CVE-2025-59287
Published Oct 14, 2025
Last updated 25 days ago
AI description
CVE-2025-59287 is a remote code execution vulnerability affecting the Windows Server Update Service (WSUS). The vulnerability stems from the deserialization of untrusted data within WSUS. An unauthenticated, remote attacker could exploit this vulnerability by sending a crafted event that triggers unsafe object deserialization within a legacy serialization mechanism. Successful exploitation allows the attacker to execute arbitrary code on the target system.
- Description: Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.
- Source: secure@microsoft.com
- NVD status: Analyzed
- Products: windows_server_2012, windows_server_2016, windows_server_2019, windows_server_2022, windows_server_2022_23h2, windows_server_2025
CVSS 3.1
- Type: Secondary
- Base score: 9.8
- Impact score: 5.9
- Exploitability score: 3.9
- Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity: CRITICAL
Data from CISA
- Vulnerability name: Microsoft Windows Server Update Service (WSUS) Deserialization of Untrusted Data Vulnerability
- Exploit added on: Oct 24, 2025
- Exploit action due: Nov 14, 2025
- Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
- secure@microsoft.com: CWE-502
🚩 ShadowPad Malware Actively Exploits WSUS Vulnerability for Full System Access https://t.co/pOMMxFnhG1 Security teams warn that attackers are abusing a recently patched remote-code-execution flaw in Microsoft Windows Server Update Services (WSUS), tracked as CVE-2025-59287
@Huntio
4 Dec 2025
1977 Impressions
8 Retweets
23 Likes
5 Bookmarks
0 Replies
1 Quote
ShadowPad Malware Exploits WSUS Vulnerability for Full System Access 🚨💥 ShadowPad malware has been used to target Windows Servers with WSUS enabled, exploiting CVE-2025-59287 for initial access. Threat actors exploit this vulnerability to gain full system access. ⚠️ ht
@HackonomicNews
2 Dec 2025
61 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WSUS servers just became a hacker's favorite backdoor. CVE-2025-59287 turns trusted update systems into remote code execution launchpads. If your organization relies on Windows Server Update Services, this vulnerability changes everything. Attackers with authenticated access can
@Optrics
2 Dec 2025
47 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-59287
@transilienceai
2 Dec 2025
43 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
#VulnerabilityReport #cybersecurity CRITICAL ALERT: Windows Server WSUS Flaw Actively Exploited (CVE-2025-59287, CVSS 9.8) https://t.co/pln1QJKNim
@Komodosec
30 Nov 2025
53 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ShadowPad exploits WSUS RCE (CVE-2025-59287) to deliver payloads—patch WSUS now, monitor update traffic for anomalies. https://t.co/KBg8TEnh6o #infosec #CVE2025-59287 #RCE #Malware
@_UncleHacker_
30 Nov 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🐍 CVE-2025-59287 ⭐ 113 stars **"Discover the critical exploitation of CVE-2025-59287 on WSUS!"** #GitHub https://t.co/zuti3WiL9a
@clxymox
29 Nov 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🔴 CRITICAL: KB5068787 patches 2 zero-days actively exploited in the wild 🛡️ CVE-2025-62215 — Windows Kernel privilege escalation 🛡️ CVE-2025-59287 — WSUS remote code execution (CVSS 9.8) ⏰ WSUS servers: Patch within 24-48 hours 📖 Full deployment guide + st
@ctrlaltnod
29 Nov 2025
100 Impressions
1 Retweet
2 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Microsoft Windows Server Update Services [—] Nov 28, 2025 Security advisory regarding CVE-2025-59287 exploitation in Microsoft Windows Server Update Services. Checkout our Threat Intelligence Platform: https://t.co/QuwNtEgYh1... https://t.co/CXM3ZJQnRY
@transilienceai
28 Nov 2025
52 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ShadowPad Malware Actively Exploits WSUS Vulnerability (CVE-2025-59287) for Full System Access via @TheHackersNews #Proficio #ThreatNews #Cybersecurity #MSSP #MDR https://t.co/CNXqBlsgVa
@proficioinc
27 Nov 2025
78 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ShadowPad malware riding a WSUS bug (CVE-2025-59287) to spy on networks. Yes, even fully patched servers were hit. SMBs: treat this as a data-breach drill. Verify WSUS patches, review logs, and lock down update servers now. https://t.co/PxrVGRkkMr #CyberSecurity #PatchManagement
@lowcountrycyber
26 Nov 2025
46 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actor exploiting CVE-2025-59287 (Windows WSUS Remote Code Execution Vulnerability) from AS 30236 ( CRONOMAGIC-1 ) 🇨🇦 VirusTotal Detections: 0/95 🟢 Link to event 👇 https://t.co/peqKMdDL47
@DefusedCyber
26 Nov 2025
4339 Impressions
0 Retweets
11 Likes
2 Bookmarks
0 Replies
1 Quote
ShadowPad Malware Exploits New Windows Bug Millions at Risk A newly patched Windows flaw (CVE-2025-59287) is being actively exploited to hijack WSUS servers the core of Windows updates. Hackers are using built-in tools like curl and certutil to quietly install the
@sddatech
25 Nov 2025
36 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🚨 Hackers are using a fixed Windows bug (CVE-2025-59287) to spread ShadowPad malware through WSUS servers. They used normal Windows tools like curl and certutil to install it — a method seen before in Chinese hacking groups. Systems patched too late may have already been..
@bountyayush
25 Nov 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ShadowPad riding in on WSUS? Attackers abused CVE-2025-59287 to push malware via a now-patched bug. If you run WSUS, unpatched boxes mean data theft and quiet snooping. Patch all update servers and hunt for odd WSUS activity. https://t.co/PxrVGRkkMr #CyberSecurity #PatchNow
@lowcountrycyber
25 Nov 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) Nov 19 2025 https://t.co/AL3X4xPdLJ
@tdatwja
25 Nov 2025
275 Impressions
0 Retweets
3 Likes
1 Bookmark
0 Replies
0 Quotes
Warning: Critical remote code execution vulnerability, CVE-2025-59287, in Windows Server Update Services (WSUS) is actively exploited by threat actors to deliver #ShadowPad malware for initial access. https://t.co/Ote3TnXqTQ #Patch #Patch #Patch
@CCBalert
25 Nov 2025
55 Impressions
1 Retweet
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Cybersecurity experts have warned that the dangerous ShadowPad malware, taking advantage of the recently patched vulnerability (CVE-2025-59287) in the Windows Server update system, server
@VisionPointPK
25 Nov 2025
36 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
AhnLab SEcurity intelligence Center (ASEC) researchers reported that threat actors exploited a recently patched WSUS flaw (CVE-2025-59287) to deliver the ShadowPad malware. https://t.co/aWtWOaBHLl
@cyberkilllist
25 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Attackers are exploiting the critical #WSUS flaw #CVE-2025-59287 to gain SYSTEM-level remote code execution and deploy #ShadowPad, a modular backdoor linked to Chinese state-sponsored actors. They use #PowerCat for shell access, then download the payload with tools like certutil
@ZeroDayFacts
25 Nov 2025
50 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🔸 A new report from AhnLab shows that China-linked state threat actors are actively exploiting the CVE-2025-59287 vulnerability in Windows Server Update Services (WSUS). https
@nedawitter
25 Nov 2025
0 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Researchers reported that attackers exploited the patched WSUS flaw CVE-2025-59287 to deliver ShadowPad malware, using PowerCat for a shell and executing curl and certutil to install it, highlighting the critical need for organizations to patch and secur… https://t.co/9BVaq2UWd
@Cyber_O51NT
25 Nov 2025
740 Impressions
5 Retweets
8 Likes
1 Bookmark
0 Replies
0 Quotes
ShadowPad exploits WSUS vulnerability CVE-2025-59287 for SYSTEM privileges https://t.co/RgyR9SMGnj #Security #セキュリティー #ニュース
@SecureShield_
25 Nov 2025
2 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Critical WSUS flaw allows distribution of the ShadowPad malware: Attacks exploit the CVE-2025-59287 vulnerability in Windows Server Update Services to install ShadowPad, a modular backdoor used by Chinese groups, with remote execution and advanced persist
@caveiratech
24 Nov 2025
49 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
Threat actors leveraged the patched WSUS RCE (CVE-2025-59287) to drop ShadowPad, using a shell triggers log review for post-patch abuse. https://t.co/a88ydQxCKC #infosec #CVE2025-59287
@_UncleHacker_
24 Nov 2025
37 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ShadowPad riding in on your Windows updates? Attackers abused a WSUS bug (CVE-2025-59287) to drop malware and spy on networks. SMBs: patch WSUS now or risk data theft and quiet espionage. Details: https://t.co/PxrVGRkkMr #CyberSecurity #PatchManagement
@lowcountrycyber
24 Nov 2025
35 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Technical Release Report: ShadowPad Delivered Through Active Exploitation of WSUS Critical Flaw #CVE-2025-59287 https://t.co/nJ9MPip9lt
@UndercodeNews
24 Nov 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Analysis of the ShadowPad attack exploiting CVE-2025-59287 on WSUS Cyber Warfare, ahnlab, apt, backdoor, china, ShadowPad, WSUS https://t.co/7D6fL6Jutu https://t.co/H0q7ld2AND
@matricedigitale
24 Nov 2025
59 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨🚨Attackers are exploiting the critical WSUS flaw CVE-2025-59287 to gain SYSTEM-level remote code execution and deploy ShadowPad, a modular backdoor linked to Chinese state-sponsored actors. They use PowerCat for shell access, then download the payload with tools like htt
@H4ckmanac
24 Nov 2025
11841 Impressions
39 Retweets
105 Likes
39 Bookmarks
1 Reply
0 Quotes
ShadowPad malware is now being deployed through active exploitation of CVE-2025-59287 in WSUS. Attackers gain system-level access, use PowerCat for shells, then install ShadowPad via certutil/curl - all hidden through DLL side-loading. How prepared are orgs for attacks targeting
@TechNadu
24 Nov 2025
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
ShadowPad malware is actively exploiting the recently patched WSUS vulnerability CVE-2025-59287, enabling remote code execution and full system access via PowerShell tools. #ShadowPad #WSUSExploit #China https://t.co/Tf2DsFjwdA
@TweetThreatNews
24 Nov 2025
41 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Threat actors are exploiting a critical WSUS vulnerability (CVE-2025-59287) to deploy ShadowPad malware and gain full system access on Windows Servers. Update now! ⚠️ https://t.co/pFNConOsqQ #ShadowPad #WSUSExploit #CyberAttack #CVE202559287 #MalwareAlert
@0xT3chn0m4nc3r
24 Nov 2025
11 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
📌 Hackers exploited a recently patched security vulnerability in Windows Server Update Services (WSUS) to spread malware known as ShadowPad. The attackers targeted Windows servers that support WSUS
@Cybercachear
24 Nov 2025
71 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Hackers are using a fixed Windows bug (CVE-2025-59287) to spread ShadowPad malware through WSUS servers. They used normal Windows tools like curl and certutil to install it — a method seen before in Chinese hacking groups. Systems patched too late may have already been h
@TheHackersNews
24 Nov 2025
79667 Impressions
131 Retweets
354 Likes
96 Bookmarks
4 Replies
7 Quotes
We’ve released updated information on vulnerable product identification & threat detections to address CVE-2025-59287, a critical remote code execution vulnerability affecting Windows Server Update Service. Review our Alert & take immediate action. https://t.co/jhHeTB98
@GlobalSecHQ
23 Nov 2025
4 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
WSUS RCE CVE-2025-59287 is under active exploit, with ShadowPad riding via compromised update chains. Kernel LPE CVE-2025-62215 also patched. Patch WSUS and Windows, then maybe breathe. #infosec https://t.co/Bv04pu4qas
@threatcluster
23 Nov 2025
55 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-59287
@transilienceai
23 Nov 2025
24 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-59287
@transilienceai
22 Nov 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Huntress uncovered threat actors exploiting WSUS RCE (CVE-2025-59287) to deploy Velociraptor via a malicious MSI from s3.wasabisys[.]com, setting up C2 through update[.]githubtestbak[.]workers[.]dev. #WSUSExploit #Velociraptor #USA https://t.co/y1YiQsutHW
@TweetThreatNews
22 Nov 2025
91 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-59287 Impact: Assessing Long-Term Costs & Security Posture https://t.co/PGXjtn12Z4
@centcapglobal
21 Nov 2025
18 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Patching CVE-2025-59287 is just the beginning. The real work is assessing the blast radius. This critical auth bypass flaw is a wake-up call for Zero Trust, exposing hidden costs & a deep trust deficit in core security tools. Are you truly secure? #Cyber… https://t.co/PGXjt
@centcapglobal
21 Nov 2025
31 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
A critical WSUS RCE (CVE-2025-59287) is being actively exploited to deploy the ShadowPad backdoor, using legit tools like certutil.exe and curl.exe. Attack linked to Chinese state-aligned APT groups. #WSUS #ShadowPad #China https://t.co/CE3vbenLbp
@TweetThreatNews
21 Nov 2025
7 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Analysis of ShadowPad Attack Exploiting WSUS Remote Code Execution Vulnerability (CVE-2025-59287) | ShadowPad is a backdoor malware used by numerous Chinese APT groups. AhnLab Security intelligence Center (ASEC) https://t.co/J45NRWgmaS https://t.co/YFtIGHE4mR
@780thC
20 Nov 2025
2208 Impressions
16 Retweets
37 Likes
13 Bookmarks
1 Reply
0 Quotes
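🔎 Evidence has been identified of attacks distributing the ShadowPad malware by exploiting the WSUS remote code execution vulnerability (CVE-2025-59287). Take a look at the initial intrusion process exploiting this vulnerability, how the ShadowPad malware operates, and the countermeasures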
@AhnLab_SecuInfo
20 Nov 2025
747 Impressions
4 Retweets
15 Likes
3 Bookmarks
0 Replies
0 Quotes
#threatreport #LowCompleteness Microsoft Issues Emergency Patch for Windows Server Update Services RCE Vulnerability CVE-2025-59287 | 14-11-2025 Source: https://t.co/Hop7hAdFR0 Key details below ↓ 💀Threats: Supply_chain_technique, 🎯Victims: Windows server users, Wsus us
@rst_cloud
17 Nov 2025
108 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
🔒 Cybersecurity Weekend Briefing (Nov 15-16) ⚠️ CRITICAL: WSUS flaw (CVE-2025-59287) actively exploited - CISA emergency directive issued for federal networks. Patch immediately! 👥 Data breach alert: Chinese cyber firm leak exposes state-sponsored hacking operations
@RoryCrave
17 Nov 2025
28 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Actively exploited CVE : CVE-2025-59287
@transilienceai
16 Nov 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
Actively exploited CVE : CVE-2025-59287
@transilienceai
15 Nov 2025
10 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
A new critical WSUS vulnerability (CVE-2025-59287) shows that even our update systems can become the biggest risk. Why this flaw is a wake-up call for real security resilience, and what organizations must do right now. > To the article:
@KvinneGmbh
13 Nov 2025
26 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
Understanding Windows WSUS exploit CVE-2025-59287 with code - https://t.co/0pwMeYEWJp https://t.co/XWcpcGXi6Z
@markpahulje
12 Nov 2025
70 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A7DF96F8-BA6A-4780-9CA3-F719B3F81074"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "7200EF9B-2689-4E9E-BE9E-E00836A7D284",
            "versionEndExcluding": "10.0.14393.8524"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2019:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "D9DDF9BE-8D0B-4027-B3F7-FFD96438E3EB",
            "versionEndExcluding": "10.0.17763.7922"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2022:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BDAC36D7-54A0-456B-B176-17A0B9E63C7A",
            "versionEndExcluding": "10.0.20348.4297"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2022_23h2:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "FBA85BFD-9802-452E-97B1-6380554EF254",
            "versionEndExcluding": "10.0.25398.1916"
          },
          {
            "criteria": "cpe:2.3:o:microsoft:windows_server_2025:*:*:*:*:*:*:*:*",
            "vulnerable": true,
            "matchCriteriaId": "2E5FFF5B-8745-47F6-A0B7-262AA43353BB",
            "versionEndExcluding": "10.0.26100.6905"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]