Detect Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) in Splunk
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
SPL Detection Query
index=windows sourcetype IN ("WinEventLog:Security", "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational")
| eval parent_lower=lower(ParentImage), proc_lower=lower(Image), cmdline=coalesce(CommandLine, ProcessCommandLine)
| where (match(parent_lower, "w3wp\.exe") AND match(cmdline, "(?i)(WsusPool|WSUSContent|ApiRemoting30)"))
OR match(parent_lower, "wsusservice\.exe")
| where match(proc_lower, "(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe|regsvr32\.exe|certutil\.exe|bitsadmin\.exe|whoami\.exe|nltest\.exe|net\.exe|net1\.exe)")
| eval risk_score=case(
match(proc_lower, "(?i)(mshta|wscript|cscript)"), 95,
match(proc_lower, "(?i)(certutil|bitsadmin)"), 90,
match(proc_lower, "(?i)powershell"), 80,
true(), 70
)
| table _time, host, User, ParentImage, Image, cmdline, risk_score
| sort -risk_score, -_timeIdentifies suspicious processes spawned under the WSUS IIS worker process or WSUS service, which may indicate successful exploitation of the deserialization vulnerability.
Data Sources
Required Sourcetypes
False Positives & Tuning
- WSUS administrators running diagnostic scripts that invoke cmd.exe or powershell.exe
- Third-party patch management software executing under WSUS service context
- Automated maintenance tasks or health-check scripts associated with WSUS
- Security tools scanning WSUS configuration via command-line utilities
Other platforms for CVE-2025-59287
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WSUS Deserialization Child Process Execution
Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.
- Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request
Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.
- Test 3Post-Exploitation WSUS Lateral Movement Simulation
Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.
- Test 4Certutil Download Cradle from WSUS Context
Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.
Unlock Pro Content
Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.