Check SoftwareDistribution.log for:

  • SoapUtilities.CreateException ThrowException: actor = https://host:8531/ClientWebService/client.asmx – Error thrown in SoftwareDistribution.log after exploitation
  • AAEAAAD/////AQAAAAAAAAAEAQAAAH9 – Part of the serialized payload, found in SoftwareDistribution.log
  • 207.180.254[.]242 – VPS from which the exploit was sent
  • ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d – SHA256 hash of embedded MZ payload
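
A triage sketch for a collected copy of SoftwareDistribution.log, added here as an example and not taken from the referenced research: it reports the line numbers where the three string indicators above occur (the SHA256 is not covered, since it identifies a file rather than log text). The function names, the sample lines, the host wsus01.example.test and the encoding handling are assumptions.

```python
import re
from collections import defaultdict

# Indicators copied from the list above. The IP stays defanged in source and is
# refanged only when the pattern is built.
SOAP_ERROR = re.compile(r"SoapUtilities\.CreateException ThrowException: actor = "
                        r"\S*/ClientWebService/client\.asmx")
PAYLOAD_PREFIX = "AAEAAAD/////AQAAAAAAAAAEAQAAAH9"
SOURCE_IP = "207.180.254[.]242".replace("[.]", ".")
# Lookarounds keep the address from matching inside a longer dotted number.
IP_RE = re.compile(r"(?<![\d.])" + re.escape(SOURCE_IP) + r"(?!\d)")

def scan_lines(lines):
    """Return {indicator_name: [1-based line numbers]} for every hit."""
    hits = defaultdict(list)
    for number, line in enumerate(lines, start=1):
        if SOAP_ERROR.search(line):
            hits["soap_exception"].append(number)
        if PAYLOAD_PREFIX in line:
            hits["serialized_payload"].append(number)
        if IP_RE.search(line):
            hits["source_ip"].append(number)
    return dict(hits)

def scan_file(path):
    """Scan a collected copy of the log; the encoding is not assumed to be UTF-8."""
    with open(path, "rb") as handle:
        raw = handle.read()
    # Assumption: a UTF-16 copy carries a BOM; anything else is read as UTF-8.
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    return scan_lines(raw.decode(encoding, errors="replace").splitlines())

# Constructed sample lines (hypothetical host and layout, not real WSUS output).
SAMPLE_LOG = [
    "2025-01-01 10:01:02.000 UTC\tInfo\tw3wp.7\tClient sync completed",
    "2025-01-01 10:02:03.000 UTC\tError\tw3wp.7\tSoapUtilities.CreateException "
    "ThrowException: actor = https://wsus01.example.test:8531/ClientWebService/client.asmx",
    "2025-01-01 10:02:03.100 UTC\tError\tw3wp.7\tdata=AAEAAAD/////AQAAAAAAAAAEAQAAAH9 "
    "client=207.180.254.242",
    "2025-01-01 10:05:00.000 UTC\tInfo\tw3wp.7\tRequest from 207.180.254.24",
]

if __name__ == "__main__":
    for name, numbers in scan_lines(SAMPLE_LOG).items():
        print(f"{name}: lines {numbers}")
```

The actor pattern ignores the host and port, so it matches whatever name the WSUS server is published under.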

Meta
[
  {
    "ref": [
      "https://research.eye.security/wsus-deserialization-exploit-in-the-wild-cve-2025-59287/"
    ]
  }
]