Hackers Exploiting Windows Server Update Services Flaw To Stea...
A Windows Server Update Services (WSUS) vulnerability is being actively exploited in the wild. Criminals are using this vulnerability to steal sensitive data from organizations in various industries.
The vulnerability, tracked as CVE-2025-59287, was patched by Microsoft on October 14, 2025, but attackers quickly began abusing it after proof-of-concept code became publicly available on GitHub.
Sophos telemetry indicates that exploitation began on October 24, 2025, just hours after technical analysis and exploit code were released online.
The threat actors targeted internet-facing WSUS servers in universities, technology companies, manufacturing firms, and healthcare organizations, primarily based in the United States.
While Sophos has confirmed six incidents so far, security experts believe the actual number of compromised organizations is significantly higher.
Sophos researchers have identified real-world exploitation of a newly disclosed vulnerability in Windows Server Update Services (WSUS), where threat actors are harvesting sensitive data from organizations.
The exploitation leverages a critical deserialization bug in WSUS that allows unauthenticated remote code execution. When attackers target vulnerable servers, they inject Base64-encoded PowerShell commands through nested command processes running under IIS worker privileges.
The malicious script executes silently on compromised systems, gathering valuable intelligence about targeted organizations.
The harvested data includes external IP addresses and ports of vulnerable hosts, enumerated lists of Active Directory domain users, and detailed network interface configurations. This information is then exfiltrated to webhook.site URLs controlled by the attackers.
Sophos researchers discovered four unique webhook.site URLs associated with the attacks, with three linked to the platform’s free service tier.
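As an added defender's example (not code from the Sophos report or this article), the detection below runs over constructed Sysmon-style process-creation events and flags the pattern described above: PowerShell launched with an encoded command whose parent chain leads back through nested cmd.exe processes to the IIS worker, with the Base64 payload decoded and checked for a webhook.site reference. The w3wp.exe process name, the event field names and all sample events are assumptions constructed for the example.

```python
import base64
import re
IIS_WORKER = "w3wp.exe"        # IIS worker process name (assumption; not named in the report)
EXFIL_DOMAIN = "webhook.site"  # exfiltration service named in the report
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (Base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def has_iis_ancestor(event, by_pid):
    """Walk the parent chain (cycle-safe); True if any ancestor is the IIS worker."""
    pid, seen = event["ppid"], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        if by_pid[pid]["image"].lower().endswith(IIS_WORKER):
            return True
        pid = by_pid[pid]["ppid"]
    return False

def find_suspicious(events):
    """Flag encoded PowerShell descended from IIS whose decoded script names webhook.site."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not e["image"].lower().endswith("powershell.exe"):
            continue
        decoded = decode_encoded_command(e["cmdline"])
        if decoded and has_iis_ancestor(e, by_pid) and EXFIL_DOMAIN in decoded.lower():
            hits.append((e["pid"], decoded))
    return hits

def encode_ps(script):  # Base64 of UTF-16LE, the form -EncodedCommand expects; builds the sample only
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed events (not real telemetry). Chain: w3wp.exe -> cmd.exe -> cmd.exe -> powershell.exe; benign: explorer.exe -> powershell.exe
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"pid": 4100, "ppid": 700, "image": r"C:\Windows\System32\inetsrv\w3wp.exe", "cmdline": "w3wp.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c cmd.exe /c powershell ..."},
    {"pid": 4213, "ppid": 4212, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c powershell ..."},
    {"pid": 4220, "ppid": 4213, "image": PS,
     "cmdline": "powershell.exe -nop -w hidden -enc " + encode_ps("$u = 'https://webhook.site/PLACEHOLDER-ID'")},
    {"pid": 5000, "ppid": 900, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 5010, "ppid": 5000, "image": PS, "cmdline": "powershell.exe -enc " + encode_ps("Get-Date")},
]
```

Running `find_suspicious(SAMPLE_EVENTS)` flags only pid 4220; the encoded PowerShell launched from explorer.exe has no IIS ancestor and no webhook.site reference, so it is left alone.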
Source: Cybersecurity News