Date: 10/28/2025
Severity: High
Summary
In October 2025, a critical remote code execution (RCE) vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287 (CVSS 9.8), was disclosed. The flaw allows unauthenticated remote attackers to execute code with SYSTEM-level privileges on affected servers. Microsoft first shipped a fix in the October Patch Tuesday release, but that update did not fully resolve the issue, and an emergency out-of-band patch followed on October 23, 2025. Within hours of that release, researchers observed active exploitation, and CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog the next day. Organizations are urged to apply the out-of-band patch immediately or, where that is not yet possible, to apply Microsoft's recommended temporary mitigations to reduce exposure.
Indicators of Compromise (IOC) List
Type | Value
URLs/Domains | webhook.site
URLs/Domains | ysoserial.net
URLs/Domains | http://schemas.xmlsoap.org/soap/encoding/
URLs/Domains | http://schemas.xmlsoap.org/soap/envelope/
URLs/Domains | http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a
URLs/Domains | https://host:8531/ClientWebService/client.asmx
IP Address | 207.180.254.242
Hash (MD5) | f7d8c52bec79e42795cf15888b85cbad
Hash (SHA-256) | ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d
Hostname | schemas.xmlsoap.org
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1: domainname like "ysoserial.net" or siteurl like "ysoserial.net" or url like "ysoserial.net" or domainname like "webhook.site" or siteurl like "webhook.site" or url like "webhook.site" or domainname like "http://schemas.xmlsoap.org/soap/encoding/" or siteurl like "http://schemas.xmlsoap.org/soap/encoding/" or url like "http://schemas.xmlsoap.org/soap/encoding/" or domainname like "http://schemas.xmlsoap.org/soap/envelope/" or siteurl like "http://schemas.xmlsoap.org/soap/envelope/" or url like "http://schemas.xmlsoap.org/soap/envelope/" or domainname like "http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a" or siteurl like "http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a" or url like "http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a" or domainname like "https://host:8531/ClientWebService/client.asmx" or siteurl like "https://host:8531/ClientWebService/client.asmx" or url like "https://host:8531/ClientWebService/client.asmx"
Detection Query 2: dstipaddress IN ("207.180.254.242") or srcipaddress IN ("207.180.254.242")
Detection Query 3: md5hash IN ("f7d8c52bec79e42795cf15888b85cbad")
Detection Query 4: sha256hash IN ("ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d")
Detection Query 5: hostname like "schemas.xmlsoap.org"
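The five queries above can be exercised offline before they are loaded into a SIEM. The following script is an added example, not Gurucul's code or part of the TDIR product: it re-implements the same matching logic in Python and runs it over a handful of constructed log lines. It assumes log events are space-separated key=value pairs whose keys carry the same field names the queries use (domainname, siteurl, url, srcipaddress, dstipaddress, md5hash, sha256hash, hostname), that the query operator `like` behaves as a case-insensitive substring match, and that `IN` is an exact match. The indicator values are the ones listed in the IOC table; every host, timestamp and internal address in the sample lines is made up.

```python
"""Offline re-implementation of the five TDIR detection queries (added example).

Assumptions (not from the advisory): events are 'key=value' pairs separated by
spaces, `like` is a case-insensitive substring test, `IN` is an exact match.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Indicators copied from the advisory's IOC list.
LIKE_INDICATORS = (
    "ysoserial.net",
    "webhook.site",
    "http://schemas.xmlsoap.org/soap/encoding/",
    "http://schemas.xmlsoap.org/soap/envelope/",
    "http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a",
    "https://host:8531/ClientWebService/client.asmx",
)
IOC_IPS = frozenset({"207.180.254.242"})
IOC_MD5 = frozenset({"f7d8c52bec79e42795cf15888b85cbad"})
IOC_SHA256 = frozenset({"ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d"})
HOSTNAME_INDICATOR = "schemas.xmlsoap.org"

# Analyst caveat (not from the advisory): the SOAP envelope/encoding namespace
# URIs appear in every well-formed SOAP request, so hits on them alone are
# low-fidelity and need corroboration from another indicator.
LOW_FIDELITY = {
    "http://schemas.xmlsoap.org/soap/encoding/",
    "http://schemas.xmlsoap.org/soap/envelope/",
    "schemas.xmlsoap.org",
}

Match = Tuple[str, str, str]  # (query name, field that fired, indicator)


def parse_event(line: str) -> Dict[str, str]:
    """Parse 'key=value key=value ...' into a dict with lower-cased keys."""
    return {k.lower(): v for k, v in re.findall(r"(\w+)=(\S+)", line)}


def _like(value: str, needle: str) -> bool:
    """Assumed semantics of the query language's `like`: case-insensitive substring."""
    return needle.lower() in value.lower()


def evaluate(event: Dict[str, str]) -> List[Match]:
    """Return every (query, field, indicator) triple that fires for one event."""
    hits: List[Match] = []
    # Detection Query 1: domainname / siteurl / url like <indicator>
    for field in ("domainname", "siteurl", "url"):
        val = event.get(field)
        if val is None:
            continue
        for ind in LIKE_INDICATORS:
            if _like(val, ind):
                hits.append(("query1", field, ind))
    # Detection Query 2: dstipaddress / srcipaddress IN (...)
    for field in ("dstipaddress", "srcipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append(("query2", field, event[field]))
    # Detection Queries 3 and 4: file hashes, compared case-insensitively
    md5 = event.get("md5hash", "").lower()
    if md5 in IOC_MD5:
        hits.append(("query3", "md5hash", md5))
    sha = event.get("sha256hash", "").lower()
    if sha in IOC_SHA256:
        hits.append(("query4", "sha256hash", sha))
    # Detection Query 5: hostname like "schemas.xmlsoap.org"
    host = event.get("hostname")
    if host is not None and _like(host, HOSTNAME_INDICATOR):
        hits.append(("query5", "hostname", HOSTNAME_INDICATOR))
    return hits


def triage(hits: List[Match]) -> str:
    """'high' if any specific indicator fired, 'low' if only namespace hits, else 'none'."""
    if not hits:
        return "none"
    if all(ind in LOW_FIDELITY for _, _, ind in hits):
        return "low"
    return "high"


def scan(lines: Iterable[str]) -> List[Tuple[int, str, List[Match]]]:
    """Run all five queries over raw log lines; return (line_no, verdict, hits) per firing line."""
    results = []
    for n, line in enumerate(lines, 1):
        hits = evaluate(parse_event(line))
        if hits:
            results.append((n, triage(hits), hits))
    return results


# Constructed sample telemetry: hosts, timestamps and internal addresses are invented.
SAMPLE_LOGS = [
    "ts=2025-10-24T03:12:07Z srcipaddress=10.0.0.25 dstipaddress=207.180.254.242 url=https://host:8531/ClientWebService/client.asmx",
    "ts=2025-10-24T03:12:09Z hostname=wsus01.corp.example srcipaddress=10.0.0.25 dstipaddress=10.0.0.30 url=http://wsus01.corp.example:8530/ClientWebService/client.asmx",
    "ts=2025-10-24T03:13:41Z hostname=wsus01.corp.example process=w3wp.exe md5hash=F7D8C52BEC79E42795CF15888B85CBAD",
    "ts=2025-10-24T03:14:02Z domainname=webhook.site url=http://webhook.site/22b6b8c8-2e07-4878-a681-b772e569aa6a",
    "ts=2025-10-24T03:15:00Z hostname=schemas.xmlsoap.org url=http://schemas.xmlsoap.org/soap/envelope/",
    "ts=2025-10-24T03:16:30Z srcipaddress=192.168.1.5 dstipaddress=192.168.1.9 url=https://updates.example.internal/",
]

if __name__ == "__main__":
    for n, verdict, hits in scan(SAMPLE_LOGS):
        print(f"line {n}: {verdict}")
        for q, field, ind in hits:
            print(f"    {q} {field} ~ {ind}")
```

Two points worth noting when running this against real telemetry. First, sample line 2 shows a client talking to an internal WSUS server and does not fire, because the advisory's `https://host:8531/ClientWebService/client.asmx` indicator is matched literally; if `host` in that IOC stands in for the server's real name, the indicator has to be adjusted to the deployment before it is useful. Second, line 5 fires only on the SOAP namespace URIs and the `schemas.xmlsoap.org` hostname, which every legitimate SOAP exchange also carries, so the script marks that verdict `low` and the other hits `high`; the IP, hash and webhook.site indicators are the ones that warrant an immediate response on their own.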
References:
https://unit42.paloaltonetworks.com/microsoft-cve-2025-59287/
https://research.eye.security/wsus-deserialization-exploit-in-the-wild-cve-2025-59287/
https://thehackernews.com/2025/10/microsoft-issues-emergency-patch-for.html
https://otx.alienvault.com/pulse/68fed1695bc65f033e2caf53
https://otx.alienvault.com/pulse/68fdeb6429e4b01632426b64