WSUS servers CVE-2025-59287 exploitation wave

Exploitation Wave
Happening score (H score): 61
2 unique sources, 3 articles

Summary

CVE-2025-59287 is being actively exploited against WSUS-enabled Windows Server systems, creating SYSTEM-level remote code execution risk on exposed servers. The wave matters because public proof-of-concept code accelerated abuse, and defenders have already observed scanning and exploitation attempts on 2025-10-24. Microsoft issued out-of-band fixes for affected Windows Server versions, while Eye Security and NCSC-NL warned that publicly reachable WSUS instances remain at elevated risk.

Related Happenings

Microsoft security patch release for CVE-2026-41091 and CVE-2026-45498

Security Patch Release
First: 21.05.2026 10:49 Last: 21.05.2026 10:49 Sources 1

About this happening: Microsoft rolled out security updates for Defender and related malware protection components to address two zero-days: CVE-2026-41091 and CVE-2026-45498. The fixes cover affected...

Latest development: 21.05.2026 12:52

Microsoft released patches for Microsoft Defender Antimalware Platform version 4.18.26040.7 to address CVE-2026-41091, a link-following privilege-escalation flaw that can let an authorized attacker elevate privileges locally to System, and CVE-2026-45498, a denial-of-service flaw. Microsoft said both vulnerabilities were publicly disclosed and exploited in the wild as zero-days. CISA added both flaws to its Known Exploited Vulnerabilities (KEV) list and urged federal agencies to patch them by June 3.

Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)

Vulnerability
First: 21.05.2026 10:49 Last: 21.05.2026 10:49 Sources 1

About this happening: Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...

Microsoft May 2026 Patch Tuesday release

Security Patch Release
First: 13.05.2026 13:36 Last: 13.05.2026 13:36 Sources 1

About this happening: Microsoft's **May 13, 2026 Patch Tuesday** release fixed **138 vulnerabilities** across its product portfolio, including **Windows**, **Azure**, and **Edge**. None of the flaws we...

Microsoft Windows 11 mandatory Patch Tuesday updates (KB5089549, KB5087420)

Security Patch Release
First: 12.05.2026 21:09 Last: 12.05.2026 21:09 Sources 1

About this happening: Microsoft released **mandatory Windows 11 cumulative updates** for **KB5089549** and **KB5087420**, delivering the **May 2026 Patch Tuesday** fixes for **120 vulnerabilities** acr...

Windows zero-day exploitation wave

Exploitation Wave
First: 17.04.2026 09:14 Last: 17.04.2026 09:14 Sources 1

About this happening: **BlueHammer**, **RedSun**, and **UnDefend** are being exploited in the wild against **Windows** devices, creating active risk of **SYSTEM** or elevated administrator compromise....

Latest development: 23.04.2026 14:05

CISA added BlueHammer, tracked as CVE-2026-33825, to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to patch Microsoft Defender on Windows systems within two weeks, until May 7. The federal directive targets ongoing zero-day abuse of the flaw on U.S. government systems.

Timeline

  1. 24.10.2025 19:28 3 articles · 7mo ago

    Microsoft releases emergency WSUS fixes

    Mitigation Patch Update

    Microsoft released out-of-band security updates for Windows Server 2025 (KB5070881), Windows Server, version 23H2 (KB5070879), Windows Server 2022 (KB5070884), Windows Server 2019 (KB5070883), Windows Server 2016 (KB5070882), Windows Server 2012 R2 (KB5070886), and Windows Server 2012 (KB5070887) to comprehensively address CVE-2025-59287, and advised administrators to install them as soon as possible or disable the WSUS Server role on vulnerable systems.

  2. 24.10.2025 19:28 1 article · 7mo ago

    Eye Security observes exploitation attempts

    Exploitation Observed

    Eye Security observed scanning and exploitation attempts against CVE-2025-59287 on 2025-10-24, and at least one customer system was compromised using a different exploit than the HawkTrace proof-of-concept code.

  3. 24.10.2025 19:28 1 article · 7mo ago

    Public WSUS exposure and PoC risk are confirmed

    Campaign Scope Update

    Eye Security estimated roughly 2,500 WSUS instances worldwide, including 250 in Germany and about 100 in the Netherlands, while the Netherlands National Cyber Security Centre (NCSC-NL) confirmed exploitation of CVE-2025-59287 and warned that publicly available proof-of-concept code increases the risk of abuse.
