
CVE-2025-59287 PoC — Windows Server Update Service (WSUS) Remote Code Execution Vulnerability

Associated Vulnerability
Title: Windows Server Update Service (WSUS) Remote Code Execution Vulnerability (CVE-2025-59287)
Description: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
Description
Defensive PoC decoy for CVE-2025-59287 (WSUS) - emulates WSUS endpoints, captures request bodies and metadata, saves evidence for forensic analysis, and provides validation harness and detection rules.
Readme
# wsus-decoy

Defensive proof of concept decoy for CVE-2025-59287 (WSUS). The decoy emulates WSUS web endpoints on ports 8530 and 8531, captures full HTTP request bodies and headers, stores evidence for forensic analysis, and includes a Windows test harness to validate endpoint, file and process telemetry. It also includes example detection rules (KQL and Suricata) and a Sentinel playbook template.

> IMPORTANT: This project is strictly defensive. It contains no exploit code. Run it only in an isolated lab or a segmented test environment. Do not expose the decoy to production networks unless you understand the risks and have monitoring in place.

## Repo contents
- nginx config to proxy WSUS-like endpoints to a capture service
- Flask-based capture service that writes request bodies and metadata to disk
- Windows PowerShell harness to create the log file and spawn cmd.exe -> powershell -EncodedCommand for detection validation
- Suricata rules to detect suspicious WSUS POSTs
- KQL queries for high-confidence and early-warning detection in Microsoft Sentinel [(From @0x534c Steven Lim on X)](https://x.com/0x534c/status/1982034763805581524)
- Deployment and testing guides

## Quickstart (local lab)
1. Clone this repo.
2. In `capture/` create a Python venv, then `pip install -r requirements.txt`.
3. Update `nginx/nginx.conf` if needed and run nginx on the decoy host listening on 8530.
4. Start the Flask capture service (systemd unit provided).
5. On a Windows test VM with EDR enabled, run `windows-harness/wsus_test_harness.ps1`.
6. Generate a POST to `http://<decoy-ip>:8530/ReportWebService/ReportWebService.asmx` to test capture.
7. Ingest evidence artifacts into your SIEM or Log Analytics workspace and run the provided KQL queries to validate.

See `docs/deployment.md` and `docs/testing.md` for full instructions.
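A stdlib-only sketch of the capture service described above (an added example, not the repo's Flask service): it answers on the WSUS web-service paths, writes each request's raw body and a JSON metadata record to an evidence directory, and flags any POST to those paths, since nothing legitimate should be talking to a decoy. The `WSUS_DECOY_EVIDENCE` variable, the path list and the `suspicious` heuristic are assumptions, and the SOAP reply is a bare envelope rather than real WSUS behaviour.

```python
import hashlib, json, os, time
from http.server import BaseHTTPRequestHandler, HTTPServer

# WSUS web-service paths the decoy answers on (the repo fronts these with nginx).
WSUS_PATHS = ("/ReportWebService/ReportWebService.asmx",
              "/ClientWebService/client.asmx", "/SimpleAuthWebService/SimpleAuth.asmx")
EVIDENCE_DIR = os.environ.get("WSUS_DECOY_EVIDENCE", "wsus_evidence")  # assumed env var

def capture_request(method, path, headers, body, client_ip, evidence_dir=EVIDENCE_DIR):
    """Write the raw body and a JSON metadata record to evidence_dir; return the record."""
    os.makedirs(evidence_dir, exist_ok=True)
    sha = hashlib.sha256(body).hexdigest()
    stem = os.path.join(evidence_dir, f"{time.time_ns()}_{sha[:12]}")
    record = {
        "ts": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "client_ip": client_ip, "method": method, "path": path,
        "headers": dict(headers), "body_len": len(body), "body_sha256": sha,
        "wsus_endpoint": path in WSUS_PATHS,
        # Nothing legitimate talks to a decoy, so any POST to a WSUS path is flagged.
        "suspicious": method == "POST" and path in WSUS_PATHS,
        "body_file": stem + ".body", "evidence_file": stem + ".json",
    }
    with open(record["body_file"], "wb") as f:
        f.write(body)  # untouched bytes, for offline analysis of the serialized payload
    with open(record["evidence_file"], "w", encoding="utf-8") as f:
        json.dump(record, f, indent=2)
    return record

def read_evidence(json_path):
    """Load a metadata record back, as a SIEM ingest step would."""
    with open(json_path, encoding="utf-8") as f:
        return json.load(f)

class DecoyHandler(BaseHTTPRequestHandler):
    def _handle(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        capture_request(self.command, self.path, self.headers, body, self.client_address[0])
        # Answer with an empty SOAP envelope so the decoy looks like a live WSUS endpoint.
        self.send_response(200)
        self.send_header("Content-Type", "text/xml; charset=utf-8")
        self.end_headers()
        self.wfile.write(b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
                         b"<soap:Body/></soap:Envelope>")
    do_GET = do_POST = _handle
    def log_message(self, *args):  # evidence files are the log; keep stderr quiet
        pass

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8530), DecoyHandler).serve_forever()
```

Run it on the decoy host (or behind the repo's nginx config) and point the quickstart's test POST at port 8530; each hit leaves a `.body` and `.json` pair in the evidence directory.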

## For Enterprise

- Visit lupovis.io 

## License and attribution

This project is licensed under the MIT License. See the `LICENSE` file for full license text.

**Copyright (c) 2025 Lupovis**

Attribution: Created by `Lupovis`  
Repository: https://github.com/Lupovis/Honeypot-for-CVE-2025-59287-WSUS/

## Safety note
Always run this in an isolated lab or segmented test network. Do not use real exploit payloads. The intent is to capture and analyze attacker activity in a safe way.