Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process

    Date: 11/03/2025

    Severity: Medium

    Summary

    Monitors for instances where a command-line interpreter such as cmd.exe, powershell.exe, pwsh.exe or powershell_ise.exe is spawned as a child process of the WSUS service (wsusservice.exe), or of the IIS worker process (w3wp.exe) running the WsusPool application pool. This behavior strongly indicates potential exploitation of a critical remote code execution vulnerability, such as CVE-2025-59287, where attackers may launch shells to perform reconnaissance or additional malicious actions.

    Indicators of Compromise (IOC) List

    Process names

    '\cmd.exe'

    '\powershell.exe'

    '\pwsh.exe'

    '\powershell_ise.exe'

    Parent process names

    '\wsusservice.exe'

    '\w3wp.exe'

    Parent command lines

    'WsusPool'

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" AND eventtype = "4688") AND ((parentprocessname like "\wsusservice.exe") OR (parentprocessname like "\w3wp.exe" AND parentcommandline like "WsusPool")) AND processname IN ("cmd.exe","powershell.exe","pwsh.exe","powershell_ise.exe")

    Detection Query 2:

    technologygroup = "EDR" AND ((parentprocessname like "\wsusservice.exe") OR (parentprocessname like "\w3wp.exe" AND parentcommandline like "WsusPool")) AND processname IN ("cmd.exe","powershell.exe","pwsh.exe","powershell_ise.exe")
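    The following is an added reference implementation of the detection logic described in the summary and the two queries above; it is example code written for this page, not Gurucul's or the SigmaHQ rule's code. It takes process-creation records with the same field names the queries use (processname, parentprocessname, parentcommandline), matches the child image name case-insensitively against the interpreter list, and treats the two parent conditions as alternatives: the WSUS service itself, or an IIS worker process whose command line names the WsusPool application pool. The sample events at the bottom are constructed for illustration, including an IIS worker for an unrelated pool and a non-interpreter child so the negative cases are visible.

```python
"""Added example: reference implementation of the WSUS suspicious-child-process
detection. Not Gurucul's or the Sigma rule's code; all sample events are constructed."""
import ntpath

# Child interpreters listed on the page, matched on the image file name only,
# so either a full path or a bare name in the record will match.
CHILD_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Parent conditions. A process has exactly one parent, so these two are
# alternatives (OR), never both true of the same event.
WSUS_SERVICE_IMAGE = "wsusservice.exe"
IIS_WORKER_IMAGE = "w3wp.exe"
WSUS_POOL_MARKER = "wsuspool"  # compared case-insensitively against the parent command line


def _image_name(path: str) -> str:
    """Lower-cased file name of a Windows image path (r'C:\\...\\cmd.exe' -> 'cmd.exe')."""
    return ntpath.basename(path or "").lower()


def is_wsus_parent(parentprocessname: str, parentcommandline: str) -> bool:
    """True when the parent is the WSUS service, or the IIS worker process
    (w3wp.exe) that hosts the WsusPool application pool."""
    parent = _image_name(parentprocessname)
    if parent == WSUS_SERVICE_IMAGE:
        return True
    if parent == IIS_WORKER_IMAGE and WSUS_POOL_MARKER in (parentcommandline or "").lower():
        return True
    return False


def is_suspicious_child(event: dict) -> bool:
    """Apply the detection to one process-creation event (Security 4688 or EDR record)."""
    child = _image_name(event.get("processname", ""))
    return child in CHILD_IMAGES and is_wsus_parent(
        event.get("parentprocessname", ""), event.get("parentcommandline", "")
    )


def find_alerts(events: list[dict]) -> list[dict]:
    """Return the events that match the detection, in input order."""
    return [e for e in events if is_suspicious_child(e)]


# Constructed sample events (hypothetical paths and command lines, not real telemetry).
SAMPLE_EVENTS = [
    {  # WSUS service spawning cmd.exe -> alert
        "eventtype": "4688",
        "processname": r"C:\Windows\System32\cmd.exe",
        "parentprocessname": r"C:\Program Files\Update Services\Service\WsusService.exe",
        "parentcommandline": r'"C:\Program Files\Update Services\Service\WsusService.exe"',
    },
    {  # IIS worker for the WsusPool app pool spawning PowerShell -> alert
        "eventtype": "4688",
        "processname": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "parentprocessname": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "parentcommandline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"',
    },
    {  # IIS worker for an unrelated app pool: same parent image, no WsusPool -> no alert
        "eventtype": "4688",
        "processname": r"C:\Windows\System32\cmd.exe",
        "parentprocessname": r"C:\Windows\System32\inetsrv\w3wp.exe",
        "parentcommandline": r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool" -v "v4.0"',
    },
    {  # WSUS service spawning a non-interpreter child -> no alert
        "eventtype": "4688",
        "processname": r"C:\Windows\System32\conhost.exe",
        "parentprocessname": r"C:\Program Files\Update Services\Service\WsusService.exe",
        "parentcommandline": "",
    },
    {  # Interactive shell started from the desktop -> no alert
        "eventtype": "4688",
        "processname": r"C:\Windows\System32\cmd.exe",
        "parentprocessname": r"C:\Windows\explorer.exe",
        "parentcommandline": r"C:\Windows\explorer.exe",
    },
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert["parentprocessname"], "->", alert["processname"])
```

    Running the block on the constructed events yields two alerts (the cmd.exe child of WsusService.exe and the powershell.exe child of the WsusPool worker); the w3wp.exe worker for DefaultAppPool is not flagged, which is why the parent command line check matters on hosts where IIS serves other application pools alongside WSUS.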

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2025/Exploits/CVE-2025-59287/proc_creation_win_exploit_cve_2025_59287.yml


    Tags

    Sigma, Vulnerability, CVE-2025, WSUS, Exploit
