Remote Code Execution Vulnerabilities in Microsoft Update Services Exploited
A critical remote code execution (RCE) vulnerability was discovered in Microsoft's Update Health Tools (KB4023057), a utility designed to facilitate rapid security updates via Intune. Researchers found that a misconfiguration involving abandoned Azure blob storage allowed attackers to register a storage account and receive requests from vulnerable devices worldwide, enabling arbitrary code execution. Microsoft has since responded to the disclosure, and newer versions of the tool have addressed the issue, but devices running the original version remain at risk if not updated.
Separately, a remote code execution vulnerability in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287, was actively exploited by threat actors to deploy the ShadowPad backdoor malware. Attackers leveraged this flaw to gain system-level access using PowerCat and subsequently installed ShadowPad via certutil and curl. The exploitation of these vulnerabilities highlights the risks associated with update management tools and the importance of timely patching and secure configuration to prevent compromise by advanced persistent threats.
Sources
Related Stories
Microsoft WSUS Remote Code Execution Vulnerability Actively Exploited
Microsoft released an urgent out-of-band security update to address a critical remote code execution vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287. The flaw was reportedly under active exploitation in the wild, prompting Microsoft to issue a comprehensive fix outside of its regular update cycle. Security advisories and industry news highlighted the severity of the vulnerability and its inclusion in the U.S. CISA Known Exploited Vulnerabilities catalog, underscoring the immediate risk to organizations relying on WSUS for patch management. The vulnerability allowed attackers to potentially execute arbitrary code on affected WSUS servers, posing a significant threat to enterprise environments. Security experts urged organizations to apply the patch without delay to mitigate the risk of compromise. The rapid response from Microsoft and the attention from security agencies reflect the critical nature of the flaw and the ongoing threat landscape targeting core infrastructure components like WSUS.
4 months agoShadowPad Malware Deployed via Exploited WSUS CVE-2025-59287 Vulnerability
Threat actors have exploited a critical deserialization vulnerability in Microsoft Windows Server Update Services (WSUS), identified as CVE-2025-59287, to gain remote code execution with system privileges and deploy the ShadowPad backdoor. The attackers targeted publicly exposed WSUS-enabled Windows Servers, using the PowerCat utility to obtain a system shell and then leveraging legitimate Windows tools such as `curl.exe` and `certutil.exe` to download and install ShadowPad from an external server. ShadowPad, a modular backdoor associated with Chinese state-sponsored groups, is loaded via DLL side-loading techniques, specifically using a legitimate binary to execute a malicious DLL payload in memory. The vulnerability, which was patched by Microsoft in October, allows remote, unauthenticated attackers to trigger unsafe deserialization of `AuthorizationCookie` objects, leading to full system compromise. Security researchers from AhnLab and others have documented the attack chain, noting that the flaw has been added to CISA's Known Exploited Vulnerabilities catalog and that a public proof-of-concept exploit is available. The incident highlights the ongoing risk posed by unpatched WSUS servers and the sophisticated methods used by threat actors to maintain persistence and evade detection once ShadowPad is installed.
3 months agoActive Exploitation of WSUS Vulnerability and Urgent Security Guidance for Microsoft Exchange and WSUS Servers
Cybersecurity authorities including CISA and NSA, in collaboration with international partners, have issued urgent guidance to secure on-premise Microsoft Exchange Server and Windows Server Update Services (WSUS) instances. The recommendations emphasize restricting administrative access, enforcing multi-factor authentication, maintaining strict security baselines, and decommissioning end-of-life servers to mitigate ongoing threats. Organizations are urged to apply security updates promptly, enable advanced security features, and adopt zero trust principles to defend against persistent malicious activity targeting these critical Microsoft services. Simultaneously, a newly disclosed vulnerability in WSUS, tracked as CVE-2025-59287, is being actively exploited by cybercriminals to deploy the Skuld Stealer malware. Despite Microsoft's initial and subsequent out-of-band patches, attackers have leveraged the flaw to gain remote control over WSUS servers, using legitimate tools like PowerShell and cURL for malicious purposes. The exploitation prompted CISA to add the vulnerability to its list of known exploited vulnerabilities, underscoring the urgency for organizations to implement the latest security updates and follow best practices to protect their infrastructure.
4 months ago