Exploitation Activity of CVE-2025-59287 - WSUS Deserialization

Rule Info

Name
Exploitation Activity of CVE-2025-59287 - WSUS Deserialization
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects cast exceptions in Windows Server Update Services (WSUS) application logs that highly indicate exploitation attempts of CVE-2025-59287, a deserialization vulnerability in WSUS.
Reference
https://unit42.paloaltonetworks.com/cve-2025-59287/
Date
2025-10-31 00:00:00
Modified
None
Id
e5f66e87-7d6b-404f-92fe-7aa67814b5cd
Tags
attack.execution attack.initial-access attack.t1190 attack.t1203 cve.2025-59287 detection.emerging-threats
Type
Community Rule
Link to Public Repo
https://github.com/SigmaHQ/sigma/search?q=e5f66e87-7d6b-404f-92fe-7aa67814b5cd

Rule History

Author
Title
Date
Commit
Swachchhanda Shrawan Poudel
Merge PR #5731 from @swachchhanda000 - Add rules for CVE-2025-59287
2025-11-02
b65441821
THOR Logo  Scan your endpoints, forensic images or collected files with our portable scanner THOR
  Warning: Access to VALHALLA is rate-limited - once you prove unworthy, access gets denied
  Nextron Systems 2022