Threat actors are actively exploiting a recently patched critical vulnerability in Microsoft Windows Server Update Services (WSUS) to deploy the "ShadowPad" backdoor. The flaw, CVE-2025-59287, is an unauthenticated remote code execution bug (CVSS 9.8) in the WSUS web service. Attackers use it to take over the update server itself and can then abuse the server's trusted position to push malicious payloads to the client machines that receive updates from it.
Business Impact
This is a supply-chain-style attack launched from inside the corporate network. Every managed client is configured to trust the internal WSUS server, so an attacker who controls that server can bypass perimeter defenses and reach thousands of endpoints at once. ShadowPad is a modular backdoor that has long been associated with Chinese state-sponsored groups.
Why It Happened
The root cause is deserialization of untrusted data in the WSUS web service: an attacker who can reach the service (TCP 8530 for HTTP or 8531 for HTTPS) without any credentials can execute code on the server with SYSTEM privileges, and from there control what the server distributes to its clients. Microsoft's October 2025 Patch Tuesday fix did not fully address the issue and was followed by an out-of-band update; a public proof of concept appeared shortly afterwards, and exploitation of unpatched, reachable WSUS servers was observed within days. Organizations that delayed applying the out-of-band update, or that expose the WSUS ports beyond their management network, are the ones being hit.
Recommended Executive Action
Verify immediately that every WSUS server has the out-of-band update for CVE-2025-59287 installed, not just the October cumulative update. Where patching cannot happen at once, apply Microsoft's interim mitigation: disable the WSUS server role or block inbound TCP 8530 and 8531 at the host firewall. Any server that was reachable and unpatched while the exploit was public should be treated as compromised. Direct the SOC to hunt on the WSUS server for the WSUS IIS worker process (w3wp.exe) spawning command shells or download utilities, and on all endpoints that receive updates from that server for ShadowPad indicators (such as the DLL side-loading behaviors described in the vendor reporting).
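The following PowerShell is an added triage script for the actions above; it is not part of the original brief and not a Microsoft tool. It assumes it is run elevated on the WSUS host, that the ServerManager module is available (Windows Server), and that Security-log process-creation auditing (Event ID 4688) is enabled; the command-line field is only populated if command-line auditing is also on. The 14 October 2025 cut-off is the Patch Tuesday date and is only a coarse screen: confirm the specific out-of-band package for your OS build against Microsoft's advisory rather than trusting a date alone.

```powershell
# Added example: triage a WSUS server for CVE-2025-59287 exposure and exploitation.
# Assumptions (labelled): run elevated on the WSUS host; ServerManager module present;
# Security log Event ID 4688 (process creation) auditing enabled.

function Test-WsusExposure {
    # 1. Is the WSUS role even present? If not, this host is out of scope.
    $role = Get-WindowsFeature -Name UpdateServices -ErrorAction SilentlyContinue
    $roleInstalled = [bool]($role -and $role.Installed)

    # 2. Are the WSUS web-service ports listening (8530 = HTTP, 8531 = HTTPS), and
    #    which enabled inbound firewall rules allow them? Review those rules to see
    #    whether they admit anything beyond the management network.
    $listening = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 8530, 8531 } |
        Select-Object -ExpandProperty LocalPort -Unique

    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            ($_ | Get-NetFirewallPortFilter).LocalPort | Where-Object { $_ -in '8530', '8531' }
        }

    # 3. Updates installed since the October 2025 Patch Tuesday. Get-HotFix lists KB
    #    packages only; match the IDs against Microsoft's advisory for the OOB update.
    $recentFixes = Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2025-10-14' }

    [pscustomobject]@{
        WsusRoleInstalled = $roleInstalled
        ListeningPorts    = $listening
        AllowRules        = $allowRules.DisplayName
        UpdatesSinceOct14 = $recentFixes.HotFixID
    }
}

function Find-WsusSpawnedShells {
    param([int]$Days = 30)
    # Exploitation executes inside the WSUS IIS worker process, so w3wp.exe launching a
    # shell or a download utility is the highest-signal behaviour to hunt for. 4688 records
    # the parent image as 'Creator Process Name' on Server 2012 R2 and later.
    $filter = @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Parent  = $data['ParentProcessName']
            Child   = $data['NewProcessName']
            Command = $data['CommandLine']   # empty unless command-line auditing is enabled
        }
    } | Where-Object {
        $_.Parent -like '*\w3wp.exe' -and
        $_.Child  -match '\\(cmd|powershell|pwsh|certutil|curl|bitsadmin)\.exe$'
    }
}

Test-WsusExposure | Format-List
Find-WsusSpawnedShells | Format-Table -AutoSize
```

Any hit from Find-WsusSpawnedShells on a server that was reachable while unpatched is grounds to treat the host as compromised and move to forensic collection rather than remediation in place; the Security log alone will not show the ShadowPad loader on downstream clients, so that hunt must run on the endpoints themselves with the indicators from the vendor reporting.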
Hashtags: #WSUS #ShadowPad #Malware #Microsoft #Vulnerability #SupplyChain #CyberSecurity #InfoSec #APT
