CVE2025

CVE-2025-59287

2Rules

5References

1Folders

2025-10-31Latest

Summary

CVE-2025-59287 is tracked here through 2 Sigma detections for exploitation attempts and related post-exploitation behavior observed in 2025. Coverage centers on windows / application, windows / process_creation.

Related Detections

Search this threat

Emerging Threathighexperimental

Exploitation Activity of CVE-2025-59287 - WSUS Deserialization

Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.

Windowsapplication

TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationT1203 · Exploitation for Client Execution+2

Swachchhanda Shrawan Poudel (Nextron Systems)Fri Oct 312025

Emerging Threathighexperimental

Exploitation Activity of CVE-2025-59287 - WSUS Suspicious Child Process

Detects the creation of command-line interpreters (cmd.exe, powershell.exe) as child processes of Windows Server Update Services (WSUS) related process wsusservice.exe. This behavior is a key indicator of exploitation for the critical remote code execution vulnerability such as CVE-2025-59287, where attackers spawn shells to conduct reconnaissance and further post-exploitation activities.

WindowsProcess Creation

TA0002 · ExecutionTA0001 · Initial AccessT1190 · Exploit Public-Facing ApplicationT1203 · Exploitation for Client Execution+2

Huntress Labs+1Fri Oct 312025

References

Resolving title…

unit42.paloaltonetworks.com

unit42.paloaltonetworks.com