Security researcher Batuhan Er from HawkTrace has detailed a critical remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287.
The flaw, rated CVSS 9.8, stems from an unsafe deserialization process in the WSUS AuthorizationCookie mechanism, allowing unauthenticated attackers to execute arbitrary code with SYSTEM privileges. Microsoft patched the vulnerability in its October 2025 Patch Tuesday update.
“This vulnerability arises from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint,” explained Er. “Encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized through BinaryFormatter without proper type validation, enabling remote code execution with SYSTEM privileges.”
Windows Server Update Services (WSUS) is a Microsoft administration tool used by enterprises to centrally manage updates for Windows devices across networks. WSUS servers communicate with clients via SOAP-based APIs to distribute updates securely and efficiently.
That same channel becomes a critical attack surface when the server deserializes client-supplied data it has not validated, which is exactly what happens in CVE-2025-59287.
“WSUS clients communicate with the WSUS server over the web to receive updates and stay secure,” the report notes, but this channel can be hijacked through malicious AuthorizationCookie payloads.
The vulnerability lies in the Microsoft.UpdateServices.Internal.Authorization.EncryptionHelper.DecryptData() method. When the WSUS server receives a request containing an AuthorizationCookie, the encrypted data is decrypted using AES-128-CBC and then passed directly to .NET’s BinaryFormatter.Deserialize() — a method long known for being inherently unsafe when processing untrusted data.
Because the type of the deserialized object is never validated, an attacker can craft a serialized payload that triggers arbitrary code execution inside the WSUS process, which runs as SYSTEM.
“This final step is the critical vulnerability: arbitrary encrypted payloads can be deserialized, leading to remote code execution,” Er stated in the report.
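The decrypt-then-deserialize pattern described above, side by side with a hardened version, as an added illustration for this article. This is not WSUS code and not HawkTrace's proof of concept: the `CookiePayload` and `NotACookie` types, the key handling and the `CookieOnlyBinder` are assumptions made here to show the behaviour, and the real WSUS type names and field layout are not reproduced. It targets .NET Framework 4.x, where `BinaryFormatter` is still enabled by default.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;

// Hypothetical stand-in for the payload type a server expects inside the cookie.
[Serializable]
public sealed class CookiePayload
{
    public string ClientId;
    public DateTime Expires;
}

// Any other [Serializable] type the process can load. Harmless here; in a real
// attack this slot holds a gadget chain that runs code during deserialization.
[Serializable]
public sealed class NotACookie
{
    public string Marker;
}

public static class CookieHandling
{
    // AES-128-CBC without a MAC gives confidentiality only. Whoever can produce
    // ciphertext under the server key fully controls the plaintext that reaches
    // the deserializer; the encryption step is not an authentication step.
    private static ICryptoTransform Cipher(byte[] key, byte[] iv, bool encrypt)
    {
        var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Padding = PaddingMode.PKCS7;
        aes.Key = key;   // 16 bytes -> AES-128
        aes.IV = iv;
        return encrypt ? aes.CreateEncryptor() : aes.CreateDecryptor();
    }

    public static byte[] Encrypt(byte[] key, byte[] iv, byte[] plaintext)
    {
        using (var t = Cipher(key, iv, true)) return t.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    public static byte[] Decrypt(byte[] key, byte[] iv, byte[] ciphertext)
    {
        using (var t = Cipher(key, iv, false)) return t.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
    }

    public static byte[] Serialize(object o)
    {
        using (var ms = new MemoryStream()) { new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    }

    // VULNERABLE pattern: decrypt, then deserialize whatever came out, with no type check.
    public static object DecryptAndDeserializeUnsafe(byte[] key, byte[] iv, byte[] ciphertext)
    {
        using (var ms = new MemoryStream(Decrypt(key, iv, ciphertext)))
            return new BinaryFormatter().Deserialize(ms);
    }

    // Binder that admits exactly one type and rejects everything else before an
    // instance is created. BindToType is consulted for every class record in the stream.
    private sealed class CookieOnlyBinder : SerializationBinder
    {
        public override Type BindToType(string assemblyName, string typeName)
        {
            if (typeName == typeof(CookiePayload).FullName) return typeof(CookiePayload);
            throw new SerializationException("Rejected type in cookie: " + typeName);
        }
    }

    // HARDENED stop-gap: same flow, but unexpected types are refused. The durable fix is
    // to stop using BinaryFormatter for untrusted input altogether.
    public static CookiePayload DecryptAndDeserializeChecked(byte[] key, byte[] iv, byte[] ciphertext)
    {
        var formatter = new BinaryFormatter { Binder = new CookieOnlyBinder() };
        using (var ms = new MemoryStream(Decrypt(key, iv, ciphertext)))
            return (CookiePayload)formatter.Deserialize(ms);
    }

    public static void Main()
    {
        byte[] key = new byte[16], iv = new byte[16];   // constructed demo key and IV
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(key); rng.GetBytes(iv); }

        // Legitimate cookie: both paths accept it.
        byte[] good = Encrypt(key, iv, Serialize(new CookiePayload { ClientId = "client-1", Expires = DateTime.UtcNow.AddHours(1) }));
        Console.WriteLine("unsafe path, good cookie:  " + DecryptAndDeserializeUnsafe(key, iv, good).GetType().Name);
        Console.WriteLine("checked path, good cookie: " + DecryptAndDeserializeChecked(key, iv, good).ClientId);

        // Wrong type under valid encryption: the unsafe path instantiates it anyway.
        byte[] bad = Encrypt(key, iv, Serialize(new NotACookie { Marker = "stand-in for a gadget chain" }));
        Console.WriteLine("unsafe path, bad cookie:   " + DecryptAndDeserializeUnsafe(key, iv, bad).GetType().Name);
        try { DecryptAndDeserializeChecked(key, iv, bad); }
        catch (SerializationException e) { Console.WriteLine("checked path, bad cookie:  " + e.Message); }
    }
}
```

The point of the demo is the third line of output: the unsafe path returns a `NotACookie` instance even though the caller expected a cookie, because `BinaryFormatter` trusts the type name embedded in the stream. An allow-list `SerializationBinder` closes that gap only for the root and nested class records it sees; it does not make `BinaryFormatter` safe in general, and Microsoft's own guidance is to replace it with a serializer that cannot carry type names from the wire.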
HawkTrace’s analysis traces the vulnerable execution path through multiple internal WSUS functions, beginning with a malicious SOAP request to the GetCookie() endpoint.
Batuhan Er published a detailed proof-of-concept (PoC) exploit on GitHub demonstrating unauthenticated RCE via a crafted AuthorizationCookie payload sent over the WSUS API. The exploit chain needs no credentials and yields command execution as SYSTEM on unpatched installations.