Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What the post covers
A critical unsafe deserialization vulnerability in Microsoft Windows Server Update Services (WSUS) allows unauthenticated remote code execution (RCE) as SYSTEM. The bug is tracked as CVE-2025-59287 (CWE-502) with CVSS 9.8 and EPSS 9.40%. It abuses WSUS’s handling of an AuthorizationCookie and SOAP reporting data that are decrypted and then deserialized using legacy .NET formatters without strict type allow-listing.

Aff...

🔧 Technical Details

Unsafe deserialization via encrypted cookies: If a web service decrypts and then deserializes an attacker-controlled AuthorizationCookie with BinaryFormatter and no type allow-list, a serialized gadget chain executes during deserialization. Craft the cookie so the post-decryption byte stream is a malicious object graph that reaches execution sinks, yielding code execution as the service account.

SOAP deserialization sink abuse: Reporting endpoints (e.g., ReportEventBatch) that feed request fields into SoapFormatter allow embedding a base64-encoded gadget payload. POST the crafted SOAP to the reporting service; when backend processors or admin consoles deserialize it, the gadget fires, achieving RCE.

Operator-triggered execution for stealth: Queue deserialization-triggering events that execute only when an administrator opens a management console. This defers execution, blends with normal operations,...

🤖 Agent Actions

I reviewed the repository structure and the existing Deserialization content, focusing on the .NET sections and real-world sinks already documented. I also verified the OffSec blog content via HTTP fetch, which indeed details the WSUS unsafe deserialization vectors (AuthorizationCookie → BinaryFormatter and ReportingWebService.asmx → SoapFormatter via ReportEventBatch) and hands-on exploitation with ysoserial.net and a public PoC.

Decision and changes implemented:

  • The most appropriate place for this content is the main Deserialization guide under the .NET section: src/pentesting-web/deserialization/README.md. This page already consolidates .NET deserialization techniques, fingerprinting, exploitation with ysoserial.net, and real-world examples (e.g., Sitecore in a separate file), so adding a concise WSUS sink section here aligns with HackTricks structure.
  • I added a new subsection “Real‑world sink: WSUS AuthorizationCookie & Reporting SOAP → BinaryFormatter/SoapFormatter RCE” immediately after the ViewState subsection and before the .NET Prevention subsection. It includes:
    • Affected endpoints and code paths: SimpleAuthWebService/SimpleAuth.asmx GetCookie/AuthorizationCookie and ReportingWebService.asmx ReportEventBatch
    • Root cause summary (BinaryFormatter/SoapFormatter without strict allow-listing)
    • Minimal exploitation flow for the Reporting path with ysoserial.net example commands for BinaryFormatter and SoapFormatter
    • Note on the AuthorizationCookie/GetCookie vector
    • PoC parameters exactly as used in the public PoC
    • Detection and hardening bullets
    • An inline cross-link to the Windows Local Privilege Escalation WSUS page for related (local/MITM) primitives
  • I updated the global “## References” section at the end of the file to add:
    • OffSec blog post URL (the article containing the WSUS deserialization details)
    • The PoC repository URL (tecxx/CVE-2025-59287-WSUS)

Files modified:

  • src/pentesting-web/deserialization/README.md
    • Inserted the WSUS real-world sink subsection (between ViewState and Prevention)
    • Added OffSec blog and PoC repo to the end “## References” list
    • Added an inline internal link to the Windows WSUS page

No new files were created, and I limited changes to a single file as required.

References added:

If you want me to also create a brief WSUS-specific exploitation page under Windows hardening or Active Directory with a pointer back to the .NET deserialization section, let me know; for this task I kept changes to one file as per the rules.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
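The sink class described under Technical Details, as an added C# illustration that is not WSUS code and not from the PR or the OffSec post: a decrypted cookie blob handed to BinaryFormatter with no binder, beside the same sink with a throwing allow-list SerializationBinder. The names `AuthorizationCookie`, `VulnerableSink`, `HardenedSink` and `AllowListBinder` are hypothetical; the same Binder property exists on SoapFormatter, so the reporting path would be handled identically.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed stand-in for the cookie type; not the real WSUS class.
[Serializable]
public sealed class AuthorizationCookie
{
    public string ClientId;   // string/DateTime are BinaryFormatter primitives,
    public DateTime Expires;  // so the binder is not consulted for them.
}

// VULNERABLE pattern: after decryption the byte stream fully controls which
// types get instantiated, so a gadget-chain graph runs inside Deserialize().
public static class VulnerableSink
{
    public static object ReadCookie(byte[] decrypted)
    {
        var bf = new BinaryFormatter();
        using (var ms = new MemoryStream(decrypted))
            return bf.Deserialize(ms);
    }
}

// Allow-list binder. It must THROW for anything unexpected: returning null
// tells BinaryFormatter to fall back to default type resolution, which would
// silently reopen the hole. Every non-primitive member type needs an entry.
public sealed class AllowListBinder : SerializationBinder
{
    private static readonly Dictionary<string, Type> Allowed =
        new Dictionary<string, Type>
        {
            { typeof(AuthorizationCookie).FullName, typeof(AuthorizationCookie) },
        };

    public override Type BindToType(string assemblyName, string typeName)
    {
        if (Allowed.TryGetValue(typeName, out var t)) return t;
        throw new SerializationException($"Refusing unexpected type '{typeName}'");
    }
}

// Hardened pattern for legacy .NET Framework code that cannot yet drop the
// formatter; the real fix is migrating to a serializer with no type polymorphism.
public static class HardenedSink
{
    public static AuthorizationCookie ReadCookie(byte[] decrypted)
    {
        var bf = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(decrypted))
            return (AuthorizationCookie)bf.Deserialize(ms);
    }
}
```

A SerializationException from the binder is a useful detection signal: logging the rejected `typeName` at the sink surfaces attempts to feed gadget types into the cookie or reporting path.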

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.offsec.com/blog/recent-vulnerabilities-in-redis-servers-lua-scripting-engine-2/

Content Categories: Based on the analysis, this content was categorized under "Pentesting Web / Deserialization / .NET (BinaryFormatter & SoapFormatter) RCE; cross-link from Windows / Active Directory / WSUS".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 file fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
