Cybersecurity researchers are sounding the alarm after discovering that hackers are actively exploiting a critical remote code execution (RCE) vulnerability in Microsoft’s Windows Server Update Services (WSUS).
The flaw, tracked as CVE-2025-59287, allows unauthenticated attackers to run arbitrary code on vulnerable servers, and evidence suggests that these attacks are being carried out manually, in what is known as “hands-on-keyboard” reconnaissance.
Attackers Wasting No Time

The activity was first detected by cybersecurity firm Eye Security, which received a critical alert from a customer’s WSUS system.
The alert showed that whoami.exe had been executed by the w3wp.exe process (the IIS worker process), a strong indicator of a malicious web shell.
Further investigation revealed a series of commands executed several seconds apart, suggesting a human operator rather than an automated script.
The vulnerability is a deserialization bug detailed in research by Hawktrace. While the initial proof-of-concept only demonstrated popping a calculator, attackers have already weaponized it for more malicious purposes.
Analysis of the attack logs showed a base64-encoded payload containing a .NET executable. This payload lets the attacker execute commands passed in an HTTP request header, giving them control over the compromised server.
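As an added illustration of the detection logic described above (example code, not Eye Security's or the article's own), the following Python flags processes spawned by the IIS worker w3wp.exe and checks whether their spacing matches a human typing commands rather than a scripted burst; the event fields, paths and timestamps are constructed.

```python
from datetime import datetime

# Constructed process-creation events for this example (field names are an
# assumption, not any particular EDR schema); timestamps are ISO 8601.
SAMPLE_EVENTS = [
    {"ts": "2025-10-24T09:12:01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"ts": "2025-10-24T09:12:04", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"ts": "2025-10-24T09:12:11", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net user"},
    {"ts": "2025-10-24T09:12:19", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    # Unrelated service activity that must not be flagged
    {"ts": "2025-10-24T09:13:00", "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

IIS_WORKER = "w3wp.exe"
# Discovery and shell binaries a WSUS worker process has no business launching
RECON_BINARIES = {"whoami.exe", "cmd.exe", "net.exe", "net1.exe", "ipconfig.exe",
                  "systeminfo.exe", "nltest.exe", "powershell.exe"}

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def suspicious_children(events):
    """Events where w3wp.exe spawned a recon or shell binary (the web-shell signal)."""
    return [e for e in events
            if basename(e["parent"]) == IIS_WORKER and basename(e["image"]) in RECON_BINARIES]

def command_gaps(events):
    """Seconds between consecutive events, in time order."""
    times = sorted(datetime.fromisoformat(e["ts"]) for e in events)
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]

def looks_hands_on_keyboard(events, min_gap=1.0, max_gap=300.0):
    """Human cadence: several commands spaced seconds to minutes apart, not sub-second bursts."""
    gaps = command_gaps(events)
    return len(gaps) >= 2 and all(min_gap <= g <= max_gap for g in gaps)

def triage(events):
    """Summarise the web-shell signal and operator cadence for an analyst."""
    hits = suspicious_children(events)
    return {"suspicious_count": len(hits),
            "first_command": hits[0]["cmdline"] if hits else None,
            "hands_on_keyboard": looks_hands_on_keyboard(hits)}
```

Feed it real process-creation telemetry (Sysmon Event ID 1 or your EDR's equivalent) normalised to the same three fields; the cadence thresholds are tuning knobs, not fixed facts about this campaign.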
Thousands of Servers at Risk
This vulnerability is particularly concerning because WSUS servers are a cornerstone of network management for deploying updates across an organization. A compromise can lead to widespread intrusions, including ransomware deployment.
A scan of the internet revealed approximately 8,000 WSUS servers with ports 8530 or 8531 exposed, although it is unconfirmed how many are vulnerable.
In response to these active exploits, Microsoft has released an out-of-band patch, KB5070883, to address CVE-2025-59287.
Security experts strongly urge all organizations to apply the patch immediately. Furthermore, they recommend ensuring that WSUS servers are not exposed to the public internet and that robust Endpoint Detection and Response (EDR) solutions are in place to monitor for suspicious activity.
Indicators of Compromise (IOCs)
| Indicator | Value | Note |
|---|---|---|
| Error message | `SoapUtilities.CreateException ThrowException: actor = https://host:8531/ClientWebService/client.asmx` | Thrown in SoftwareDistribution.log after exploitation |
| Serialized payload fragment | `AAEAAAD/////AQAAAAAAAAAEAQAAAH9` | Part of the serialized payload, found in SoftwareDistribution.log |
| Source IP (VPS) | 207.180.254[.]242 | VPS from which the exploit was sent |
| SHA256 (embedded MZ payload) | `ac7351b617f85863905ba8a30e46a112a9083f4d388fd708ccfe6ed33b5cf91d` | |