Google probes exploitation of critical Windows service CVE

Google Threat Intelligence Group is investigating a series of attacks linked to a hacker targeting a critical vulnerability in Windows Server Update Service, Cybersecurity Dive has learned. 

Threat activity has ramped up since last week, after a proof of concept was published for the untrusted-data vulnerability in WSUS, the service widely used to manage the deployment of Microsoft product updates.

“We are actively investigating the exploitation of CVE-2025-59287 by a newly identified threat actor we are tracking as UNC6512 across multiple victim organizations,” GTIG researchers told Cybersecurity Dive.

After gaining initial access to targeted systems, the hacker has performed reconnaissance on the compromised host and related environments and has exfiltrated data from impacted hosts, according to GTIG researchers.

The threat activity confirms prior observations from security firms, including Huntress Labs, which reported exploitation activity across at least four customer environments late last week.

Microsoft issued a patch to address the vulnerability earlier this month, but the software update was ineffective. Researchers at HawkTrace released a proof of concept related to the vulnerability.

Researchers at Eye Security were alerted last week to suspicious activity picked up by endpoint detection and response telemetry and realized there was an active threat. They were able to replicate the proof of concept and warned various security partners and government agencies about the risk of exposing WSUS to the internet.

Eye Security researchers believe more than one variant is targeting the vulnerability, based on a comparison of TTPs with the information released by Huntress.

“So at least two adversaries are exploiting it since last Friday,” an Eye Security spokesperson told Cybersecurity Dive.

Meanwhile, researchers at Palo Alto Networks Unit 42 said they have confirmed exploitation involving the use of malicious PowerShell commands. The commands are being issued to gather intelligence, map the internal domain structure and search for high-value user accounts.

Shadowserver reported about 2,800 instances that were exposed to the flaw, but researchers were still working to determine how many of them were actually vulnerable.

The Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalog and urged WSUS users to immediately implement the patch and follow mitigation guidance from Microsoft. 

CISA told Cybersecurity Dive over the weekend that there was no evidence of federal agencies being impacted, but it urged outside organizations to report any suspicious activity.

“CISA’s operational collaboration with Microsoft and our stakeholders continues around CVE-2025-59287 to ensure timely mitigation guidance and protect critical systems,” Nick Andersen, executive assistant director for the Cybersecurity Division told Cybersecurity Dive. “Cybersecurity is not static—it’s about constant coordination, rapid response, and shared action.” 
