[2026.03 Vulnerability Report] Microsoft WSUS Remote Code Execution | SECaaS Platform AIONCLOUD


[2026.03 Vulnerability Report] Microsoft WSUS Remote Code Execution

This vulnerability is an insecure deserialization vulnerability in Microsoft's Windows Server Update Services (WSUS). It allows an attacker to execute malicious commands by sending a SOAP request containing a serialized and encrypted malicious payload to /ClientWebService/Client.asmx.

A security patch for this vulnerability was released in October 2025, and AIWAF products are scheduled to address this vulnerability through the "2319 / Windows Server Update Service Insecure Deserialization" pattern, which will be added in the March 2026 pattern update.

1. Overview

Microsoft Windows Server Update Services (WSUS) is a service used primarily in enterprise environments to manage, run, and monitor Windows and Microsoft product update operations across a WSUS-managed network.

This report summarizes the analysis of the CVE-2025-59287 vulnerability that occurs in this service.



Source: https://cybersecuritynews.com/wsus-rce-vulnerability-exploited/

2. Attack Type

CVE-2025-59287 is an insecure deserialization vulnerability in WSUS; it has been confirmed that sending a serialized malicious payload to the server results in that payload being executed.

When an attacker sends a SOAP request containing a serialized and encrypted malicious payload to the vulnerable endpoint /ClientWebService/Client.asmx, WSUS decrypts and deserializes the data before performing sufficient type validation. Because this deserialization runs with SYSTEM privileges, the result is an RCE attack.

The attacker injects the serialized malicious code into the CookieData tag within the SOAP request, and in this case the SOAPAction header of the request must contain the path value .../GetCookie.

Example attack request:
POST /ClientWebService/Client.asmx HTTP/1.1
Host: www.test.com
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie"
Content-Type: text/xml
Content-Length: 413

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <GetCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
      <authCookies>
        <AuthorizationCookie>
          <PlugInId>SimpleTargeting</PlugInId>
          <CookieData><Malware code></CookieData>
        </AuthorizationCookie>
      </authCookies>
      <oldCookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
      <protocolVersion>1.20</protocolVersion>
    </GetCookie>
  </soap:Body>
</soap:Envelope>
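The request shape above is what a detection rule has to key on. The following Python prototype is an added example, not AIONCLOUD's AIWAF pattern 2319 (whose logic is not published here): it parses a raw HTTP request, scopes it to a POST to /ClientWebService/Client.asmx whose SOAPAction ends in /GetCookie, and flags CookieData that is malformed XML, oversized (an assumed 2048-character threshold), or not base64. The sample request builder and the host name are constructed for this example.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

WSUS_PATH = "/ClientWebService/Client.asmx"
WSUS_NS = "http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"
MAX_COOKIE_DATA_LEN = 2048  # assumed threshold; baseline it against real client traffic

def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip() for k, _, v in
               (line.partition(":") for line in header_lines)}
    return method, path, headers, body

def inspect_wsus_request(raw):
    """Return {'matches_endpoint', 'suspicious', 'reasons'} for one raw request."""
    method, path, headers, body = parse_http_request(raw)
    verdict = {"matches_endpoint": False, "suspicious": False, "reasons": []}
    action = headers.get("soapaction", "").strip('"')
    if method != "POST" or path != WSUS_PATH or not action.endswith("/GetCookie"):
        return verdict  # not the GetCookie operation on Client.asmx: out of scope
    verdict["matches_endpoint"] = True
    try:
        root = ET.fromstring(body)
    except ET.ParseError:  # e.g. the report's <Malware code> placeholder is not XML
        verdict["reasons"].append("malformed SOAP body")
    else:
        for node in root.iter(f"{{{WSUS_NS}}}CookieData"):
            data = (node.text or "").strip()
            if len(data) > MAX_COOKIE_DATA_LEN:
                verdict["reasons"].append("oversized CookieData")
            try:
                base64.b64decode(data, validate=True)  # legitimate cookies are base64
            except (binascii.Error, ValueError):
                verdict["reasons"].append("CookieData is not valid base64")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict

def build_sample(cookie_data):
    """Constructed request mirroring the report's GetCookie example (test input)."""
    body = (f'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            f'<soap:Body><GetCookie xmlns="{WSUS_NS}"><authCookies><AuthorizationCookie>'
            f'<PlugInId>SimpleTargeting</PlugInId><CookieData>{cookie_data}</CookieData>'
            f'</AuthorizationCookie></authCookies><protocolVersion>1.20</protocolVersion>'
            f'</GetCookie></soap:Body></soap:Envelope>')
    return (f"POST {WSUS_PATH} HTTP/1.1\r\nHost: wsus.example.invalid\r\nSOAPAction: "
            f'"{WSUS_NS}/GetCookie"\r\nContent-Type: text/xml\r\n\r\n{body}')
```

Legitimate clients also call GetCookie, so the endpoint match alone is not an alert; only the CookieData checks, or a source that is not a managed client, should raise one.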


3. Mitigation

Microsoft released an emergency security patch on October 23, 2025, to address this vulnerability, which was also included in the October regular security update. Customers using this service can mitigate the vulnerability by applying this security patch.

Our AIWAF will respond to this vulnerability with the “2319 / Windows Server Update Service Insecure Deserialization” pattern to be added in the March 2026 pattern update.



Source: https://support.microsoft.com/en-us/topic/october-23-2025-kb5070883-os-build-17763-7922-out-of-band-860bc03c-52fb-407c-89b2-14ecf4893c5c

4. Conclusion

Windows Server Update Services (WSUS) is a service that manages, runs, and monitors OS updates for Windows-based endpoints and services within an enterprise environment. PoC and exploit information for the CVE-2025-59287 vulnerability in this service is being actively shared, and the attack method is relatively simple, indicating a high risk of exploitation. Customers using this service should therefore apply the relevant security patches as quickly as possible.

Our TA team is monitoring vulnerabilities occurring in Windows-based services and will continue to respond promptly to any newly discovered vulnerabilities in the future.

5. References
