Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287)
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
Vulnerability Intelligence
KEV — Known ExploitedAffected Software
- Vendor
- Microsoft
- Product
- Windows
Weakness (CWE)
Timeline
- Disclosed
- October 24, 2025
CVSS
What is CVE-2025-59287 Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287)?
Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) (CVE-2025-59287) maps to the Initial Access and Execution and Lateral Movement tactics — the adversary is trying to get into your network in MITRE ATT&CK.
This page provides production-ready detection logic for Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287), covering the data sources and telemetry it touches: Microsoft Defender for Endpoint, Microsoft Sentinel, Windows Security Events, DeviceProcessEvents, DeviceNetworkEvents. The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.
MITRE ATT&CK
let wsus_processes = dynamic(["WsusPool", "UpdateServicesDbHandler", "wsusservice.exe", "W3wp.exe"]);
let suspicious_children = dynamic(["cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe", "net.exe", "net1.exe", "whoami.exe", "nltest.exe"]);
union
(
DeviceProcessEvents
| where TimeGenerated >= ago(7d)
| where InitiatingProcessFileName =~ "w3wp.exe"
| where InitiatingProcessCommandLine has_any ("WsusPool", "WSUSContent", "ApiRemoting30")
| where FileName in~ (suspicious_children)
| project TimeGenerated, DeviceName, AccountName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, FolderPath
| extend DetectionSource = "WSUS_W3WP_SuspiciousChild"
),
(
DeviceNetworkEvents
| where TimeGenerated >= ago(7d)
| where InitiatingProcessFileName =~ "wsusservice.exe" or InitiatingProcessFileName =~ "w3wp.exe"
| where RemotePort !in (80, 443, 8530, 8531)
| where RemoteIPType == "Public"
| project TimeGenerated, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| extend DetectionSource = "WSUS_UnexpectedOutboundNetwork"
),
(
SecurityEvent
| where TimeGenerated >= ago(7d)
| where EventID in (4688, 4648)
| where ParentProcessName has_any (wsus_processes)
| where NewProcessName has_any (suspicious_children)
| project TimeGenerated, Computer, SubjectUserName, ParentProcessName, NewProcessName, CommandLine
| extend DetectionSource = "WSUS_SuspiciousChildProcess"
)
| sort by TimeGenerated descDetects suspicious child processes spawned from WSUS IIS application pool (w3wp.exe with WsusPool identity) or wsusservice.exe, indicative of successful deserialization exploitation. Also monitors for unexpected outbound network connections from WSUS processes.
Data Sources
Required Tables
False Positives
- Legitimate WSUS administrative scripts or maintenance tasks spawning cmd.exe or powershell.exe
- Patch management tooling that invokes command-line utilities under the WSUS application pool identity
- Security scanning tools that enumerate WSUS configuration via command-line utilities
- Authorized penetration testing activities targeting WSUS infrastructure
Sigma rule & cross-platform mapping
The detection logic for Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) (CVE-2025-59287) above is provided in a vendor-neutral
form so you can deploy it on any SIEM. The same logic is shipped here as native
KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the
following logsource:
logsource:
category: process_creation
product: windowsBrowse the community-maintained Sigma rules for this technique:
Platform-specific guides for CVE-2025-59287
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WSUS Deserialization Child Process Execution
Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.
- Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request
Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.
- Test 3Post-Exploitation WSUS Lateral Movement Simulation
Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.
- Test 4Certutil Download Cradle from WSUS Context
Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.
Unlock Pro Content
Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.