Attackers exploit patched WSUS flaw to deploy infostealer on unpatched Windows servers

Security teams have observed attackers exploiting the recently patched Windows Server Update Services vulnerability CVE-2025-59287 to install infostealer malware on unpatched Windows servers with the WSUS role exposed to the internet. A proof-of-concept exploit had been published before the emergency patch, and researchers say the fix could be reverse-engineered, enabling active exploitation; early activity was reported by multiple sources, including the published PoC and an Eye Security report.

Industry researchers described the vulnerability as unsafe deserialization of untrusted data that can be triggered through several endpoints, including a specially crafted request to the GetCookie endpoint and to the ReportingWebService, both of which misuse legacy formatters to deserialize client-supplied objects. Palo Alto Networks threat analysts provided technical details of these paths and said exploitation can result in execution of arbitrary code with high system privileges.

Incident responders reported a range of post-exploitation behaviours. Huntress observed attackers performing network reconnaissance, data collection and exfiltration, and staging for lateral movement and credential harvesting in successful breaches. Eye Security said only a few of its customers were affected so far and that it expects ransomware groups could leverage the flaw, though it had not seen ransoms tied to this vulnerability at the time of its report.

Sophos researchers found evidence that attackers exfiltrated data to two webhook.site URLs and that the stolen content included domain user and interface information from universities and organisations in technology, manufacturing and healthcare, with most victims in the United States; Sophos also noted that Censys scan data correlated affected public interfaces to Windows servers with default WSUS ports 8530 and 8531 exposed.

Other analysis identified follow-up tooling and payloads. Darktrace analysts reported cases where attackers downloaded the legitimate DFIR tool Velociraptor to establish a tunnel for command-and-control and then fetched a UPX-packed Windows binary containing the open-source Skuld Stealer, which can harvest crypto wallets, files, system information and browser tokens; Darktrace published its findings on the varied post-exploitation activity.

Federal and industry guidance advises organisations to identify vulnerable WSUS servers, apply the out-of-band security update for CVE-2025-59287 and reboot affected systems, and to investigate signs of compromise. The Cybersecurity and Infrastructure Security Agency has updated its alert with revised detection guidance and product identification information.
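The guidance above comes down to two questions for a defender: did untrusted sources reach the WSUS deserialization endpoints on the default ports, and did the server talk to the webhook.site exfiltration infrastructure that Sophos described? The following triage script is an added example written for this article; it is not code from Microsoft, CISA, Sophos, Huntress, Eye Security, Darktrace or Palo Alto Networks. It parses IIS W3C log lines and a simple outbound proxy log and flags both conditions. Assumptions: the GetCookie and reporting handlers live under the standard WSUS virtual directories `/ClientWebService/Client.asmx` and `/ReportingWebService/ReportingWebService.asmx`, WSUS listens on 8530/8531, and the sample log lines (with RFC 5737 documentation addresses standing in for internet sources) are constructed for the demonstration.

```python
"""Triage IIS and proxy logs for signs of CVE-2025-59287 exploitation.

Added example for this article; not vendor or CISA code. All sample data below
is constructed, and the endpoint/port matching is a heuristic, not a signature.
"""
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# WSUS web service paths whose SOAP handlers deserialize client-supplied data
# (GetCookie on the client web service, and the reporting web service).
# Standard WSUS virtual directories; compared case-insensitively.
WSUS_SUSPECT_PATHS = (
    "/clientwebservice/client.asmx",
    "/reportingwebservice/reportingwebservice.asmx",
)
WSUS_DEFAULT_PORTS = {8530, 8531}

# Exfiltration destinations named in the reporting; extend for your environment.
EXFIL_DOMAINS = ("webhook.site",)

# "Internal" means RFC 1918 or loopback. ipaddress.is_private is deliberately
# not used because it also treats the RFC 5737 documentation ranges used in
# the sample below as private.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


@dataclass
class Finding:
    kind: str    # short classification of the hit
    src: str     # client IP (IIS) or source IP (proxy)
    detail: str  # what was requested


def is_external(ip: str) -> bool:
    """True if the address is outside the internal ranges (or unparsable)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # garbage in the c-ip field is itself suspicious
    return not any(addr in net for net in INTERNAL_NETS)


def parse_iis_w3c(lines):
    """Yield one dict per data line, keyed by the names in the #Fields directive."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")  # IIS encodes embedded spaces as '+'
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def triage_iis(lines, wsus_ports=WSUS_DEFAULT_PORTS):
    """Flag POSTs to the WSUS deserialization endpoints from non-internal clients."""
    findings = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "").lower()
        try:
            port = int(rec.get("s-port", "0"))
        except ValueError:
            continue
        client = rec.get("c-ip", "")
        if (rec.get("cs-method") == "POST" and port in wsus_ports
                and stem in WSUS_SUSPECT_PATHS and is_external(client)):
            findings.append(Finding("wsus-endpoint-external", client, f"POST {stem}:{port}"))
    return findings


def triage_proxy(lines):
    """Flag outbound requests to known exfiltration domains.

    Assumed proxy line layout: <timestamp> <src-ip> <method> <url> <status>.
    """
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        src, url = parts[1], parts[3]
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in EXFIL_DOMAINS):
            findings.append(Finding("exfil-webhook", src, url))
    return findings


# Constructed sample logs (not real traffic). 10.0.0.5 is the WSUS server;
# 203.0.113.9 and 198.51.100.4 stand in for internet-facing sources.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2025-10-24 09:12:01 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 10.0.0.77 Windows-Update-Agent 200
2025-10-24 09:12:44 10.0.0.5 POST /ClientWebService/Client.asmx - 8530 203.0.113.9 python-requests/2.31 200
2025-10-24 09:13:02 10.0.0.5 GET /selfupdate/wuident.cab - 8530 198.51.100.4 Windows-Update-Agent 200
2025-10-24 09:13:10 10.0.0.5 POST /ReportingWebService/ReportingWebService.asmx - 8530 203.0.113.9 python-requests/2.31 500
"""

SAMPLE_PROXY_LOG = """\
2025-10-24T09:15:30Z 10.0.0.5 POST https://webhook.site/PLACEHOLDER-TOKEN 200
2025-10-24T09:16:02Z 10.0.0.40 GET https://www.example.com/index.html 200
"""

if __name__ == "__main__":
    for f in triage_iis(SAMPLE_IIS_LOG.splitlines()) + triage_proxy(SAMPLE_PROXY_LOG.splitlines()):
        print(f"[{f.kind}] src={f.src} {f.detail}")
```

Against the constructed sample, the IIS pass flags the two external POSTs from 203.0.113.9 (a normal Windows Update Agent check-in from an internal host and an external GET for the self-update cabinet are left alone), and the proxy pass flags the single webhook.site request originating from the WSUS server itself. A hit on the first check on an internet-exposed server that has not yet received the out-of-band update is the cue to treat the host as potentially compromised and pull the post-exploitation artefacts the reporting describes, rather than simply patching and moving on.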