
Skuld Infostealer Exploits WSUS Flaw (CVE-2025-59287)

▼ Summary

– Attackers are exploiting the WSUS vulnerability CVE-2025-59287 to deploy infostealer malware on unpatched Windows servers.
– The vulnerability allows remote, unauthenticated attackers to execute malicious code with the highest system privileges through unsafe deserialization.
– Exploitation has been observed across various industries, with victims primarily in the United States, and involves data exfiltration and reconnaissance.
– Attackers are opportunistically targeting any vulnerable internet-facing Windows Server with WSUS enabled, not specific organizations.
– Defenders should apply the emergency security patch for CVE-2025-59287 and investigate their networks for signs of threat activity.

A critical security flaw within Windows Server Update Services (WSUS), identified as CVE-2025-59287, is now being actively exploited by attackers to install information-stealing malware on vulnerable systems. This remote code execution vulnerability prompted Microsoft to issue an emergency, out-of-band patch last week. However, with a publicly available proof-of-concept exploit and the potential for the patch itself to be reverse-engineered, threat actors quickly developed their own tools to target unpatched, internet-facing Windows Servers.

Security firms were among the first to observe suspicious activity linked to this vulnerability. Analysts noted that the attacks in the wild were more sophisticated than the initial proof-of-concept, indicating the threat actors possessed capabilities beyond those of simple script kiddies. Incident responders from Huntress confirmed successful compromises where attackers executed commands for network reconnaissance, gathered and exfiltrated sensitive data, and prepared systems for lateral movement or credential harvesting.

The core of the vulnerability is the unsafe deserialization of untrusted data. Researchers have detailed multiple attack paths. One method sends a specially crafted request to the GetCookie() endpoint, which causes the server to deserialize an attacker-controlled AuthorizationCookie object using the insecure BinaryFormatter. An alternative path targets the ReportingWebService to trigger unsafe deserialization via the SoapFormatter. In both scenarios a remote, unauthenticated attacker can make the WSUS service run attacker-supplied code with the highest level of system privileges, effectively granting full control of the server.
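To make the bug class concrete, the following added example (not WSUS code, and not the proof-of-concept the article refers to) reproduces the pattern with Python's pickle, which plays the same role as .NET's BinaryFormatter: both serializers let the serialized stream name a type or callable that the loader resolves and invokes. The names AuthorizationCookie, Gadget, attacker_beacon and BEACONS are constructed for the demonstration; the beacon only records the URL it was handed instead of contacting it.

```python
"""Unsafe deserialization illustrated with pickle as a stand-in for
.NET BinaryFormatter/SoapFormatter. Added example, not WSUS code.
Constructed names: AuthorizationCookie, Gadget, attacker_beacon, BEACONS."""
import io
import json
import pickle

BEACONS = []  # constructed stand-in for "code ran during deserialization"


def attacker_beacon(url):
    """Stand-in for the attacker's payload: records the URL it would contact
    instead of downloading a second stage or exfiltrating data."""
    BEACONS.append(url)
    return "beaconed"


class AuthorizationCookie:
    """Constructed stand-in for the legitimate object the service expects."""

    def __init__(self, client_id, target_group):
        self.client_id = client_id
        self.target_group = target_group


class Gadget:
    """Attacker-side class. pickle stores the (callable, args) pair returned by
    __reduce__, and the loader calls it at load time. The server never sees
    this class, only a serialized reference to attacker_beacon."""

    def __reduce__(self):
        return (attacker_beacon, ("https://webhook.site/constructed-example",))


def vulnerable_load(blob):
    """The bug: a blob taken from the network is deserialized unrestricted,
    so whatever callable it names gets resolved and executed."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Defense in depth: an allowlist of the only globals the stream may
    reference (the analogue of a restrictive .NET SerializationBinder)."""

    ALLOWED = {(__name__, "AuthorizationCookie")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def cookie_from_json(text):
    """Preferred fix: carry the cookie in a format that encodes data only,
    validated against a fixed schema, so no type or callable can be named."""
    data = json.loads(text)
    if set(data) != {"client_id", "target_group"}:
        raise ValueError("unexpected cookie fields")
    return AuthorizationCookie(str(data["client_id"]), str(data["target_group"]))


def demo():
    legit = pickle.dumps(AuthorizationCookie("client-01", "Unassigned Computers"))
    malicious = pickle.dumps(Gadget())  # contains no Gadget code, only the reference
    results = {}

    before = len(BEACONS)
    vulnerable_load(malicious)
    results["vulnerable_ran_gadget"] = len(BEACONS) == before + 1

    results["hardened_accepts_cookie"] = hardened_load(legit).client_id == "client-01"
    try:
        hardened_load(malicious)
        results["hardened_blocks_gadget"] = False
    except pickle.UnpicklingError:
        results["hardened_blocks_gadget"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The allowlisting unpickler stops this particular gadget, but an allowlist is only as good as the types on it, which is why Microsoft's long-standing guidance is to stop deserializing untrusted input with BinaryFormatter altogether rather than to bind it more tightly; cookie_from_json shows that shape of fix.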

While initial reports suggested only a limited number of organizations were impacted, security experts anticipate that ransomware groups will likely begin leveraging this flaw. Sophos has detected exploitation of the WSUS vulnerability across multiple customer environments in various industries, including technology, manufacturing, and healthcare. Although the specific exploit used wasn't identified, researchers analyzed exfiltrated data sent to webhook.site URLs, which contained dumps of domain user and network interface information from several universities and other organizations, with most victims based in the United States. Scans confirmed that the public IP addresses in those dumps belonged to Windows servers with the default WSUS ports 8530 and 8531 exposed to the internet.

Further analysis by threat research teams reveals a pattern of varied follow-up activities, demonstrating how a single CVE can be weaponized to achieve different malicious objectives. In one documented attack, investigators observed data being exfiltrated to webhook.site URLs. The attackers then downloaded the legitimate digital forensics and incident response (DFIR) tool Velociraptor, configuring it to establish a command and control tunnel. This was followed by the deployment of a malicious payload: a UPX-packed Windows binary containing the open-source Skuld Stealer. This infostealer is capable of harvesting a wide range of sensitive information, including cryptocurrency wallets, files, system details, browser data, and authentication tokens.

The current wave of attacks does not appear to be highly targeted. Instead, attackers are taking an opportunistic approach, scanning for and compromising every vulnerable Windows Server they can find on the internet by sending a specially crafted request to its WSUS service.

In response to the active exploitation, the Cybersecurity and Infrastructure Security Agency (CISA) has updated its initial alert with revised guidance on identifying vulnerable systems and detecting potential threat activity. The primary recommendation for all organizations running Windows Server with the WSUS role is to immediately identify vulnerable servers, apply the emergency security update for CVE-2025-59287, and reboot them, which the update requires to take effect. CISA also advises that, in addition to monitoring endpoint security platforms, organizations should proactively investigate their networks for any signs of a security breach.
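The indicators the article reports (exfiltration to webhook.site, Velociraptor turned into a C2 tunnel, a UPX-packed Skuld binary, and WSUS ports 8530/8531 reachable from the internet) translate directly into triage checks. The following added example is not CISA, Sophos or Huntress tooling; it runs the checks over constructed telemetry records (process, network and file events in a simplified dictionary form, plus a listener inventory) and a constructed allowlist of where Velociraptor is expected to live. Velociraptor is a legitimate DFIR tool, so the signal is an instance the security team did not deploy, not the binary itself.

```python
"""Triage checks for the post-exploitation indicators described in the
article. Added example with constructed sample data; not vendor tooling.
Constructed: SAMPLE_EVENTS, SAMPLE_LISTENERS, APPROVED_VELOCIRAPTOR_DIRS."""
import ipaddress
from urllib.parse import urlparse

WSUS_PORTS = {8530, 8531}  # WSUS defaults named in the article
# Constructed allowlist: where our own Velociraptor agent is installed.
APPROVED_VELOCIRAPTOR_DIRS = {r"c:\program files\velociraptor"}


def is_upx_packed(pe_head):
    """Heuristic from the packer's own markers: UPX names its sections
    UPX0/UPX1 and leaves a 'UPX!' marker; a hit warrants unpacking, not
    a verdict on its own."""
    head = pe_head[:4096]
    return b"UPX!" in head or b"UPX0" in head


def exposed_wsus_listeners(listeners):
    """listeners: iterable of (bound_ip, port). Flags WSUS ports bound on
    globally routable addresses, i.e. the population the attackers scan for."""
    return [
        (ip, port)
        for ip, port in listeners
        if port in WSUS_PORTS and ipaddress.ip_address(ip).is_global
    ]


def _is_webhook_site(url):
    host = (urlparse(url).hostname or "").lower()
    return host == "webhook.site" or host.endswith(".webhook.site")


def triage(events):
    """Returns (rule, pid, detail) tuples for every event matching a rule."""
    hits = []
    for e in events:
        if e["type"] == "network" and _is_webhook_site(e["url"]):
            hits.append(("webhook_site_exfil", e["pid"], e["url"]))
        elif e["type"] == "process":
            image = e["image"].lower()
            folder, _, name = image.rpartition("\\")
            if name.startswith("velociraptor") and folder not in APPROVED_VELOCIRAPTOR_DIRS:
                hits.append(("unexpected_velociraptor", e["pid"], e["image"]))
        elif e["type"] == "file" and is_upx_packed(e["head"]):
            hits.append(("upx_packed_binary", e["pid"], e["path"]))
    return hits


# Constructed telemetry: one legitimate agent, one rogue copy, one exfil
# request, one packed dropped binary and one ordinary unpacked one.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 4100, "image": r"C:\Program Files\Velociraptor\velociraptor.exe"},
    {"type": "process", "pid": 5120, "image": r"C:\Windows\Temp\velociraptor.exe"},
    {"type": "network", "pid": 5008, "url": "https://webhook.site/constructed-example"},
    {"type": "network", "pid": 5008, "url": "https://update.example.invalid/catalog"},
    {"type": "file", "pid": 5120, "path": r"C:\Windows\Temp\svc.exe",
     "head": b"MZ" + b"\x00" * 120 + b"UPX0" + b"\x00" * 8 + b"UPX1"},
    {"type": "file", "pid": 800, "path": r"C:\Windows\System32\notepad.exe",
     "head": b"MZ" + b"\x00" * 120 + b".text" + b"\x00" * 8 + b".rdata"},
]
# Constructed listener inventory: 1.2.3.4 stands in for a public address.
SAMPLE_LISTENERS = [("1.2.3.4", 8530), ("10.0.0.5", 8531), ("1.2.3.4", 443)]


def run_demo():
    return {"hits": triage(SAMPLE_EVENTS), "exposed": exposed_wsus_listeners(SAMPLE_LISTENERS)}


if __name__ == "__main__":
    for line in run_demo()["hits"]:
        print(*line)
    print("exposed WSUS listeners:", run_demo()["exposed"])
```

Any server that shows up in exposed_wsus_listeners is both a patching priority and a candidate for the other three checks, since the article describes exploitation as opportunistic against exactly that population.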

(Source: HelpNet Security)
