At least 50 organizations have been hit by attacks targeting a critical vulnerability in Windows Server Update Services (WSUS), most of them located in the U.S., according to researchers at cybersecurity firm Sophos.
The vulnerability, tracked as CVE-2025-59287, stems from deserialization of untrusted data and affects only servers with the WSUS server role enabled. The security update Microsoft shipped in mid-October did not fully remediate the flaw, and Microsoft issued an emergency out-of-band patch late last week to address the problem. Servers that received only the original October update should therefore be treated as unpatched until the out-of-band update is installed.
Sophos’s own telemetry picked up six incidents linked to the exploitation activity, and additional intelligence gathered by researchers shows at least 50 victims, the company told Cybersecurity Dive.
“It’s possible this was an initial test or reconnaissance phase, and that attackers are now analyzing the data they’ve gathered to identify new opportunities for intrusion,” Rafe Pilling, director of threat intelligence at Sophos, told Cybersecurity Dive in an emailed statement.
WSUS is widely used by IT administrators to approve and distribute Microsoft product updates to the machines on their networks.
Most of the impacted organizations are in the U.S., including technology firms, universities, manufacturers and healthcare organizations, according to a LinkedIn post by Pilling.
Google Threat Intelligence Group researchers previously linked the exploitation to a threat actor they track as UNC6512. After gaining initial access, the actor conducted reconnaissance on the compromised host and in connected environments, and exfiltrated data.
Researchers at Eye Security said they have identified two distinct actors engaged in exploitation, based on analysis that builds on threat research published last week by Huntress Labs.
Sophos first identified threat activity against its own customers starting Oct. 24, one day after Microsoft issued the out-of-band patch.
The Cybersecurity and Infrastructure Security Agency last week added the flaw to its Known Exploited Vulnerabilities catalog. The agency this week urged security teams to apply the Microsoft patches without delay and to check their WSUS servers for signs of compromise, since patching does not evict an attacker who exploited the flaw before the update was applied. For servers that cannot be patched immediately, Microsoft's advisory lists disabling the WSUS server role or blocking inbound traffic to WSUS ports 8530 and 8531 as interim workarounds.