
Hunting for CVE-2025-59287: Detecting Vulnerable WSUS Servers

  • Writer: Damien van der Linden
  • Oct 27
  • 4 min read

Summary


Microsoft has released an urgent out-of-band security update to address CVE-2025-59287 (after a previous update in Patch Tuesday that didn't quite hit the nail on the head), a critical remote code execution vulnerability in Windows Server Update Services (WSUS) that is being actively exploited in the wild. This vulnerability allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges by exploiting unsafe deserialization in WSUS's cookie handling. In this post, we'll dissect a KQL query designed to identify WSUS servers in your environment and check if they're internet-facing, which is crucial for prioritizing remediation efforts.


Understanding CVE-2025-59287


The Vulnerability


CVE-2025-59287 is a critical deserialization vulnerability in WSUS with a CVSS score of 9.8. The vulnerability stems from improper handling of the AuthorizationCookie, allowing remote attackers to:


  • Execute arbitrary code without authentication

  • Gain SYSTEM-level privileges on the affected server

  • Potentially compromise the entire Windows update infrastructure

  • Distribute malicious updates to client devices


Timeline of Events

  • October 14, 2025: Initial patch released during Patch Tuesday

  • October 23, 2025: Microsoft releases out-of-band update after realizing the initial patch was incomplete

  • October 23-24, 2025: Active exploitation observed in the wild

  • October 24, 2025: CISA adds CVE-2025-59287 to Known Exploited Vulnerabilities catalog

Exploitation in the Wild

Security researchers have observed threat actors:

  • Scanning for exposed WSUS ports (8530/TCP and 8531/TCP)

  • Sending specially crafted POST requests to trigger the deserialization vulnerability

  • Executing PowerShell payloads that enumerate systems and exfiltrate data

  • Using base64-encoded .NET gadget chains for more sophisticated attacks


KQL Query Analysis: Identifying Vulnerable WSUS Servers

Let's break down the KQL query designed to hunt for WSUS servers and assess their exposure:

DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "wsusservice" or FileName =~ "WsusService.exe"
| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    ProcessCount = count()
    by DeviceName, FileName
| join kind=inner (
    DeviceNetworkEvents
    | where LocalPort in (8530, 8531)
    | summarize WSUSPorts = make_set(LocalPort) by DeviceName
) on DeviceName
| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceName
    | project DeviceName, IsInternetFacing, OSPlatform, OSVersion
) on DeviceName
| project DeviceName, FileName, FirstSeen, LastSeen, ProcessCount, WSUSPorts, IsInternetFacing, OSPlatform, OSVersion

Query Component Breakdown


1. Process Detection (Lines 1-7)

DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has "wsusservice" or FileName =~ "WsusService.exe"

This section searches for WSUS service processes over the last 30 days. It looks for:

  • Command lines containing "wsusservice"

  • Process names matching "WsusService.exe" (case-insensitive)


This process is known to only run on a server that has the WSUS role enabled.


The summarization provides:

  • FirstSeen: When WSUS was first observed running

  • LastSeen: Most recent WSUS activity

  • ProcessCount: Number of times the process was seen

| summarize
    FirstSeen = min(Timestamp),
    LastSeen = max(Timestamp),
    ProcessCount = count()
    by DeviceName, FileName

2. Network Port Detection (Lines 8-12)


| join kind=inner (
    DeviceNetworkEvents
    | where LocalPort in (8530, 8531)
    | summarize WSUSPorts = make_set(LocalPort) by DeviceName
) on DeviceName

This join identifies devices listening on WSUS default ports:

  • Port 8530: HTTP WSUS traffic

  • Port 8531: HTTPS WSUS traffic

The make_set() function creates an array of unique ports, showing which WSUS ports are active.

3. Device Information Enrichment (Lines 13-18)


| join kind=inner (
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceName
    | project DeviceName, IsInternetFacing, OSPlatform, OSVersion
) on DeviceName

This final join adds critical context:

  • IsInternetFacing: Identifies if the server is exposed to the internet (critical for prioritization!)

  • OSPlatform & OSVersion: Helps determine patch applicability

The arg_max() function ensures we get the most recent device information.

Query Output Interpretation

The query provides an overview of WSUS servers with these key fields:

Field              | Purpose                | Risk Indicator
DeviceName         | Server identification  | -
FileName           | Confirms WSUS process  | Presence confirms WSUS role
FirstSeen/LastSeen | Activity timeline      | Recent activity = active server
ProcessCount       | Service stability      | Low count may indicate recent installation
WSUSPorts          | Active WSUS ports      | Both ports = full WSUS functionality
IsInternetFacing   | Internet exposure      | TRUE = CRITICAL RISK
OSVersion          | Patch applicability    | Multiple Windows Server versions


Mitigation Recommendations


Immediate Actions


  1. Apply the October 23, 2025 Out-of-Band Update

    • This is a cumulative update that supersedes the incomplete October 14 patch

    • Requires system reboot after installation


Indicators of Compromise (IoCs)

Watch for these signs of exploitation:

  • Child processes spawned from wsusservice.exe or w3wp.exe

  • PowerShell execution with base64-encoded payloads

  • Execution of reconnaissance commands such as whoami; net user /domain and net user /domain; ipconfig /all

  • Outbound connections to webhook.site or similar data exfiltration endpoints

  • Errors in SoftwareDistribution.log related to deserialization

Hunting for Exploitation

To hunt for exploitation, we can look for WsusService.exe spawning processes such as cmd.exe. This should never happen in normal operation, which makes detection quite easy. Below is an example query to hunt for active exploitation of this CVE.

DeviceProcessEvents
| where Timestamp > ago(30d)
| where 
    // Any child process from wsusservice.exe (should never happen)
    InitiatingProcessFileName =~ "wsusservice.exe"
    or
    // cmd.exe spawned from IIS WsusPool
    (InitiatingProcessFileName =~ "w3wp.exe" 
     and InitiatingProcessCommandLine has_any ("wsuspool", "WsusPool")
     and FileName =~ "cmd.exe")
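The same two conditions from the query above, applied to a few constructed process records, with a decoder for the base64-encoded PowerShell payloads listed under the IoCs so the decoded command can be matched against the recon commands. This is an added Python example, not code from the original post; the ProcessEvent fields are assumptions modelled on the DeviceProcessEvents columns used in the query, and the sample records are constructed.

```python
import base64
import re
from dataclasses import dataclass

# Subset of DeviceProcessEvents columns the hunting query relies on (assumed names).
@dataclass
class ProcessEvent:
    device: str
    initiating_file: str      # InitiatingProcessFileName
    initiating_cmdline: str   # InitiatingProcessCommandLine
    file_name: str            # FileName
    cmdline: str              # ProcessCommandLine

# PowerShell's -EncodedCommand (and its short forms) carries UTF-16LE text as base64.
ENC_FLAG = re.compile(r"(?i)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
RECON = re.compile(r"whoami|net user /domain|ipconfig /all", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    """Return the reasons an event matches the exploitation indicators above."""
    reasons = []
    parent = ev.initiating_file.lower()
    if parent == "wsusservice.exe":
        reasons.append("child process of WsusService.exe (should never happen)")
    if (parent == "w3wp.exe" and "wsuspool" in ev.initiating_cmdline.lower()
            and ev.file_name.lower() == "cmd.exe"):
        reasons.append("cmd.exe spawned from IIS WsusPool")
    if reasons:  # only decode payloads of suspicious parents, then look for recon
        payload = decode_encoded_command(ev.cmdline) or ev.cmdline
        if RECON.search(payload):
            reasons.append("recon commands in payload: " + payload.strip())
    return reasons

# Constructed sample records, not real telemetry; the encoded payload is built here.
SAMPLE_B64 = base64.b64encode("whoami;net user /domain".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent("WSUS01", "WsusService.exe", "WsusService.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc " + SAMPLE_B64),
    ProcessEvent("WSUS02", "w3wp.exe", 'w3wp.exe -ap "WsusPool"', "cmd.exe",
                 "cmd.exe /c ipconfig /all"),
]
```

Run classify() over each record of a DeviceProcessEvents export; an empty list means the record matches neither condition.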

Conclusion


CVE-2025-59287 represents a critical risk to organizations using WSUS, especially given the active exploitation and the service's privileged nature. The KQL query provided offers a comprehensive approach to identifying vulnerable servers and prioritizing remediation based on exposure risk.


Remember that WSUS typically runs with SYSTEM privileges and has trusted relationships with all managed clients, making it an extremely valuable target for attackers. The combination of unauthenticated remote code execution and active exploitation makes this a "patch now or cry later" scenario.


Organizations should treat this vulnerability with the urgency it deserves, applying the out-of-band update immediately or implementing the recommended mitigations until patching is possible. The operational disruption of emergency patching is far preferable to the potential compromise of your entire Windows update infrastructure.


Keywords: CVE-2025-59287, WSUS, KQL, Threat Hunting, Microsoft Defender, Remote Code Execution, Deserialization Vulnerability, Windows Server Update Services
