Windows Server Update Service RCE bug (CVE-2025-59287)

Vulnerability
Happening score (H score): 59
3 unique sources, 3 articles

Summary

CVE-2025-59287 is a critical remote code execution (RCE) flaw in Windows Server Update Services (WSUS) that can put update infrastructure at risk. Microsoft patched the bug in October 2025, and recent reporting says threat actors are exploiting it on WSUS-enabled Windows Servers for initial access. In the observed activity, attackers used PowerCat, certutil.exe, and curl.exe to reach an external server and deploy ShadowPad via DLL side-loading. Successful exploitation can enable remote code execution with SYSTEM privileges, making exposed WSUS instances a high-priority target.

Cases

Related Happenings

Rwl.angular-console (Nx Console) hit by network compromise

Incident
First: 19.05.2026 10:49 Last: 19.05.2026 10:49 Sources 1

About this happening: The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...

Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store

Security Tool/Service
First: 03.05.2026 21:11 Last: 03.05.2026 21:11 Sources 1

About this happening: **Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...

SolarWinds Web Help Desk (WHD) multi-stage exploitation wave

Exploitation Wave
First: 09.02.2026 16:42 Last: 09.02.2026 16:42 Sources 1

About this happening: **SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...

Latest development: 10.03.2026 08:17

CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation. The agency said Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, attributed the activity to the Warlock ransomware crew, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026.

Windows PowerShell 5.1 Invoke-WebRequest script-execution mitigation (CVE-2025-54100)

Advisory/Mitigation
First: 09.12.2025 22:45 Last: 09.12.2025 22:45 Sources 1

About this happening: **Microsoft** added a security confirmation prompt to **Windows PowerShell 5.1** so **Invoke-WebRequest** does not silently parse web pages in a way that could run embedded script...

ShadowPad malware deployed via WSUS exploitation

Malware Activity
First: 24.11.2025 09:18 Last: 24.11.2025 09:18 Sources 1

How related: "They then used PowerCat, an open-source PowerShell-based Netcat utility, to obtain a system shell (CMD). Subsequently, they downloaded and installed ShadowPad using certutil and curl."

About this happening: **ShadowPad** was **downloaded and installed** on **Windows Server WSUS** systems after attackers exploited **CVE-2025-59287**, extending the impact of the flaw beyond initial acc...

Timeline

  1. 15.10.2025 00:53 · 4 articles

    Microsoft discloses WSUS RCE bug

    Initial Disclosure

    Microsoft disclosed CVE-2025-59287, a CVSS 9.8 remote code execution flaw in Windows Server Update Services (WSUS), and tagged it as a vulnerability attackers are more likely to exploit. WSUS is used to centrally distribute and manage updates and patches, so organizations running the service should prioritize remediation to reduce the risk of compromise of the update infrastructure.