
Google: Microsoft WSUS Attacks Strike Multiple Organizations

Summary

– A critical Windows Server WSUS vulnerability (CVE-2025-59287) is under active exploitation despite Microsoft’s emergency patch and CISA’s catalog listing.
– Google Threat Intelligence Group confirmed UNC6512 is exploiting the flaw to conduct reconnaissance and exfiltrate data from multiple organizations.
– The vulnerability allows unauthenticated attackers to execute arbitrary code on affected Windows Server versions 2012-2025 with WSUS enabled.
– Trend Micro reports approximately 100,000 exploitation attempts in seven days against nearly 500,000 exposed WSUS servers, with indiscriminate targeting expected to increase.
– Palo Alto Networks warns compromised WSUS servers could enable attackers to push malicious updates to enterprises, creating catastrophic downstream effects.

A critical security flaw within Microsoft’s Windows Server Update Services (WSUS) is now under active attack, posing a severe risk to organizations globally. Identified as CVE-2025-59287, this remote code execution vulnerability affects Windows Server versions from 2012 through 2025 and has been added to the US Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. Microsoft’s initial patch, released on October’s Patch Tuesday, failed to fully resolve the issue, and an emergency update was deployed late last week. Security researchers report that exploitation attempts began almost immediately afterward.

Microsoft currently lists the vulnerability as not publicly disclosed or exploited, rating it only as “exploitation more likely.” However, the Google Threat Intelligence Group (GTIG) has confirmed it is actively investigating attacks by a newly identified threat actor, UNC6512, across multiple victim organizations. According to GTIG, following initial access, the attackers execute commands to perform reconnaissance on compromised hosts and their environments, followed by data exfiltration.

The vulnerability arises from the insecure deserialization of untrusted data, enabling unauthenticated attackers to run arbitrary code on vulnerable systems. Only servers with the WSUS role enabled are affected. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, stated, “We are seeing about 100,000 hits for exploitation of this bug within the last seven days.” He further noted that scans reveal just under 500,000 internet-facing servers with WSUS enabled. Due to the bug’s nature, he expects nearly every vulnerable server to be targeted eventually, with current attacks appearing indiscriminate across sectors and regions.

The potential impact is described as catastrophic for downstream entities, particularly when WSUS is exposed to the internet, contrary to default configurations. According to Justin Moore, senior manager of threat intelligence research at Palo Alto Networks’ Unit 42, while the number of exposed WSUS servers is limited, the consequences of compromise are severe. Attackers are targeting publicly exposed WSUS instances on default TCP ports 8530 and 8531. After gaining access, they run PowerShell commands, such as whoami, net user /domain, and ipconfig /all, to gather internal network information, which is then exfiltrated to attacker-controlled endpoints.
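The post-access activity described above (a WSUS-hosted process running PowerShell reconnaissance commands such as whoami, net user /domain and ipconfig /all) is the kind of behaviour host telemetry can catch even when the exploit itself is not recognised. The following is an added detection example written for this page; it is not code from the article, from Microsoft, or from any vendor quoted here. It assumes process-creation events in the shape shown (the fields Sysmon Event ID 1 or Windows Security event 4688 would supply) and it assumes that WSUS code executes inside the IIS worker process w3wp.exe for the WsusPool application pool and in wsusservice.exe. Those parent-process names and the sample events are assumptions constructed for the example, not facts taken from the article.

```python
"""
Added example: flag WSUS-hosted processes that spawn a shell running the
reconnaissance commands reported after CVE-2025-59287 exploitation.
"""
import re
from dataclasses import dataclass

# ASSUMPTION: WSUS runs in the IIS worker process for the "WsusPool" application
# pool and in the WSUS service process. The article does not name parent
# processes; adjust these to what your own telemetry shows.
WSUS_APP_POOL = "wsuspool"
WSUS_SERVICE = "wsusservice.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Reconnaissance commands named in the article, matched case-insensitively.
RECON_PATTERNS = [
    ("whoami", re.compile(r"\bwhoami\b", re.IGNORECASE)),
    ("net user /domain", re.compile(r"\bnet1?\s+user\b.*/domain", re.IGNORECASE)),
    ("ipconfig /all", re.compile(r"\bipconfig\b.*/all", re.IGNORECASE)),
]


@dataclass
class ProcEvent:
    """One process-creation record (subset of Sysmon EID 1 / Security 4688)."""
    host: str
    parent_image: str
    parent_command_line: str
    image: str
    command_line: str


def _basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wsus_parent(event):
    """True if the parent process is one in which WSUS code executes."""
    parent = _basename(event.parent_image)
    if parent == WSUS_SERVICE:
        return True
    if parent == "w3wp.exe":
        # IIS passes the pool name on the worker command line (-ap "WsusPool").
        return WSUS_APP_POOL in event.parent_command_line.lower()
    return False


def analyze(event):
    """Return alert reasons for one event; an empty list means no finding."""
    reasons = []
    if not is_wsus_parent(event):
        return reasons
    image = _basename(event.image)
    if image not in SHELLS:
        return reasons
    # A WSUS process launching any shell is unusual and worth a look on its own;
    # the recon commands below raise the confidence that it is post-exploitation.
    reasons.append(f"WSUS parent {_basename(event.parent_image)} spawned {image}")
    for name, pattern in RECON_PATTERNS:
        if pattern.search(event.command_line):
            reasons.append(f"recon command observed: {name}")
    return reasons


def scan(events):
    """Run analyze() over a batch and return (host, reasons) for each hit."""
    alerts = []
    for event in events:
        reasons = analyze(event)
        if reasons:
            alerts.append((event.host, reasons))
    return alerts


# Constructed sample events for demonstration; not real telemetry.
SAMPLE_EVENTS = [
    ProcEvent("wsus01", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r'C:\Windows\System32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"',
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -c "whoami; net user /domain; ipconfig /all"'),
    ProcEvent("ws-admin7", r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c ipconfig /all"),
    ProcEvent("web02", r"C:\Windows\System32\inetsrv\w3wp.exe",
              r'C:\Windows\System32\inetsrv\w3wp.exe -ap "DefaultAppPool"',
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
    ProcEvent("wsus01", r"C:\Program Files\Update Services\Service\WsusService.exe",
              r'"C:\Program Files\Update Services\Service\WsusService.exe"',
              r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami"),
]

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_EVENTS):
        print(host, "->", "; ".join(reasons))
```

The rule is deliberately scoped to the WsusPool worker and the WSUS service so that an administrator running ipconfig from a desktop does not fire it; widening the w3wp.exe check to any application pool is a reasonable choice on servers where no IIS site should ever spawn a shell. The example covers only the host-side indicators; whether a WSUS instance is reachable from the internet on TCP 8530 or 8531 is a separate check against the perimeter.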

Moore emphasized that the low attack complexity and availability of a proof-of-concept make this flaw attractive to opportunistic threat actors. At least one proof-of-concept has been circulating since October 21. Although only system information exfiltration has been observed so far, the ultimate objective is likely to use the compromised server to distribute malicious updates across enterprises, maximizing damage.

Childs had previously warned that this vulnerability would be targeted, noting that the initial incomplete patch increased risks by creating a false sense of security. He stressed the need for accountability, not only for patches that disrupt functionality but also for those that fail to fully address documented security issues. The situation underscores the persistent challenge of ensuring comprehensive vulnerability management in complex enterprise environments.

(Source: The Register)
