ShadowPad staging through WSUS RCE

Attackers are exploiting **CVE-2025-59287** in **Windows Server Update Services (WSUS)** to turn exposed update servers into a live remote-code-execution path. The flaw affects **WSUS-enabled Windows Server** systems and can yield **SYSTEM-level** execution, making public WSUS deployments especially high-risk. Microsoft said it fixed the issue in **October 2025**, and public proof-of-concept code later increased the abuse risk. One observed intrusion chain used **PowerCat** to open a shell, then ran `certutil.exe` and `curl.exe` to contact `149.28.78[.]189:42306` and fetch **ShadowPad**. The malware was installed through **DLL side-loading** with `ETDCtrlHelper.exe` and `ETDApix.dll`. Eye Security saw scanning and exploitation attempts on **2025-10-24**, and **NCSC-NL** confirmed the activity. Available evidence puts the public WSUS exposure surface at roughly **2,500 instances worldwide**, with about **250 in Germany** and about **100 in the Netherlands**. Available evidence also says at least one customer system was compromised with a different exploit than the HawkTrace proof-of-concept. Microsoft later issued out-of-band security updates for affected Windows Server versions and provided temporary workarounds for systems that could not be patched immediately.