Exploitation Activity of CVE-2025-59287 - WSUS Deserialization

 1title: Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
 2id: e5f66e87-7d6b-404f-92fe-7aa67814b5cd
 3status: experimental
 4description: |
 5        Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
 6references:
 7    - https://unit42.paloaltonetworks.com/cve-2025-59287/
 8    - https://hawktrace.com/blog/CVE-2025-59287-UNAUTH
 9    - https://github.com/0xBruno/WSUSploit.NET/tree/e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639
10    - https://www.huntress.com/blog/exploitation-of-windows-server-update-services-remote-code-execution-vulnerability
11author: Swachchhanda Shrawan Poudel (Nextron Systems)
12date: 2025-10-31
13tags:
14    - attack.execution
15    - attack.initial-access
16    - attack.t1190
17    - attack.t1203
18    - cve.2025-59287
19    - detection.emerging-threats
20logsource:
21    product: windows
22    service: application
23detection:
24    selection:
25        Provider_Name: 'Windows Server Update Services'
26        EventID: 7053
27        Data|contains|all:
28           # Indicators of untrusted deserialization exploitation attempts
29           # https://github.com/pwntester/ysoserial.net/issues/114
30            - 'System.InvalidCastException'
31            - 'System.Windows.Data.ObjectDataProvider'
32            - 'Unable to cast object of type'
33            - 'System.Windows.Media.Brush'
34    condition: selection
35falsepositives:
36    - Legitimate WSUS operations that may trigger similar error messages
37level: high

References

• https://unit42.paloaltonetworks.com/cve-2025-59287/

  
  Read More

• CVE-2025-59287 WSUS Unauthenticated RCE

  

  A technical WSUS advisory for CVE-2025-59287: unsafe deserialization in Windows Server Update Services that allows remote code execution.

  
  Read More

• GitHub - 0xBruno/WSUSploit.NET at e239bce9d6b5f46a346e1e4c4d5e0a2a20d5c639

  

  PoC for CVE-2025-59287. Contribute to 0xBruno/WSUSploit.NET development by creating an account on GitHub.

  
  Read More

• Exploitation of Windows Server Update Services Remote Code Execution Vulnerability (CVE-2025-59287) | Huntress

  

  Huntress has observed threat actors exploiting a Microsoft Windows Server Update Services (WSUS) vulnerability (CVE-2025-59287).

  
  Read More

Related rules

• Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process
• Potential Exploitation of CVE-2025-4427/4428 Ivanti EPMM Pre-Auth RCE
• CVE-2021-31979 CVE-2021-33771 Exploits
• CVE-2021-31979 CVE-2021-33771 Exploits by Sourgum
• CVE-2024-50623 Exploitation Attempt - Cleo