Security researchers at Sophos have uncovered active exploitation of a critical vulnerability in Windows Server Update Services (WSUS) that enables threat actors to harvest sensitive organizational data without requiring authentication.
The flaw has emerged as a significant threat to enterprise networks, with attackers demonstrating rapid mobilization following the public disclosure of technical details.
Critical Vulnerability Draws Immediate Attention
The remote code execution vulnerability, designated as CVE-2025-59287, has attracted widespread exploitation attempts since Microsoft released security patches on October 14, 2025, with an additional emergency out-of-band update following on October 23.
The situation escalated dramatically when proof-of-concept code appeared on GitHub, triggering a wave of coordinated attacks against internet-facing WSUS servers within hours of the technical analysis becoming publicly available.
Sophos Counter Threat Unit researchers detected the first active exploitation on October 24, 2025, at 02:53 UTC, marking the beginning of systematic attacks targeting organizations across technology, healthcare, manufacturing, and educational sectors.
The exploitation campaign primarily affected organizations based in the United States, with preliminary analysis suggesting approximately 50 victims may have been compromised, though Sophos confirmed at least six incidents across their customer environments.
The exploitation technique observed by security researchers demonstrates advanced capabilities leveraging a deserialization bug within WSUS.
Threat actors execute Base64-encoded PowerShell commands through nested cmd.exe processes that run within IIS worker processes, establishing a foothold for data collection activities.
Once successfully deployed, the malicious PowerShell script systematically extracts critical organizational information, including external IP addresses and port configurations, comprehensive lists of Active Directory domain users, and detailed network interface configurations.
The harvested data is then exfiltrated to external webhook.site URLs controlled by the attackers; the script falls back to native curl commands when the initial upload attempt fails, so the theft succeeds even when the first transfer method is blocked.
Analysis of the publicly accessible webhook.site URLs revealed sensitive information dumps containing domain user details and network configurations from multiple organizations, including universities, technology companies, manufacturing firms, and healthcare providers.
The attackers’ decision to utilize free webhook.site services with visible request histories inadvertently allowed researchers to document the full extent of exploitation activity.
Between 02:53 UTC and 11:32 UTC on October 24, threat actors reached the maximum 100-request limit on available webhook URLs, demonstrating the intensive reconnaissance activity targeting vulnerable systems.
This concentrated timeframe highlights the coordinated nature of the exploitation campaign.
Security experts, alongside government agencies including CISA and NSA, are urging organizations to implement immediate protective measures.
Critical actions include applying available patches to all WSUS installations, identifying internet-exposed WSUS servers, and restricting access to WSUS ports 8530 and 8531 through network segmentation and firewall policies.
Organizations should also conduct thorough reviews of system logs for indicators of scanning and exploitation attempts.
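One such log review, written here as an added example rather than anything from Sophos or Microsoft: it walks constructed Sysmon-style process-creation events, looks for encoded PowerShell whose ancestry runs through cmd.exe back to the IIS worker process (w3wp.exe, the process that hosts the WSUS web services), decodes the command and checks it for the indicators the article names. The event format, PIDs and the harmless encoded fragment are all constructed for the example.

```python
import base64
import re

# Constructed sample process-creation events (Sysmon-style, one per line). The
# encoded command decodes to a harmless fragment that only carries the
# indicators the article describes (a webhook.site URL, a network-config query).
ENCODED = base64.b64encode(
    "$u='https://webhook.site/PLACEHOLDER-ID'; Get-NetIPConfiguration".encode("utf-16-le")
).decode()
SAMPLE_EVENTS = [
    r'pid=4112 ppid=3008 image=C:\Windows\System32\inetsrv\w3wp.exe cmdline="w3wp.exe -ap WsusPool"',
    r'pid=5120 ppid=4112 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c cmd.exe /c powershell -enc ' + ENCODED + '"',
    r'pid=5124 ppid=5120 image=C:\Windows\System32\cmd.exe cmdline="cmd.exe /c powershell -enc ' + ENCODED + '"',
    r'pid=5130 ppid=5124 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -enc ' + ENCODED + '"',
    r'pid=6001 ppid=900 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe cmdline="powershell -File C:\scripts\backup.ps1"',
]
EVENT_RE = re.compile(r'pid=(\d+) ppid=(\d+) image=(\S+) cmdline="(.*)"')
ENC_RE = re.compile(r"-(?:enc|encodedcommand|ec)\s+([A-Za-z0-9+/=]+)", re.I)
INDICATORS = ("webhook.site", "curl", "Get-NetIPConfiguration", "Get-ADUser")

def parse_events(lines):
    """Map pid -> (ppid, image basename, command line)."""
    procs = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if m:
            pid, ppid, image, cmdline = m.groups()
            procs[int(pid)] = (int(ppid), image.rsplit("\\", 1)[-1].lower(), cmdline)
    return procs

def ancestry(procs, pid):
    """Image names from the process up through every ancestor present in the log."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, image, _ = procs[pid]
        chain.append(image)
        pid = ppid
    return chain

def find_suspicious(lines):
    """Flag encoded PowerShell whose parent chain runs cmd.exe back to w3wp.exe."""
    procs = parse_events(lines)
    findings = []
    for pid, (_, image, cmdline) in procs.items():
        m = ENC_RE.search(cmdline) if image == "powershell.exe" else None
        if not m:
            continue
        chain = ancestry(procs, pid)
        if "w3wp.exe" not in chain or "cmd.exe" not in chain:
            continue  # encoded PowerShell alone is common; the IIS lineage is the signal
        try:  # -EncodedCommand is Base64 over UTF-16LE text
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        hits = [i for i in INDICATORS if i.lower() in decoded.lower()]
        findings.append({"pid": pid, "chain": " <- ".join(chain), "indicators": hits})
    return findings
```

Real 4688 or Sysmon Event ID 1 records carry the same fields under different names; only `parse_events` needs adapting to the export format in use.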
The rapid exploitation of CVE-2025-59287 underscores the critical importance of timely patching and robust network segmentation in maintaining organizational security postures against increasingly sophisticated threat actors.
| CVE ID | Affected Product | Vulnerability Type | CVSS 3.1 Score | Attack Vector | Authentication Required | Impact | 
|---|---|---|---|---|---|---|
| CVE-2025-59287 | Windows Server Update Services (WSUS) | Remote Code Execution / Deserialization | Not Available | Network | None | Critical – Enables unauthorized data exfiltration, Active Directory enumeration, and network reconnaissance | 