
CVE-2025-59287: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized...

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.92243%
Published: 10/14/2025
Updated: 10/25/2025
KEV Status: Yes
Technology: -

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Vulnerability Intelligence

Root Cause Analysis

The vulnerability is a classic case of deserialization of untrusted data in a .NET application. The analysis is based on a proof-of-concept (PoC) found in a GitHub gist, as no source code or patches for Windows Server Update Service (WSUS) were available.

The PoC is a C# program that performs the following steps:

  1. It takes a known .NET deserialization gadget chain (from ysoserial.net) that executes calc.exe.
  2. This gadget chain is serialized using System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.
  3. The serialized payload is then encrypted using AES/CBC with a hardcoded key (877C14E433638145AD21BD0C17393071) and a null initialization vector (IV).

From this, we can infer the server-side behavior with high confidence:

  1. The WSUS server exposes an endpoint that accepts encrypted data.
  2. The server uses the same hardcoded AES key to decrypt the incoming payload. The use of AesCryptoServiceProvider in the PoC strongly suggests its use on the server as well, specifically the CreateDecryptor method.
  3. After decryption, the server uses BinaryFormatter.Deserialize to reconstruct the .NET object from the decrypted byte stream.

The root cause of the vulnerability is the use of the insecure BinaryFormatter.Deserialize method on data controlled by an attacker. This method is known to be dangerous as it can be abused to execute arbitrary code when processing a malicious payload.

Therefore, the two key functions that would appear in a runtime profile during exploitation are AesCryptoServiceProvider.CreateDecryptor (for decrypting the payload) and BinaryFormatter.Deserialize (for the actual deserialization and code execution). Both are part of the standard .NET Base Class Library found in mscorlib.dll.

Vulnerable functions

System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize (mscorlib.dll)
This function is responsible for deserializing a byte stream into a .NET object. The vulnerability lies in the fact that the WSUS server uses this function to deserialize untrusted data received from the network. An attacker can craft a malicious serialized object (a 'gadget chain') that, when deserialized by this function, will execute arbitrary code on the server. The provided PoC demonstrates the creation of such a malicious payload.

System.Security.Cryptography.AesCryptoServiceProvider.CreateDecryptor (mscorlib.dll)
This function is used to create a decryptor object to perform AES decryption. While not the root cause of the vulnerability, this function is a critical part of the exploit chain. It is responsible for decrypting the attacker's payload, which is then passed to the vulnerable BinaryFormatter.Deserialize function. A runtime profile of the exploit would show this function being called immediately before the deserialization.
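The two functions above describe one server-side pattern: decrypt the request body with a fixed key, then hand the plaintext to BinaryFormatter. The following C# is an added example written for this page; it is not Miggo's, Microsoft's or WSUS code, and it reconstructs only the pattern the analysis infers. The class names (Wire, LegacyHandler, HardenedHandler, UpdateRequest) are invented, the AES key is an obvious placeholder rather than the key quoted above, and the build assumes a .NET 6 or 7 SDK where BinaryFormatter still compiles. LegacyHandler shows the vulnerable shape and is never invoked; HardenedHandler shows the fix a defender would ship, and LooksLikeBinaryFormatterStream shows a cheap header check that a request filter or WAF can apply to decrypted input.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

// Placeholder 16-byte key standing in for the hardcoded key the analysis describes;
// the real value is deliberately not reproduced here.
static class Wire
{
    static readonly byte[] PlaceholderKey = Encoding.ASCII.GetBytes("PLACEHOLDER-KEY!");

    // AES/CBC with an all-zero IV, the scheme the PoC implies the server expects.
    // CreateDecryptor is the call the analysis names as the first runtime-profile marker.
    public static byte[] Decrypt(byte[] ciphertext)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Key = PlaceholderKey;
        aes.IV = new byte[16];
        using var dec = aes.CreateDecryptor();
        return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
    }

    // Encryption exists only so the demo can build its own test messages.
    public static byte[] Encrypt(byte[] plaintext)
    {
        using var aes = Aes.Create();
        aes.Mode = CipherMode.CBC;
        aes.Key = PlaceholderKey;
        aes.IV = new byte[16];
        using var enc = aes.CreateEncryptor();
        return enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
    }

    // Every BinaryFormatter stream opens with a SerializationHeaderRecord: record type 0x00,
    // RootId and HeaderId (int32 each), then MajorVersion = 1 and MinorVersion = 0.
    // Spotting that header in decrypted input is a cheap detection point before any parser runs.
    public static bool LooksLikeBinaryFormatterStream(byte[] data)
    {
        if (data.Length < 17 || data[0] != 0x00) return false;
        int major = BitConverter.ToInt32(data, 9);
        int minor = BitConverter.ToInt32(data, 13);
        return major == 1 && minor == 0;
    }
}

// VULNERABLE: the server-side pattern the analysis infers. Whatever types the decrypted
// stream names, BinaryFormatter instantiates, so an attacker-chosen gadget chain runs here.
static class LegacyHandler
{
    public static object Handle(byte[] body)
    {
        byte[] plain = Wire.Decrypt(body);
#pragma warning disable SYSLIB0011 // BinaryFormatter is obsolete precisely because of this
        return new BinaryFormatter().Deserialize(new MemoryStream(plain));
#pragma warning restore SYSLIB0011
    }
}

// Closed-shape message type: no polymorphism and no type names travel on the wire.
public sealed class UpdateRequest
{
    public string ClientId { get; set; } = "";
    public int ProtocolVersion { get; set; }
}

// HARDENED: same key handling, but the plaintext is only ever mapped onto UpdateRequest.
// System.Text.Json never instantiates a type the payload asks for, so gadget chains have
// nothing to bind to, and a BinaryFormatter-shaped blob is refused before parsing starts.
static class HardenedHandler
{
    public static UpdateRequest Handle(byte[] body)
    {
        byte[] plain = Wire.Decrypt(body);
        if (Wire.LooksLikeBinaryFormatterStream(plain))
            throw new InvalidDataException("BinaryFormatter stream rejected");
        var req = JsonSerializer.Deserialize<UpdateRequest>(plain)
                  ?? throw new InvalidDataException("empty message");
        if (req.ProtocolVersion < 1 || req.ClientId.Length == 0)
            throw new InvalidDataException("malformed request");
        return req;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed benign message: the hardened path accepts it and returns the typed request.
        byte[] good = Wire.Encrypt(Encoding.UTF8.GetBytes("{\"ClientId\":\"host-01\",\"ProtocolVersion\":2}"));
        Console.WriteLine(HardenedHandler.Handle(good).ClientId);

        // Constructed blob carrying only the 17-byte BinaryFormatter header (no object records at all):
        // the hardened path refuses it before any deserializer touches it.
        byte[] header = { 0, 1, 0, 0, 0, 0xFF, 0xFF, 0xFF, 0xFF, 1, 0, 0, 0, 0, 0, 0, 0 };
        try { HardenedHandler.Handle(Wire.Encrypt(header)); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```

The header check is a detection aid, not the fix: the fix is that nothing reachable from the network ever calls BinaryFormatter.Deserialize. Microsoft's own guidance is that a SerializationBinder cannot make BinaryFormatter safe, which is why the hardened path swaps the serializer rather than filtering types, and why the legacy handler is kept only to show what a runtime profile of the vulnerable code path would look like.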

WAF Protection Rules

WAF Rule

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Reasoning

The vulnerability is a classic case of deserialization of untrusted data in a .NET application. The analysis is based on a proof-of-concept (PoC) found in a GitHub gist, as no source code or patches for Windows Server Update Service (WSUS) were available.