"The vulnerability in question is CVE-2025-59287 (CVSS score: 9.8), a remote code execution flaw in WSUS that was originally fixed by the tech giant as part of its Patch Tuesday update published last week. Three security researchers, MEOW, f7d8c52bec79e42795cf15888b85cbad, and Markus Wulftange with CODE WHITE GmbH, have been acknowledged for discovering and reporting the bug. The shortcoming concerns a case of deserialization of untrusted data in WSUS that allows an unauthorized attacker to execute code over a network."
"According to HawkTrace security researcher Batuhan Er, the issue "arises from the unsafe deserialization of AuthorizationCookie objects sent to the GetCookie() endpoint, where encrypted cookie data is decrypted using AES-128-CBC and subsequently deserialized through BinaryFormatter without proper type validation, enabling remote code execution with SYSTEM privileges." It's worth noting that Microsoft itself previously recommended developers to stop using BinaryFormatter for deserialization, owing to the fact that the method is not safe when used with untrusted input."
An RCE vulnerability, CVE-2025-59287 (CVSS 9.8), affects Windows Server Update Service (WSUS) and has an available proof-of-concept exploit and active in-the-wild exploitation. The flaw stems from unsafe deserialization of untrusted data allowing remote, unauthenticated attackers to trigger object deserialization via a legacy serialization mechanism, resulting in SYSTEM-level code execution. The vulnerability specifically involves AuthorizationCookie objects decrypted with AES-128-CBC and deserialized via BinaryFormatter without type validation. Windows Server installations without the WSUS server role are not affected. Microsoft released out-of-band security updates for supported Windows Server versions, including Windows Server 2012 and Windows Server 2012 R2.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]