Windows Server Update Service Exploitation: At Least 50 Victims Impacted

At least 50 organizations in the U.S. have been targeted by attacks exploiting a significant vulnerability in Windows Server Update Service (WSUS), according to cybersecurity firm Sophos. The vulnerability, tracked as CVE-2025-59287, involves the deserialization of untrusted data. A security update released by Microsoft in mid-October failed to protect against these threats, prompting the company to issue an emergency patch last week.

Sophos itself has detected six incidents linked to this exploitation but believes the actual number of victims exceeds 50. Rafe Pilling, director of threat intelligence at Sophos, remarked that this might indicate the start of a reconnaissance phase by attackers, who are likely analyzing the stolen data for further exploitation opportunities. The impacted organizations include technology firms, educational institutions, manufacturers, and healthcare providers.

Prior investigations by the Google Threat Intelligence Group connected the attacks to a hacking group known as UNC6512, which has conducted reconnaissance and data exfiltration from compromised systems. Research firm Eye Security has identified two separate actors involved in exploiting the vulnerability.

Sophos first reported signs of exploitation against its customers shortly after Microsoft issued the out-of-band patch on October 24. In the wake of these incidents, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog and urged organizations to apply the Microsoft updates and check for any signs of compromise in their systems.
