[FALSE-POSITIVE] CVE-2025-59287 #15360

@matejsmycka

Template IDs or paths

https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2025/CVE-2025-59287.yaml

Environment

Steps To Reproduce

This template checks if the service responds, not if it has an exact vulnerability.

I think nuclei should send the payload, then check for a response with true. Additionally, an interact.sh approach would also eliminate FPs.

When I run the PoC on a "vulnerable" target from: https://github.com/M507/CVE-2025-59287-PoC

python3 PoC.py --target-url URL --cve CVE-2025-59287 --debug
I get the following output:

[DEBUG] send_test_event status: 200
[DEBUG] send_test_event body: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetRollupConfigurationResponse xmlns="http://www.microsoft.com/SoftwareDistribution"><GetRollupConfigurationResult><DoDetailedRollup>true</DoDetailedRollup><RollupResetGuid>a52f0dcd-4a49-42c6-a8d2-b8db27e68fd7</RollupResetGuid><ServerId>a88c0095-31f7-47a6-b429-fb434e8ff37e</ServerId><RollupDownstreamServersMaxBatchSize>5000</RollupDownstreamServersMaxBatchSize><RollupComputersMaxBatchSize>1500</RollupComputersMaxBatchSize><GetOutOfSyncComputersMaxBatchSize>20000</GetOutOfSyncComputersMaxBatchSize><RollupComputerStatusMaxBatchSize>500</RollupComputerStatusMaxBatchSize><ProtocolVersion>1.20</ProtocolVersion></GetRollupConfigurationResult></GetRollupConfigurationResponse></soap:Body></soap:Envelope>
[+] Server ID: a88c0095-31f7-47a6-b429-fb434e8ff37e
[+] Auth cookie with Server ID...
[DEBUG] get_reporting_cookie -> url: http://<REDACTED>/SimpleAuthWebService/SimpleAuth.asmx
[DEBUG] send_test_event status: 200
[DEBUG] send_test_event body: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><GetAuthorizationCookieResponse xmlns="http://www.microsoft.com/SoftwareDistribution/Server/SimpleAuthWebService"><GetAuthorizationCookieResult><PlugInId>SimpleTargeting</PlugInId><CookieData>dMMgpZAX4ivYfXMWUjoPBPFKNuUXX/B7N3UI+T1bSDNtf77N9CoeJfnSqaijQmd91FUAPw7Dmo4ZOLwz9zJjbgX/97OzQj36NowbeUmgkBj/I4HbZP7Uxsl1QluXrqkqJqXMZWznOSUUHYFHP5RDUNnAwVk1OS4jm6KsBWznsV1yC2s6HYNFvtS5wr7GRcu6FuFIxNMEctkwmiai/ejE3Sw+Z6unSL99oxpImgOtwZRsiIDPJArLDGBh/ajoWeo6x4YGnmXWQYsI7q+50A5ikrltt3VED4ePW59KtO8h77hEmbOW2+T2six+MRE5Iunk2Z8POBFbnHiTk9sq5/OGFyhTIcwss+/hINoNjRxzbNkXpFAt7Rhn+fXOLuQEH+3hN72PzzJtzxFKGMwcnvH4WV2ft3X4Rshg1q3gnBMxlbCxvnIPERXEUsknbx2I2MSBaBa+mREjtOWKDpd8Me/ly/LGuqb1XvprmnpgngYp33j0rWquGseg1gBtJwtO1F7d6oNmbg5qFmfA82e2KNOVglsUApNiTNOe3GQWmCXENpJvHJe5LLfg549kj1BWZWG7WLkz4I/Gte6SWpuQRhWfVz4TEtbHNGGsxPUKsaqkfCwL/8vLtrOhwyt6Y/+XMlQrAt9M/u7qhjnoAKhlR1U6pg==</CookieData></GetAuthorizationCookieResult></GetAuthorizationCookieResponse></soap:Body></soap:Envelope>
[+] Using ID: a88c0095-31f7-47a6-b429-fb434e8ff37e
[DEBUG] get_reporting_cookie -> url: http://<REDACTED>/ClientWebService/Client.asmx
[DEBUG] send_test_event status: 200
[DEBUG] send_test_event body: <s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><GetCookieResponse xmlns="http://www.microsoft.com/SoftwareDistribution/Server/ClientWebService"><GetCookieResult><Expiration>2026-02-16T13:29:04.9843564Z</Expiration><EncryptedData>Ux1Oz3R282Fb2AMJOQO+T3wL6NT8ojCOa1CSoqsyZTVWQF/Vrp6a1DsiBJ9b3tbCydcqZeW1L82JYa8YbxRHnZJQTwRDXK0qSRHqesthzYRmeXKbhHWqy9UOhZ9cAynvNxqvRa4tnJt8hBwfriZ6YgONLz7d95B/jubHN/qgAbRo2cANagh+iLtm82C2ShkbTetmd+uKFh9/yFtxPxZPWv6o+1Gs5B6K3lwwF+1eupgUBDZ+aRkx5SJ/jR6Cp592YvPbvG9lC+7lPsjnQXNWZRLs11p+YBEXrCUR4lR91Xc=</EncryptedData></GetCookieResult></GetCookieResponse></s:Body></s:Envelope>
[+] Sending event with payload...
[DEBUG] send_test_event status: 200
[DEBUG] send_test_event body: <?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ReportEventBatchResponse xmlns="http://www.microsoft.com/SoftwareDistribution"><ReportEventBatchResult>false</ReportEventBatchResult></ReportEventBatchResponse></soap:Body></soap:Envelope>
[-] Failed to send Test event

Relevant dumped responses

Last Nuclei request and response.

[INF] [CVE-2025-59287] Dumped HTTP request for https://<REDACTED>/ReportingWebService/ReportingWebService.asmx

POST /ReportingWebService/ReportingWebService.asmx HTTP/1.1
Host: <REDACTED>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36
Content-Length: 1789
Accept: text/xml
Connection: keep-alive
Content-Type: text/xml
SOAPAction: "http://www.microsoft.com/SoftwareDistribution/ReportEventBatch"
Accept-Encoding: gzip

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/">
<soap:Body>
<ReportEventBatch xmlns="http://www.microsoft.com/SoftwareDistribution">
<cookie>
<Expiration>2026-02-16T13:31:27Z</Expiration>
<EncryptedData>+fUcSg97pInnA88e+xpmqcsO2IFnInLIIhHQRgXSNdDgR4lPBFX38DabyfHjpbVaHI4qQc1H82KmUwhzVb56tWFBz2OErZ7s7lsa69JpPCPQ5T2pT3c1/OAkwT8lJuqTLkHipFvDmVd/jyDeXTeQX1w+EeeCuHmwyJQfZWsa9h7VbPuOOF3iLBwGu9Ey7z/3zSJMdVE/lw3SfXQbsrkeUnZjkMwbErOWS1OqabbZtP5rrA6bBU97fKY1LAnq2tQn3wzyCqLZ/yASQQcsLyrknI6/q5j198I2P4vQCX3r8cs=</EncryptedData>
</cookie>
<clientTime>2026-02-16T13:31:27Z</clientTime>
<eventBatch xmlns:q1="http://www.microsoft.com/SoftwareDistribution" soapenc:arrayType="q1:ReportingEvent[1]">
<ReportingEvent>
<BasicData>
<TargetID>
<Sid>549743e5-8546-4f9d-b946-7948711f7b69</Sid>
</TargetID>
<SequenceNumber>0</SequenceNumber>
<TimeAtTarget>2025-10-29T08:41:54.069</TimeAtTarget>
<EventInstanceID>a0ce0892-6046-4f21-856e-69ffa43876b9</EventInstanceID>
<NamespaceID>2</NamespaceID>
<EventID>389</EventID>
<SourceID>301</SourceID>
<UpdateID>
<UpdateID>00000000-0000-0000-0000-000000000000</UpdateID>
<RevisionNumber>0</RevisionNumber>
</UpdateID>
<Win32HResult>0</Win32HResult>
<AppName>LocalServer</AppName>
</BasicData>
<ExtendedData>
<MiscData soapenc:arrayType="xsd:string[2]">
<string>Administrator=SYSTEM</string>
<string>39kfetawIYOxEwXhXQvlI2XTTpt</string>
</MiscData>
</ExtendedData>
<PrivateData>
<ComputerDnsName></ComputerDnsName>
<UserAccountName></UserAccountName>
</PrivateData>
</ReportingEvent>
</eventBatch>
</ReportEventBatch>
</soap:Body>
</soap:Envelope>
[DBG] [CVE-2025-59287] Dumped HTTP response https://<REDACTED>/ReportingWebService/ReportingWebService.asmx

HTTP/1.1 200 OK
Cache-Control: private, max-age=0
Content-Type: text/xml; charset=utf-8
Date: Mon, 16 Feb 2026 12:31:27 GMT
Server: Microsoft-IIS/10.0
Vary: Accept-Encoding
X-Aspnet-Version: 4.0.30319
X-Powered-By: ASP.NET

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><ReportEventBatchResponse xmlns="http://www.microsoft.com/SoftwareDistribution"><ReportEventBatchResult>true</ReportEventBatchResult></ReportEventBatchResponse></soap:Body></soap:Envelope>

Anything else?

No response
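
A triage helper for the two results quoted in this issue, as an added example (not code from the template, the PoC or the reporter): it parses a dumped scanner response plus an optional follow-up response and reports what the evidence actually supports. The function names, the labels and the sample responses (trimmed from the dumps above) are this example's own assumptions.

```python
import xml.etree.ElementTree as ET

NS = "{http://www.microsoft.com/SoftwareDistribution}"

def split_dump(raw):
    """Split a dumped HTTP response into (status_code, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    parts = head.split("\n", 1)[0].split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    return status, body.strip()

def batch_result(body):
    """Return True/False from <ReportEventBatchResult>, None if missing or unparseable."""
    if "<!DOCTYPE" in body:  # the body comes from the scanned host: refuse DTDs
        return None
    try:
        root = ET.fromstring(body.encode("utf-8"))
    except ET.ParseError:
        return None
    node = root.find(f".//{NS}ReportEventBatchResult")
    text = (node.text or "").strip().lower() if node is not None else ""
    return {"true": True, "false": False}.get(text)

def triage(scanner_dump, followup_body=None):
    """Label what the evidence supports (labels are hypothetical, not nuclei output)."""
    status, body = split_dump(scanner_dump)
    if status != 200 or batch_result(body) is not True:
        return "no-match"
    result = batch_result(followup_body) if followup_body else None
    if result is None:
        return "endpoint-reachable"  # only shows the service accepted one event
    return "payload-accepted" if result else "payload-rejected"

def _soap(value):
    # Trimmed copy of the ReportEventBatchResponse bodies quoted in the issue.
    return ('<?xml version="1.0" encoding="utf-8"?>'
            '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soap:Body><ReportEventBatchResponse '
            'xmlns="http://www.microsoft.com/SoftwareDistribution">'
            f'<ReportEventBatchResult>{value}</ReportEventBatchResult>'
            '</ReportEventBatchResponse></soap:Body></soap:Envelope>')

NUCLEI_DUMP = ("HTTP/1.1 200 OK\nContent-Type: text/xml; charset=utf-8\n"
               "Server: Microsoft-IIS/10.0\n\n" + _soap("true"))
POC_BODY = _soap("false")

if __name__ == "__main__":
    print(triage(NUCLEI_DUMP))            # scanner hit on its own
    print(triage(NUCLEI_DUMP, POC_BODY))  # scanner hit plus the PoC run's reply
```

The labels describe only what the responses show; neither one establishes the patch state of the server.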

Labels: false-positive (Nuclei template reporting invalid/unexpected result)
