CVE-2025-59287 is a critical (CVSS 9.8) remote code execution vulnerability affecting ALL Microsoft Windows Server Update Services (WSUS), and it has been exploited in the wild. The vulnerability is an insecure deserialization in the GetCookie() endpoint, allowing unauthenticated attackers to execute arbitrary code with FULL SYSTEM privileges.
This rev shell PoC is pretty easy to use! It accepts target URL, attacker IP, and port parameters, then constructs, encrypts, and sends a malicious payload. To intercept the reverse shell, use a listener like netcat, for example `nc -lvnp 4444`.
- Compile, you can use https://github.com/mono/mono
- Start listener; example via netcat: `nc -lvnp 4444`
- Run executable
- Follow prompts to input: Target, LIP, LPORT
- Profit.
- Payload Gen.: A PowerShell rev shell cmd is generated.
- Serialization: The payload is serialized via ysoserial.net using the `TypeConfuseDelegate` gadget.
- Encryption: The serialized payload is encrypted using AES-128-CBC with a fixed key and a randomly generated salt.
- Encoding: The encrypted bytes are base64-encoded.
- SOAP Request Construction: The encoded payload is embedded in a SOAP envelope within the `AuthorizationCookie` field.
- Transmission: The SOAP request is sent to the target's WSUS GetCookie endpoint.
- Outcome (hopefully): If everything went well, the server decrypts and deserializes the payload, resulting in remote code execution and thus providing a SYSTEM rev shell to us!
Always MAKE SURE YOU HAVE WRITTEN authorization before testing exploits like this. Use responsibly and legally!
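
Seen from the defender's side, the outcome step above leaves a WSUS worker process spawning a shell shortly after a POST to the WSUS client web service. The following detection sketch is an added example, not part of this PoC or of any Microsoft tooling; the parent process names, the endpoint path and all log data are assumptions or constructed samples.

```python
from datetime import datetime
from ntpath import basename  # handles Windows paths on any OS

# Assumptions, not from the original README: WSUS code runs in w3wp.exe or
# WsusService.exe, and clients POST to /ClientWebService/Client.asmx.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENDPOINT = "/clientwebservice/client.asmx"

# Constructed sample data: an IIS W3C log and (time, parent, image) process events.
IIS_LOG = """\
#Fields: date time cs-method cs-uri-stem s-port c-ip sc-status
2025-10-24 10:00:01 POST /ClientWebService/Client.asmx 8530 10.0.0.21 200
2025-10-24 10:14:58 POST /ClientWebService/Client.asmx 8530 203.0.113.7 500
2025-10-24 10:15:30 GET /selfupdate/iuident.cab 8530 10.0.0.22 200
"""
PROC_EVENTS = [
    ("2025-10-24 10:15:00", r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\cmd.exe"),
    ("2025-10-24 10:20:00", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe"),
]

def parse_iis(text):
    """Yield one dict per request, keyed by the log's own #Fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split()))

def suspect_spawns(events):
    """Shell processes whose parent is a WSUS/IIS worker process."""
    return [e for e in events
            if basename(e[1]).lower() in WSUS_PARENTS and basename(e[2]).lower() in SHELLS]

def correlate(iis_text, events, window_s=60):
    """Pair each suspect spawn with client IPs that POSTed to ENDPOINT just before it."""
    posts = [(datetime.fromisoformat(r["date"] + " " + r["time"]), r["c-ip"])
             for r in parse_iis(iis_text)
             if r["cs-method"] == "POST" and r["cs-uri-stem"].lower() == ENDPOINT]
    hits = []
    for when, parent, image in suspect_spawns(events):
        t = datetime.fromisoformat(when)
        ips = sorted({ip for pt, ip in posts if 0 <= (t - pt).total_seconds() <= window_s})
        hits.append((when, basename(image), ips))
    return hits

if __name__ == "__main__":
    print(correlate(IIS_LOG, PROC_EVENTS))
```

The process-lineage match is the high-signal part; the HTTP correlation only supplies candidate source addresses, since routine WSUS clients POST to the same endpoint.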