Detect Microsoft WSUS Deserialization of Untrusted Data (CVE-2025-59287) in Sumo Logic CSE
Detects exploitation of CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Services (WSUS). Successful exploitation allows an attacker to execute arbitrary code in the context of the WSUS service by sending a crafted serialized object. This vulnerability is listed in CISA KEV, indicating active exploitation in the wild.
MITRE ATT&CK
Sumo Detection Query
_sourceCategory=Windows/Security OR _sourceCategory=Windows/Sysmon
| where (%"ParentImage" matches "*w3wp.exe*" and (%"CommandLine" matches "*WsusPool*" or %"CommandLine" matches "*WSUSContent*" or %"CommandLine" matches "*ApiRemoting30*"))
or %"ParentImage" matches "*wsusservice.exe*"
| where %"Image" matches "*cmd.exe*" or %"Image" matches "*powershell.exe*"
or %"Image" matches "*wscript.exe*" or %"Image" matches "*cscript.exe*"
or %"Image" matches "*mshta.exe*" or %"Image" matches "*certutil.exe*"
or %"Image" matches "*bitsadmin.exe*" or %"Image" matches "*whoami.exe*"
or %"Image" matches "*rundll32.exe*" or %"Image" matches "*regsvr32.exe*"
| count by _sourceHost, %"ParentImage", %"Image", %"CommandLine", %"User"
| sort by _count descSumo Logic query detecting suspicious process spawning from WSUS processes, a key indicator of deserialization exploit activity targeting CVE-2025-59287.
Data Sources
Required Tables
False Positives & Tuning
- WSUS administrative scripts that invoke command-line interpreters
- Automated patch orchestration tools running under WSUS service identity
- Security tools performing WSUS health checks via command-line utilities
- IT automation frameworks that legitimately spawn child processes from WSUS
Other platforms for CVE-2025-59287
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulate WSUS Deserialization Child Process Execution
Expected signal: Sysmon Event ID 1 or Windows Security Event ID 4688 showing whoami.exe process creation; EDR process tree view should show PowerShell as parent.
- Test 2WSUS Endpoint Reconnaissance via Malformed HTTP Request
Expected signal: IIS log entry for POST /ApiRemoting30/WebService.asmx with unusually large request body (cs-bytes); network capture shows malformed SOAP payload; Windows Firewall logs if enabled.
- Test 3Post-Exploitation WSUS Lateral Movement Simulation
Expected signal: Sysmon Event ID 1 entries for nltest.exe, net.exe, whoami.exe with associated command-line arguments; Windows Security Event ID 4688 if command-line auditing is enabled; EDR behavioral alert for domain trust enumeration.
- Test 4Certutil Download Cradle from WSUS Context
Expected signal: Sysmon Event ID 1 for certutil.exe with -urlcache and -f arguments; Sysmon Event ID 11 for file creation at C:\Windows\Temp\wsus_test_artifact.txt; Windows Defender SmartScreen or AMSI telemetry if enabled; EDR network event for loopback HTTP connection from certutil.exe.
Unlock Pro Content
Get the full detection package for CVE-2025-59287 including response playbook, investigation guide, and atomic red team tests.