Sophos researchers have identified real-world exploitation of a newly disclosed vulnerability in Windows Server Update Services (WSUS), where threat actors are harvesting sensitive data from organizations worldwide.
The critical remote code execution flaw, tracked as CVE-2025-59287, has become a prime target for attackers seeking to breach enterprise networks and extract valuable information without authentication requirements.
The vulnerability gained immediate attention after Microsoft released patches on October 14, 2025, followed by an emergency out-of-band update on October 23.
The publication of proof-of-concept code on GitHub accelerated the exploitation timeline, with threat actors beginning attacks just hours after the technical analysis became public.
Sophos Counter Threat Unit researchers detected the first abuse of this flaw on October 24 at 02:53 UTC, marking the beginning of a coordinated wave of attacks targeting internet-facing WSUS servers across multiple industries.
The exploitation wave spanned several hours and impacted customers in technology, healthcare, manufacturing, and educational sectors, predominantly based in the United States.
How Attackers Exploit the Vulnerability
The attack methodology observed by Sophos security researchers demonstrates sophisticated capabilities.
Threat actors leverage the deserialization bug to execute Base64-encoded PowerShell commands through nested cmd.exe processes running in IIS worker processes.
Once deployed, the malicious PowerShell script systematically harvests critical organizational data, including external IP addresses and port configurations, complete lists of Active Directory domain users, and detailed network interface configurations.
The harvested information is then exfiltrated to external webhook.site URLs under the threat actors’ control.
Researchers identified at least six incidents across Sophos customer environments, though preliminary analysis suggests approximately 50 victims may have been compromised.
When webhook.site upload attempts fail, the script automatically defaults to using the native curl command, ensuring successful data exfiltration regardless of initial connectivity issues.
Analysis of the public webhook.site URLs reveals sensitive dumps containing domain user information and network configurations from multiple universities, technology firms, manufacturing companies, and healthcare organizations.
The attackers’ choice to use free webhook.site services with visible request histories allowed researchers to document the full scope of exploitation activity.
Between October 24 at 02:53 UTC and 11:32 UTC, attackers hit the maximum 100-request limit on available webhook URLs, demonstrating the scale of reconnaissance activity targeting vulnerable systems.
Security experts and government agencies, including CISA and NSA, urge organizations to immediately implement protective measures.
This includes applying available patches to all WSUS installations, identifying internet-exposed WSUS servers, and restricting access to WSUS ports 8530 and 8531 through network segmentation and firewall policies. Organizations should also review logs for indicators of scanning and exploitation attempts.
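The log review recommended above can be turned into a concrete hunt using the two behaviours the article describes: an IIS worker process (w3wp.exe) spawning nested cmd.exe processes that end in an encoded PowerShell command, and the resulting process (or a curl fallback) connecting to webhook.site. The following detection sketch is an added example, not code from Sophos or Microsoft; the events it runs over are constructed sample records shaped like Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) entries, and the WsusPool application-pool name in the sample command line is a hypothetical detail rather than something taken from the article.

```python
"""Detection sketch for the WSUS exploitation chain described in the article.

Two checks over constructed Windows telemetry (not real captured logs):
  1. powershell.exe launched with an encoded command whose ancestry passes
     through cmd.exe and an IIS worker process (w3wp.exe).
  2. Any process (powershell.exe, curl.exe, ...) connecting to webhook.site.
Field names follow Sysmon Event ID 1 / Event ID 3 conventions.
"""
import re
from typing import Dict, List

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (Sysmon Event ID 1 style).
PROCESS_EVENTS: List[Dict] = [
    {"ProcessId": 100, "ParentProcessId": 4,
     "Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "w3wp.exe -ap WsusPool"},                # hypothetical pool name
    {"ProcessId": 101, "ParentProcessId": 100,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"ProcessId": 102, "ParentProcessId": 101,
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA"},
    {"ProcessId": 103, "ParentProcessId": 102, "Image": PS,
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    # Benign control: an admin running an encoded command from an interactive shell.
    {"ProcessId": 200, "ParentProcessId": 50,
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessId": 201, "ParentProcessId": 200, "Image": PS,
     "CommandLine": "powershell -enc SQBFAFgA"},
]

# Constructed network-connection events (Sysmon Event ID 3 style).
NETWORK_EVENTS: List[Dict] = [
    {"ProcessId": 103, "Image": PS,
     "DestinationHostname": "webhook.site", "DestinationPort": 443},
    {"ProcessId": 104, "Image": r"C:\Windows\System32\curl.exe",
     "DestinationHostname": "webhook.site", "DestinationPort": 443},
    {"ProcessId": 300, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationHostname": "update.microsoft.com", "DestinationPort": 443},
]

# PowerShell accepts -e, -ec, -en, -enc, ... -encodedcommand as prefixes of
# -EncodedCommand; require whitespace/end after it so -ep / -ex do not match.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?(?=\s|$)")

EXFIL_HOSTS = {"webhook.site"}


def _basename(image: str) -> str:
    """Lower-cased file name of an Image path, tolerant of either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, Dict]) -> List[str]:
    """Image basenames from the process itself up to the oldest known parent."""
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur and cur["ProcessId"] not in seen:   # seen-set guards PID reuse loops
        seen.add(cur["ProcessId"])
        chain.append(_basename(cur["Image"]))
        cur = by_pid.get(cur["ParentProcessId"])
    return chain


def find_wsus_exploit_chains(events: List[Dict]) -> List[int]:
    """PIDs of encoded-PowerShell processes descended from w3wp.exe via cmd.exe."""
    by_pid = {e["ProcessId"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["Image"]) != "powershell.exe":
            continue
        if not ENCODED_FLAG.search(e["CommandLine"]):
            continue
        ancestors = ancestry(e["ProcessId"], by_pid)[1:]
        if "w3wp.exe" in ancestors and "cmd.exe" in ancestors:
            hits.append(e["ProcessId"])
    return hits


def find_webhook_exfil(net_events: List[Dict]) -> List[Dict]:
    """Connections to webhook.site (or a subdomain), whichever binary made them."""
    out = []
    for n in net_events:
        host = n.get("DestinationHostname", "").lower()
        if host in EXFIL_HOSTS or host.endswith(".webhook.site"):
            out.append({"pid": n["ProcessId"], "image": _basename(n["Image"]), "host": host})
    return out


if __name__ == "__main__":
    print("suspicious encoded PowerShell from IIS:", find_wsus_exploit_chains(PROCESS_EVENTS))
    print("webhook.site connections:", find_webhook_exfil(NETWORK_EVENTS))
```

The process-chain check deliberately keys on ancestry rather than on the Base64 payload itself, so it still fires when the encoded command changes; the benign record (an encoded command launched from explorer.exe) is there to show that the w3wp.exe ancestor, not the -enc flag, is what makes the event interesting. The network check is host-based because the article notes the script falls back to curl when its first upload fails, so the exfiltrating image cannot be assumed to be powershell.exe.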
The rapid exploitation of CVE-2025-59287 demonstrates how quickly threat actors mobilize to abuse newly disclosed vulnerabilities, making timely patching and network segmentation essential for organizational security postures.