025-59287 
> **⚠ This tool is created solely for educational use only. Unauthorized use outside of controlled environments is strictly prohibited.**

CVE-2025-59287 is a critical remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS). It stems from unsafe deserialization of data inside WSUS components, allowing a remote, unauthenticated attacker to cause the service to deserialize a crafted .NET object and execute arbitrary code under the SYSTEM account. The vulnerability is commonly exploited by sending specially crafted SOAP requests to WSUS web endpoints. This repository was created to demonstrate a proof-of-concept for this vulnerability.

# Requirements
- Windows OS/Linux
- Python 3.4+

# How To Use
This PoC expects a payload serialized with .NET BinaryFormatter and encoded in Base64. If no payload is supplied, a benign calculator payload will be used instead. There are several ways to use a custom payload.
## 1. Edit the payload.txt file
Simply insert your payload into payload.txt.
```payload.txt
YOUR_PAYLOAD
```
The code will use payload from this file.

**Second option**:
You can add your payload manually. Open exp.py and locate the following block. Replace 'your_payload' with your Base64-encoded .NET BinaryFormatter payload.
```python
...
   if not args.no_wait:
        time.sleep(0.02)
    injected = payload_text or 'your_payload'
    success, event_id, target_sid = send_malicious_event(target, cookie, injected)
...
```

## 2. Run the code:
```bash
python exp.py http://example.local:8533
```
*(replace http://example.local:8530 with the target WSUS server URL)*

# How it works?
`encrypt.py` prepares a blob that looks like the encrypted/packed data WSUS expects; `exp.py` builds and sends SOAP requests that place that blob into WSUS fields which the vulnerable service will decrypt and deserialize — if the server is vulnerable the deserialized object can trigger code execution.

# Disclaimer
This tool is created solely for educational use only. Unauthorized use outside of controlled environments is strictly prohibited.
File Snapshot

 [4.0K]  /data/pocs/86a5a46796e030fa50866cd0db1bf62929de0040
├── [6.3K]  encypt.py
├── [6.1K]  exp.py
├── [  12]  payload.txt
├── [4.0K]  __pycache__
│   └── [ 15K]  encypt.cpython-314.pyc
└── [2.1K]  README.md

2 directories, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →