ShadowPad staging through WSUS RCE

**CVE-2025-59287** is a **critical WSUS RCE flaw** in **Windows Server Update Services** that can put update infrastructure at risk. Microsoft patched the bug in **October 2025**, and recent reporting says **threat actors** are exploiting it on **WSUS-enabled Windows Servers** for **initial access**. In the observed activity, attackers used **PowerCat**, **certutil.exe**, and **curl.exe** to reach an external server and deploy **ShadowPad** via **DLL side-loading**. The exploit can enable **remote code execution with system privileges**, making exposed WSUS instances a high-priority target.

**CVE-2025-59287** is being actively exploited against **WSUS-enabled Windows Server** systems, creating **SYSTEM-level remote code execution** risk on exposed servers. The wave matters because **public proof-of-concept code** accelerated abuse, and defenders have already observed **scanning and exploitation attempts** on **2025-10-24**. **Microsoft** issued out-of-band fixes for affected Windows Server versions, while **Eye Security** and **NCSC-NL** warned that publicly reachable WSUS instances remain at elevated risk.

**Microsoft** released **out-of-band** security updates for **CVE-2025-59287**, a critical **WSUS** remote code execution flaw affecting **Windows Server** systems with the **WSUS Server Role** enabled. The emergency patches address a bug with **publicly available proof-of-concept exploit code**, raising the urgency for administrators running exposed update servers. Microsoft also advised immediate installation or temporary workarounds such as disabling WSUS or blocking **Ports 8530 and 8531**.