Emerging Threathighexperimental
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Swachchhanda Shrawan Poudel (Nextron Systems)Created Fri Oct 31e5f66e87-7d6b-404f-92fe-7aa67814b5cd2025
Emerging Threat
Active Threat
Developed to detect an active or emerging threat. Prioritize investigation of any alerts and correlate with threat intelligence.
Log Source
Windowsapplication
ProductWindows← raw: windows
Serviceapplication← raw: application
Detection Logic
Detection Logic1 selector
detection:
selection:
Provider_Name: 'Windows Server Update Services'
EventID: 7053
Data|contains|all:
# Indicators of untrusted deserialization exploitation attempts
# https://github.com/pwntester/ysoserial.net/issues/114
- 'System.InvalidCastException'
- 'System.Windows.Data.ObjectDataProvider'
- 'Unable to cast object of type'
- 'System.Windows.Media.Brush'
condition: selectionFalse Positives
Legitimate WSUS operations that may trigger similar error messages
MITRE ATT&CK
Other
cve.2025-59287detection.emerging-threats
Rule Metadata
Rule ID
e5f66e87-7d6b-404f-92fe-7aa67814b5cd
Status
experimental
Level
high
Type
Emerging Threat
Created
Fri Oct 31
Path
rules-emerging-threats/2025/Exploits/CVE-2025-59287/win_wsus_exploit_cve_2025_59287.yml
Raw Tags
attack.executionattack.initial-accessattack.t1190attack.t1203cve.2025-59287detection.emerging-threats