WSUS CVE-2025-59287: Unit 42 Technical Analysis and Hunting Queries
Palo Alto Networks Unit 42 details active exploitation of CVE-2025-59287, including process chains in which wsusservice.exe or w3wp.exe spawns cmd.exe and powershell.exe, and exfiltration to Webhook.site. The report provides XQL hunting queries and mitigation steps.
CORTEX Protocol Intelligence Assessment
Business Impact: Unauthenticated remote code execution on WSUS servers threatens enterprise-wide compromise.
Technical Context: Unsafe deserialization in AuthorizationCookie and ReportingWebService using BinaryFormatter/SoapFormatter.
Strategic Intelligence Guidance
- Deploy the out-of-band (OOB) patch; temporarily disable the WSUS role if patching must wait
- Block TCP 8530/8531 at the perimeter; restrict WSUS access to internal VLANs
- Run the Unit 42 XQL hunts for the WSUS-to-shell process chains and the egress IOCs
- Review web server logs for exploit patterns and for exfiltration to Webhook.site
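The two hunts above, as an added Python example that is not Unit 42's XQL and not part of the original page: it flags WsusService.exe or w3wp.exe spawning cmd.exe/powershell.exe, and connections from those processes to webhook.site, over constructed sample telemetry (the event shapes, paths and host name are assumptions).

```python
from dataclasses import dataclass

WSUS_PARENTS = {"wsusservice.exe", "w3wp.exe"}   # WSUS service and its IIS worker
SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}   # shells seen in the exploit chain
EXFIL_DOMAINS = {"webhook.site"}                 # egress IOC from the analysis

@dataclass(frozen=True)
class ProcEvent:
    host: str
    parent: str    # parent image path
    image: str     # child image path
    cmdline: str

@dataclass(frozen=True)
class NetEvent:
    host: str
    image: str     # process that opened the connection
    dest_host: str

def _base(path: str) -> str:
    """Lower-cased file name of an image path; accepts \\ or / separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_wsus_shell_spawns(events):
    """Process chains: WsusService.exe or w3wp.exe spawning cmd/powershell."""
    return [e for e in events
            if _base(e.parent) in WSUS_PARENTS and _base(e.image) in SHELL_CHILDREN]

def find_webhook_egress(events):
    """Connections from WSUS/IIS workers or their shells to the exfil service."""
    return [e for e in events
            if _base(e.image) in WSUS_PARENTS | SHELL_CHILDREN
            and any(e.dest_host.lower().endswith(d) for d in EXFIL_DOMAINS)]

# Constructed sample telemetry, not real logs; "wsus01" is a made-up host.
SAMPLE_PROCS = [
    ProcEvent("wsus01", r"C:\Program Files\Update Services\Service\WsusService.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("wsus01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -c hostname"),
    ProcEvent("wsus01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent("wsus01", r"C:\Windows\System32\inetsrv\w3wp.exe",   # benign ASP.NET compile
              r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", "csc.exe /t:library"),
]
SAMPLE_NET = [
    NetEvent("wsus01", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "webhook.site"),
    NetEvent("wsus01", r"C:\Windows\System32\inetsrv\w3wp.exe", "wsus.internal.example"),
]
```

Only the WSUS-rooted shell spawns and the webhook.site connection match; the explorer.exe-spawned shell and the w3wp.exe-to-csc.exe compile are left alone.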
Intelligence Source: Microsoft WSUS Remote Code Execution (CVE-2025-59287) Actively Exploited in the Wild | Oct 28, 2025