Follow 
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Threat actors are abusing a newly disclosed remote code execution flaw in Microsoft Windows Server Update Services. The vulnerability (CVE-2025-59287) allows unauthenticated attackers to send crafted requests to WSUS endpoints on ports 8530 and 8531 and achieve code execution. Exploited hosts run PowerShell payloads that enumerate system information and exfiltrate data to external webhooks. The activity was observed across multiple customer environments by Huntress.
Vulnerability Details
Huntress detected malicious POST requests to WSUS web services that triggered deserialization in the AuthorizationCookie. Process chains showed wsusservice.exe or w3wp.exe spawning cmd.exe and powershell.exe to run a Base64‑encoded PowerShell command. The payload gathered user and network data and sent it to a remote webhook via Invoke‑WebRequest or curl. Proxy networks were used to hide the attackers’ origin.
The bug has been observed exploited in the wild and a public PoC exists; Microsoft issued an out-of-band fix on October 23, 2025, and interim mitigations include disabling the WSUS Server role or blocking inbound access to WSUS management ports until patched.
Mitigation
Microsoft released an out‑of‑band patch for CVE-2025-59287; organizations should apply the update immediately. Limit exposure by restricting inbound traffic to WSUS ports 8530/TCP and 8531/TCP to trusted management hosts only. Isolate WSUS servers from the internet and monitor for unauthorized POST requests to WSUS web service endpoints.
Attack Flow
Detection Rules
Detect Inbound Traffic to WSUS Ports 8530 and 8531 [Firewall]
View
Suspicious WSUS Service Server Behaviour (via cmdline)
View
Suspicious Microsoft IIS Server Behaviour (via cmdline)
View
Download or Upload via Powershell (via cmdline)
View
Possible System Network Configuration Discovery (via cmdline)
View
CVE-2025-59287 Simulation
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
Step 1 – Prepare a decoy WSUS binary:
Copy a legitimate system binary (e.g., C:\Windows\System32\wsusservice.exe does not normally exist, so we clone cmd.exe and rename it to mimic the vulnerable service.
Step 2 – Exploit CVE‑2025‑59287:
The vulnerability allows an attacker to supply a command line to the WSUS service which is executed with SYSTEM privileges.
The attacker crafts a payload that causes the fake wsusservice.exe to launch cmd.exe and a child PowerShell process.
Step 3 – Generate the expected process chain:
wsusservice.exe (parent) → cmd.exe (child) → cmd.exe (grand‑child) and powershell.exe (grand‑child).
This exact chain satisfies the Sigma rule’s selection_wsusservice condition.
Regression Test Script: