Critical WSUS Vulnerability Exploited for ShadowPad Deployment

Security researchers have uncovered a sophisticated cyberattack targeting Microsoft Windows Server Update Services (WSUS) infrastructure. The attackers exploited a critical remote code execution vulnerability, CVE-2025-59287, to deploy ShadowPad, a backdoor malware linked to state-sponsored APT groups. The vulnerability allows remote code execution with system-level privileges, making WSUS servers high-value targets. The attackers rapidly weaponized the vulnerability after proof-of-concept exploit code became publicly available, using legitimate Windows utilities to install the malware. Organizations are urged to apply the security update from Microsoft and audit their WSUS server exposure.

Latest mentioned: 11-21

Earliest mentioned: 11-19

Sources

gbhackers.com ahnlab.com securityonline.info

Also Read

Water Gamayun APT Exploits MSC EvilTwin Vulnerability

Water Gamayun, an advanced persistent threat group, has launched a new multi-stage intrusion campaign exploiting the MSC EvilTwin vulnerability in Windows MMC. The attack begins with a compromised Bing search result leading to a lookalike domain, which offers a double-extension RAR file disguised as a PDF. Opening this file triggers the exploitation of CVE-2025-26633, injecting malicious code into mmc.exe. The attack chain involves heavily obfuscated PowerShell scripts, a .NET class to hide console windows, and the final payload, iTunesC.exe, which installs backdoors or information-stealing malware. The campaign is attributed to Water Gamayun based on their distinctive PowerShell obfuscation patterns, infrastructure design, and social engineering themes.

11-26Read more →