Windows Server Update Services (WSUS) RCE bug (CVE-2025-59287)
Vulnerability
Summary
CVE-2025-59287 is a critical remote code execution flaw in Windows Server Update Services (WSUS) that puts an organization's update infrastructure at risk. Microsoft patched the bug in October 2025, and subsequent reporting says threat actors are exploiting it against WSUS-enabled Windows Servers for initial access. In the observed activity, attackers used PowerCat, certutil.exe, and curl.exe to reach an external server and then deployed ShadowPad via DLL side-loading. Successful exploitation yields remote code execution with SYSTEM privileges, so exposed WSUS instances are a high-priority target. According to later reporting, the WSUS patch also disabled Windows Server hotpatching, so hosts that have applied it should be checked for that side effect.
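The following PowerShell triage script is an added example and is not code from the page's sources or from Microsoft. It answers the two questions a defender wants on a suspected host: is this server actually running WSUS and listening on its default ports (8530/8531), and do recent process-creation events show the certutil.exe, curl.exe, or PowerCat activity described above. It assumes that process-creation auditing (Security event 4688) with command-line logging is enabled, and the specific command-line patterns it matches (certutil -urlcache, an http(s) URL, a PowerCat or TcpClient string) are this script's own heuristics, not indicators taken from the reporting.

```powershell
# Added WSUS triage script (not from the page's sources). Run elevated on a suspected WSUS host.
# Assumptions: WSUS listens on its default ports 8530/8531; Security 4688 auditing with
# command-line logging is enabled; the regexes below are heuristics for the reported tooling.

param(
    [int]$LookbackHours = 72   # how far back to search the Security log
)

# 1. Is the WSUS role present, and is the service listening (and on which interfaces)?
$wsusRole = $null
if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
    $wsusRole = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
}
$listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 8530, 8531 }

[pscustomobject]@{
    WsusRoleInstalled    = [bool]($wsusRole -and $wsusRole.Installed)
    ListeningOnWsusPorts = ($listening | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    BoundToAllInterfaces = [bool]($listening | Where-Object { $_.LocalAddress -in '0.0.0.0', '::' })
} | Format-List

# 2. Hunt process-creation events for the tooling reported in the intrusions.
$since  = (Get-Date).AddHours(-$LookbackHours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } `
    -ErrorAction SilentlyContinue

$suspicious = foreach ($ev in $events) {
    # Pull EventData fields by name rather than by positional index, which varies across OS builds.
    $data = @{}
    ([xml]$ev.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    $proc = [string]$data['NewProcessName']
    $cmd  = [string]$data['CommandLine']

    $hit = switch -Regex ($proc) {
        '\\certutil\.exe$'                { if ($cmd -match '(?i)-urlcache|https?://') { 'certutil download' } }
        '\\curl\.exe$'                    { if ($cmd -match '(?i)https?://')           { 'curl outbound' } }
        '\\powershell\.exe$|\\pwsh\.exe$' { if ($cmd -match '(?i)powercat|TcpClient')  { 'PowerCat-style reverse shell' } }
    }
    if ($hit) {
        [pscustomobject]@{
            Time        = $ev.TimeCreated
            Indicator   = $hit
            Parent      = $data['ParentProcessName']   # a WSUS/IIS parent here warrants escalation
            Process     = $proc
            CommandLine = $cmd
        }
    }
}

if ($suspicious) {
    $suspicious | Sort-Object Time | Format-Table -AutoSize -Wrap
} else {
    Write-Output "No certutil/curl/PowerCat indicators in Security 4688 events since $since."
}
```

A WSUS server bound to all interfaces with 8530/8531 reachable from outside the management network is the exposure the summary warns about; any hit in the second section whose parent process belongs to WSUS or IIS should be treated as a probable compromise rather than an administrator's download.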
Related Happenings
Microsoft Defender RoguePlanet race-condition zero-day remote code execution flaw
Vulnerability
H score: 39
First: 10.06.2026 02:11
Last: 10.06.2026 02:11
Sources: 1
About this happening:
Microsoft Defender zero-day RoguePlanet is a race-condition flaw affecting fully patched Windows 10 and Windows 11 systems. A public proof-of-concept exploit was released shortly...
Latest development: 10.06.2026 08:22
The anonymous security researcher Chaotic Eclipse, also known as Nightmare-Eclipse, released a proof-of-concept (PoC) exploit for the Microsoft Defender zero-day RoguePlanet under a new GitHub account named MSNightmare. The race-condition exploit can yield a SYSTEM-level shell and arbitrary code execution when it succeeds, has been tested on Windows 11 and Windows 10 with the June 2026 Patch Tuesday updates installed, and currently does not work on Windows Server without redesign because standard users cannot mount an ISO image there.
Rwl.angular-console (Nx Console) hit by network compromise
Incident
H score: 41
First: 19.05.2026 10:49
Last: 19.05.2026 10:49
Sources: 1
About this happening:
The **Nx Console** extension **rwl.angular-console 18.95.0** was compromised on the **VS Code Marketplace**, exposing **developers** to a **credential-stealing** payload and suppl...
Microsoft Defender false-positively flags DigiCert root certificates and removes some from Windows trust store
Security Tool/Service
H score: 10
First: 03.05.2026 21:11
Last: 03.05.2026 21:11
Sources: 1
About this happening:
**Microsoft Defender** began falsely flagging valid **DigiCert root certificates** as **Trojan:Win32/Cerdigent.A!dha**, creating widespread false positives and risking certificate...
Windows zero-day exploitation wave
Exploitation Wave
H score: 38
First: 17.04.2026 09:14
Last: 17.04.2026 09:14
Sources: 1
About this happening:
**BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....
Latest development: 23.04.2026 14:05
CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, by May 7. The directive responds to ongoing zero-day abuse of the flaw against U.S. government systems.
SolarWinds Web Help Desk (WHD) multi-stage exploitation wave
Exploitation Wave
H score: 63
First: 09.02.2026 16:42
Last: 09.02.2026 16:42
Sources: 1
About this happening:
**SolarWinds Web Help Desk (WHD)** exploitation is a **multi-stage intrusion wave** affecting **internet-exposed WHD instances**. The foothold remains unconfirmed, but the wave is...
Latest development: 10.03.2026 08:17
CISA added CVE-2025-26399 in SolarWinds Web Help Desk to its Known Exploited Vulnerabilities (KEV) catalog after evidence of active exploitation, and ordered Federal Civilian Executive Branch (FCEB) agencies to apply the fix by March 12, 2026. CISA noted that Microsoft and Huntress had reported threat actors using SolarWinds Web Help Desk flaws to obtain initial access, and attributed the activity to the Warlock ransomware crew.
Timeline
15.10.2025 00:53 4 articles · 8mo ago
Microsoft discloses WSUS RCE bug
Initial Disclosure: Microsoft disclosed CVE-2025-59287, a CVSS 9.8 remote code execution flaw in Windows Server Update Services (WSUS), and rated it "Exploitation More Likely". WSUS is used to centrally distribute and manage updates and patches, so organizations running the service should prioritize remediation to reduce the risk of compromise of the update infrastructure.
Sources:
- Microsoft Drops Terrifyingly Large October Patch Update — www.darkreading.com — 15.10.2025 00:53
- Microsoft: Patch for WSUS flaw disabled Windows Server hotpatching — www.bleepingcomputer.com — 03.11.2025 17:22
- ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access — thehackernews.com — 24.11.2025 09:18