A proof-of-concept (PoC) exploit has been released for a critical vulnerability in Microsoft’s Windows Server Update Services (WSUS), enabling unauthenticated attackers to execute remote code with SYSTEM privileges on affected servers.

Dubbed CVE-2025-59287 and assigned a CVSS v3.1 score of 9.8, the flaw stems from unsafe deserialization of untrusted data in WSUS’s AuthorizationCookie handling.

Disclosed as part of Microsoft’s October 2025 Patch Tuesday, this vulnerability poses severe risks to enterprise update infrastructures, potentially allowing widespread compromise.​

WSUS is a server role in Windows Server that helps IT administrators deploy Microsoft updates across networks, ensuring systems remain patched and secure.

Despite being deprecated for new features, WSUS remains widely used in production environments and receives ongoing security support.

The vulnerability affects all supported Windows Server versions from 2012 to 2025, where the GetCookie() endpoint processes encrypted AuthorizationCookie objects without adequate validation.​

At its core, CVE-2025-59287 exploits a deserialization issue in the EncryptionHelper.DecryptData() method. Incoming cookie data, encrypted with AES-128-CBC, is decrypted and then passed directly to .NET’s BinaryFormatter for deserialization.

This legacy serializer lacks type restrictions, allowing attackers to craft malicious payloads that trigger arbitrary code execution upon processing. Microsoft classified the flaw as “Exploitation More Likely,” highlighting its wormable potential across networked WSUS servers.​

The Attack Flow and PoC

The exploit begins with an unauthenticated HTTP POST request to the WSUS ClientWebService endpoint on port 8530. Attackers send a SOAP envelope containing a tampered AuthorizationCookie with a PlugInId of “SimpleTargeting” and encrypted payload data.

The server decrypts the cookie using a hardcoded key (“877C14E433638145AD21BD0C17393071”), strips the IV block, and deserializes the result via BinaryFormatter.​

A publicly available PoC, shared by researcher “hawktrace” on GitHub, demonstrates payload generation in C#. It serializes a malicious delegate to launch “calc.exe” or similar commands, encrypts it without padding, and outputs a Base64-encoded string for the SOAP request.

The trace reveals the call chain from Client.GetCookie() through AuthorizationManager to DecryptData(), where the deserialization occurs under SYSTEM context. No user interaction is needed, making it highly dangerous for exposed WSUS instances.​

This RCE could enable supply-chain attacks, where compromised WSUS servers distribute malicious updates to clients. While no active exploits in the wild have been reported, the PoC’s availability increases the urgency for patching.

Microsoft credits researcher “MEOW” for the discovery and urges immediate application of the October 2025 security updates via Windows Update or WSUS itself.​

Organizations should isolate WSUS servers, enable firewalls to restrict access, and monitor for anomalous SOAP traffic. Long-term, Microsoft recommends migrating away from BinaryFormatter to safer alternatives like JSON or XML serializers with strict validation.

As WSUS underpins critical update mechanisms, delaying patches risks broad network breaches in an era of escalating ransomware and nation-state threats.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post PoC Exploit Released for Windows Server Update Services Remote Code Execution Vulnerability appeared first on Cyber Security News.

A new tool called DefenderWrite exploits whitelisted Windows programs to bypass protections and write arbitrary files into antivirus executable folders, potentially enabling malware persistence and evasion.

Developed by cybersecurity expert Two Seven One Three, the tool demonstrates a novel technique for penetration testers and red teams to drop payloads in highly protected locations without needing kernel-level access.​

This development highlights ongoing challenges in antivirus self-protection mechanisms, where folders housing AV executables are typically shielded from modifications to prevent tampering.

By identifying system programs that antivirus vendors whitelist for updates and installations, attackers can leverage these exceptions to inject malicious DLLs, turning the AV’s own safeguards against it.

The tool’s release, shared via GitHub, has sparked discussions on the balance between operational necessities for AV software and security risks in enterprise environments.​

Exploiting Whitelisted Programs for Arbitrary Writes

The core innovation behind DefenderWrite lies in systematically scanning Windows executables to find those permitted to access AV folders.

By enumerating all .exe files in directories like C:\Windows, then use process creation and remote DLL injection to test write capabilities into protected paths.

A custom DLL performs the file write operation and reports success or failure, allowing the tool to pinpoint exploitable processes like msiexec.exe without triggering defenses.​

In testing on Windows 11 24H2 with Microsoft Defender version 4.18.25070.5-0, the method identified four such programs: msiexec.exe, Register-CimProvider.exe, svchost.exe, and lsass.exe.

For instance, launching msiexec.exe and injecting the DLL enables writing a file directly into Defender’s installation directory, as demonstrated in lab experiments.

This approach extends beyond Microsoft Defender; similar whitelisting vulnerabilities were confirmed in BitDefender, TrendMicro Antivirus Plus, and Avast, though specific details remain undisclosed to encourage independent verification.

DefenderWrite supports key parameters for targeted operations, including TargetExePath for the host executable, FullDLLPath for the injectable library, and FileToWrite for the destination path within the AV folder. An optional “c” flag simplifies copying the DLL to the specified location remotely.

Accompanying the binary is a PowerShell script, Run_Check.ps1, which automates scanning C:\Windows executables and logging whitelisted ones for further exploitation.

Users can customize the script for their environment, making it suitable for red team simulations or defensive assessments.

The GitHub repository provides full source code and documentation, emphasizing ethical use in authorized testing only. Two Seven One Three, active on X as @TwoSevenOneT, shares additional pentest insights and encourages community experiments to strengthen AV resilience.​

Once a malicious payload resides in an AV folder, it benefits from the same exceptions that shield legitimate files, evading scans and potentially achieving long-term persistence.

This technique underscores the need for vendors to audit whitelisting policies and implement stricter process isolation during updates. While not a zero-day vulnerability, DefenderWrite reveals systemic gaps that could aid real-world attacks if unaddressed.​

Organizations should monitor AV update mechanisms and consider layered defenses beyond traditional file permissions. With the tool’s open availability, expect broader adoption in security research circles to push for improved protections across popular antivirus solutions.​

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post New DefenderWrite Tool Let Attackers Inject Malicious DLLs into AV Executable Folders appeared first on Cyber Security News.