The vulnerability is a classic case of deserialization of untrusted data in a .NET application. The analysis is based on a proof-of-concept (PoC) found in a GitHub gist, as no source code or patches for Windows Server Update Service (WSUS) were available.
The PoC is a C# program that performs the following steps:
1. Builds a gadget-chain payload (generated with ysoserial.net) that executes calc.exe.
2. Serializes that payload with System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.
3. Encrypts the serialized bytes with AES, using a hard-coded key (877C14E433638145AD21BD0C17393071) and a null initialization vector (IV).
From this, we can infer the server-side behavior with high confidence:
1. The server decrypts the received payload with AES. The use of AesCryptoServiceProvider in the PoC strongly suggests its use on the server as well, specifically the CreateDecryptor method.
2. The server then calls BinaryFormatter.Deserialize to reconstruct the .NET object from the decrypted byte stream.
The root cause of the vulnerability is the use of the insecure BinaryFormatter.Deserialize method on data controlled by an attacker. This method is known to be dangerous because it can be abused to execute arbitrary code when processing a malicious payload.
Therefore, the two key functions that would appear in a runtime profile during exploitation are AesCryptoServiceProvider.CreateDecryptor (for decrypting the payload) and BinaryFormatter.Deserialize (for the actual deserialization and code execution). Both are part of the standard .NET Base Class Library found in mscorlib.dll.
Function: System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize (module: mscorlib.dll)
Function: System.Security.Cryptography.AesCryptoServiceProvider.CreateDecryptor (module: mscorlib.dll)