- Chinese state-sponsored actors exploit CVE-2025-59287, a critical WSUS flaw that allows unauthorized RCE with SYSTEM privileges
- AhnLab reports attackers using PowerCat and certutil/curl to implement ShadowPad, a PlugX successor backdoor
- Likely targets include government, defense, telecommunications and critical infrastructure
Chinese state-sponsored threat actors are reportedly actively exploiting a vulnerability in Microsoft Windows Server Update Services (WSUS) to spread malware, experts have warned.
As part of the October 2025 Patch Tuesday cumulative update, Microsoft addressed CVE-2025-59287, a “deserialization of untrusted data” flaw found in the Windows Server Update Service (WSUS). The flaw was given a severity score of 9.8/10 (Critical) as it apparently allows for remote code execution (RCE) attacks. It can be abused in low-complexity attacks without user interaction, giving unauthorized, unprivileged threat actors the ability to run malicious code with SYSTEM privileges. In theory, this would allow them to pivot and infect other WSUS servers as well.
Soon after, publicly available proof-of-concept (PoC) code was discovered, prompting Microsoft to also release an out-of-band (OOB) security update.
Used for ShadowPad deployment
Now, security researchers from the AhnLab Security Intelligence Center (ASEC) said they are seeing attacks against unpatched endpoints, suggesting it is the work of the Chinese.
“The attacker targeted Windows servers with WSUS enabled and exploited CVE-2025-59287 for initial access,” the report reads. “They then used PowerCat, an open source PowerShell-based Netcat tool, to obtain a system shell (CMD). They then downloaded and installed ShadowPad using certutil and curl.”
ShadowPad is reportedly a successor to PlugX, a modular backdoor that was “widely used” by Chinese state-sponsored hacking collectives. It is implemented on metering endpoints via DLL pageloading through a legitimate binary named ETDCtrlHelper.exe.
We do not know how many companies were targeted through WSUS, where they are or in what industries they operate. But if it is the work of the Chinese, it is either against the government, military and defense, telecommunications or critical infrastructure.
“After the proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute the ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”
WSUS allows IT administrators to manage patch computers on their network.
Via Hacker News
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds. Be sure to click the Follow button!
And of course you can too follow TechRadar on TikTok for news, reviews, video unboxings, and get regular updates from us on WhatsApp also.
