CVE-2025-59287: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized...
9.8
Miggo AI
Root Cause Analysis
The vulnerability is a classic case of deserialization of untrusted data in a .NET application. The analysis is based on a proof-of-concept (PoC) found in a GitHub gist, as no source code or patches for Windows Server Update Service (WSUS) were available.
The PoC is a C# program that performs the following steps:
- It takes a known .NET deserialization gadget chain (from ysoserial.net) that executes calc.exe.
- This gadget chain is serialized using System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.
- The serialized payload is then encrypted using AES/CBC with a hardcoded key (877C14E433638145AD21BD0C17393071) and a null initialization vector (IV).
From this, we can infer the server-side behavior with high confidence:
- The WSUS server exposes an endpoint that accepts encrypted data.
- The server uses the same hardcoded AES key to decrypt the incoming payload. The use of AesCryptoServiceProvider in the PoC strongly suggests its use on the server as well, specifically the CreateDecryptor method.
- After decryption, the server uses BinaryFormatter.Deserialize to reconstruct the .NET object from the decrypted byte stream.
The root cause of the vulnerability is the use of the insecure BinaryFormatter.Deserialize method on data controlled by an attacker. This method is known to be dangerous as it can be abused to execute arbitrary code when processing a malicious payload.
Therefore, the two key functions that would appear in a runtime profile during exploitation are AesCryptoServiceProvider.CreateDecryptor (for decrypting the payload) and BinaryFormatter.Deserialize (for the actual deserialization and code execution). Both are part of the standard .NET Base Class Library found in mscorlib.dll.
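Added here as an illustration, not code from the page, the PoC, or WSUS: the decrypt-then-deserialize pattern inferred above, next to a hardened handler that binds only an allow-listed type. The all-zero key, the UpdateRequest type and AllowListBinder are constructed assumptions; since Microsoft's guidance is that BinaryFormatter cannot be made safe, the binder is a stop-gap, not the fix.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security.Cryptography;

// Hypothetical request type the endpoint is actually meant to receive.
[Serializable]
public sealed class UpdateRequest { public string ClientId; }
public static class WsusStyleHandler
{
    // Constructed placeholder key; the page's real hardcoded key is not reproduced here.
    static readonly byte[] Key = new byte[16];
    // Mirrors the inferred server step: AES/CBC with a fixed key and an all-zero IV.
    static byte[] DecryptFixedKeyCbc(byte[] ciphertext)
    {
        using (var aes = new AesCryptoServiceProvider { Key = Key, IV = new byte[16], Mode = CipherMode.CBC })
        using (var dec = aes.CreateDecryptor())
            return dec.TransformFinalBlock(ciphertext, 0, ciphertext.Length);
    }
    // Inferred vulnerable pattern: decrypted bytes go straight to BinaryFormatter, so any
    // gadget chain in the payload is instantiated, and runs, inside Deserialize().
    public static object HandleVulnerable(byte[] ciphertext)
    {
        using (var ms = new MemoryStream(DecryptFixedKeyCbc(ciphertext)))
            return new BinaryFormatter().Deserialize(ms);
    }
    // Hardened stop-gap: an allow-list binder aborts before any unexpected type is
    // constructed. The durable fix is to drop BinaryFormatter for a format that cannot
    // name arbitrary types (for example a plain DTO serialized as JSON).
    public static UpdateRequest HandleHardened(byte[] ciphertext)
    {
        using (var ms = new MemoryStream(DecryptFixedKeyCbc(ciphertext)))
            return (UpdateRequest)new BinaryFormatter { Binder = new AllowListBinder() }.Deserialize(ms);
    }
}
sealed class AllowListBinder : SerializationBinder
{
    static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type> { { typeof(UpdateRequest).FullName, typeof(UpdateRequest) } };
    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (Allowed.TryGetValue(typeName, out t)) return t;
        // Rejected type names are a useful detection signal; log them before throwing.
        throw new SerializationException("Rejected deserialization of type " + typeName);
    }
}
```

A rejected-type exception raised from BindToType is the earliest point at which an unexpected payload can be logged, before any object in the graph is constructed.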
Vulnerable functions
- System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize (mscorlib.dll)
- System.Security.Cryptography.AesCryptoServiceProvider.CreateDecryptor (mscorlib.dll)