- Chinese state-sponsored actors are exploiting CVE-2025-59287, a critical WSUS flaw enabling unauthenticated RCE with SYSTEM privileges
- AhnLab reports attackers using PowerCat and certutil/curl to deploy ShadowPad, a PlugX successor backdoor
- Likely targets include government, defense, telecom, and critical infrastructure sectors
Chinese state-sponsored threat actors are reportedly actively exploiting a vulnerability in the Microsoft Windows Server Update Services (WSUS), to spread malware, experts have warned.
As part of its October 2025 Patch Tuesday cumulative update, Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in Windows Server Update Service (WSUS). The flaw was given a severity score of 9.8/10 (critical), as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, granting unauthenticated, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers, too.
Soon after, a publicly available proof-of-concept (PoC) code was spotted, prompting Microsoft to release an out-of-band (OOB) security update, as well.
Used for ShadowPad deployment
Now, security researchers from AhnLab Security Intelligence Center (ASEC) said they’re seeing attacks against unpatched endpoints, hinting that it’s the work of the Chinese.
“The attacker targeted Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” the report reads. “They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl.”
ShadowPad is reportedly a successor to PlugX, a modular backdoor which was “widely used” by Chinese state-sponsored hacking collectives. It is deployed on target endpoints via DLL side-loading, through a legitimate binary named ETDCtrlHelper.exe.
We don’t know how many companies were targeted through WSUS, where they are, or in which industries they operate. However, if it’s the work of the Chinese, it’s either against the government, military and defense, telecommunications, or critical infrastructure.
“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”
WSUS allows IT admins to manage patching computers within their network.
Via The Hacker News
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
